
Firefox 1.0.1 Security Update Released

Firefox 1.0.1 Security Update Released -- The Mozilla Organization last week released Firefox 1.0.1 for all platforms, which fixes a number of small security holes or potential problems, notably the homograph spoofing problem we've talked about recently in TidBITS (see "Don't Trust Your Eyes or URLs" in TidBITS-766). The updated version includes a new preference, network.IDN_show_punycode, which is set to true. (To access this preference, enter "about:config" in the Location field and press Return; it's probably easiest to then type "IDN" in the Filter field to display the preference.)

<http://www.mozilla.org/products/firefox/all.html>
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>
<http://db.tidbits.com/article/07983>

Instead of seeing international characters rendered in domain names, you'll see the punycode, or Unicode-to-Roman mapping, when you visit a site that is attempting to pass itself off as another site using this technique. The Shmoo Group, which exposed this visual vulnerability, has a demonstration on its site. The second "o" in "shmoo" in the links at the top of that page is a homograph, that is, a letter that looks like another letter. Before Firefox 1.0.1, the links and the destination of the fake domains at the top of that page would read "http://www.theshmoogroup.com/". Now they appear as "http://www.xn--theshmogroup-bgk.com/".

<http://www.shmoo.com/idn/>
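To see what the punycode form is hiding, the following added example (not code from the article or from Mozilla) decodes the hostname quoted above and names the character that is not a plain Latin letter. The function names are hypothetical, and the code applies Punycode label by label without the full IDNA name-preparation step a browser performs.

```python
import unicodedata

ACE_PREFIX = "xn--"  # prefix that marks a Punycode-encoded label


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label (unchanged if plain ASCII)."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def encode_label(label: str) -> str:
    """Return the ASCII form of one label, as the updated browser shows it."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def display_host(host: str) -> str:
    """Hostname with every label in ASCII, i.e. Punycode display turned on."""
    return ".".join(encode_label(part) for part in host.split("."))


def non_ascii_chars(host: str):
    """List (label, index, code point, Unicode name) per non-ASCII character."""
    found = []
    for part in host.split("."):
        text = decode_label(part)
        for i, ch in enumerate(text):
            if ord(ch) > 127:
                name = unicodedata.name(ch, "UNKNOWN")
                found.append((text, i, f"U+{ord(ch):04X}", name))
    return found


# Hostname quoted in the article above.
ARTICLE_HOST = "www.xn--theshmogroup-bgk.com"

if __name__ == "__main__":
    for text, i, cp, name in non_ascii_chars(ARTICLE_HOST):
        print(f"label {text!r}: position {i} is {cp} {name}")
    # Round trip: the decoded name maps back to the ASCII form shown in the URL bar.
    decoded = ".".join(decode_label(p) for p in ARTICLE_HOST.split("."))
    print(display_host(decoded))
```
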

The English version of Firefox 1.0.1 for Mac OS X is an 8.7 MB download; note that not all language versions have been updated yet.
