An Oldie but Goodie: 7-Year-Old Spoof Flaw Turns Up in Firefox

An oldie but goodie bedevils the new Firefox version: a 7-year-old flaw tied to how software handles frames displayed on websites. The browser doesn't check whether frames are all from the same site, allowing a hacker to insert content.

That's the warning issued June 7 by security company Secunia, which said the flaw leaves Firefox, Mozilla 1.7, and Camino 0.x vulnerable.

Users who think they are interacting with actual frames at their banking, financial, or other such websites could end up getting tricked into giving up personal information or downloading malicious code, Secunia warned, calling the issue moderately critical.

Secunia added, however, that a spoof attempt could work only if the user had both the compromised site and a trusted site open in different windows, with a click on the infected site showing the attacker's content in a frame on the trusted site. The company has posted a test on its website for users to determine if their machines are vulnerable.

Secunia said the same flaw turned up in Mozilla browsers last July but had not affected the most recent versions. The company nonetheless advised users not to visit trusted sites in more than one window at a time until the flaw is repaired. Mozilla Foundation said it was investigating the Secunia analysis, while a support forum moderator on Mozilla's website said that, as far as the foundation knows at this writing, the flaw has yet to be exploited.