New Firefox flaws exploit pop-ups, phishing hole

Posted by Mark Raby

Chicago (IL) - A pair of new flaws in Mozilla's Firefox browser get around its security infrastructure and open up user PCs to potential attacks, according to a report published this week by SecuriTeam.

The first flaw affects Firefox users who have manually disabled pop-up windows. Through a hole in the browser, an intelligent hacker can find a way to disable a specific security check on a user's computer and bring up a fake permission screen asking the user to allow a pop-up to, for example, access a video or download. Once the user allows the pop-up, the hacker could then access the victim's computer and steal personal information.

The second flaw concerns the phishing protection in Firefox. According to SecuriTeam, there is a fairly easy way to circumvent the browser's phishing filter: adding specific characters to the URL of the site.

The phishing exploit affects users of the latest version of the browser, Firefox 2.0, though it is unclear at this time if the pop-up flaw can be executed in the new version. Users of older editions of Firefox are vulnerable to both flaws.