NEWS FROM THE LAB - Thursday, February 15, 2007

Firefox Cookie Bug

Posted by Sean @ 14:43 GMT

Bug 370445

There's a new bug reported in the way Firefox handles writes to the 'location.hostname' DOM property. The vulnerability could potentially allow a malicious website to manipulate the authentication cookies for a third-party site. The bug was submitted by Michal Zalewski and was tested with the current version of Firefox.

The bug could allow the browser to appear as if it were connecting to a bank, when in fact it would instead be receiving data from a bad guy.

Firefox is often patched quickly, so take note: it's an excellent idea to enable Firefox's automatic updates option if you haven't already.

Firefox Update Options

A demo of the vulnerability and a suggested work-around can be found here.