Firefox 1.0.1 Security Update Released -- The Mozilla Organization last week released Firefox 1.0.1 for all platforms, which fixes a number of small security holes or potential problems, notably the homograph spoofing problem we've talked about recently in TidBITS (see "Don't Trust Your Eyes or URLs" in TidBITS-766). The updated version includes a new preference, network.IDN_show_punycode, which is set to true. (To access this preference, enter "about:config" in the Location field and press Return; it's probably easiest to then type "IDN" in the Filter field to display the preference.)
<http://www.mozilla.org/products/firefox/ all.html>
<http://www.mozilla.org/projects/security/known- vulnerabilities.html>
<http://db.tidbits.com/article/07983>
Instead of seeing the actual display of international characters in domain names, you'll see the punycode or Unicode-to-Roman mapping when you visit a site that is attempting to pass itself off as another site using this technique. The Shmoo Group, which exposed this visual vulnerability, have a demonstration on their site. The second o in shmoo in the links at the top of that page is a homograph, or a letter that looks like another letter. Before Firefox 1.0.1, the links and the destination of the fake domains at the top of that page would read "http://www.theshmoogroup.com/". Now they appear as "http://www.xn--theshmogroup-bgk.com/".
The English version of Firefox 1.0.1 for Mac OS X is an 8.7 MB download; note that not all language versions have been updated yet.
