New Firefox/Safari Exploit

Both BoingBoing and The Register report about a security exploit affecting most modern browsers. The vulnerability makes it possible to create links that look ok in the browser (like www.paypal.com) but that actually lead to another site that has non-7-bit-ascii characters in their address. Secunia has prepared a test you can run to see if your browser is vulnerable to the exploit.

In the BoingBoing story, they tell about a way to secure Firefox by changing a config parameter. However, in a later update they say that the fix doesn’t stand restarting the browser. Another update tells how to make the fix permanent. The fix is for Windows users, so here’s a rewrite of it for all Mac Firefox people:

  1. Exit Firefox
  2. Open ~/Library/Application Support/Firefox/Profiles/ ###.default (or default.###) in finder (### being a number of random characters)
  3. Backup compreg.dat
  4. Open compreg.dat in a text editor (right-click => open with… => other => select textedit or some other text editor)
  5. Scroll down to [CONTRACTIDS] section and find this row: @mozilla.org/network/idn-service;1,{62b778a6-bce3-456b-8c31-2865fbb68c91}
  6. change the 1 after idn-service; to 0, so that the line will be @mozilla.org/network/idn-service;0,{62b778a6-bce3-456b-8c31-2865fbb68c91}
  7. Save the file and restart Firefox. Navigate to Secunia’s test and run the test. If you get a “not found” error, you should be all fine.

I’ve tested the fix and it works fine for me, but I can’t promise it will for you. So stay tuned for security updates. And don’t forget Safari is vulnerable to this exploit, too, as is Opera.