Firefox flaw could let attackers fake connections
A flaw in the Firefox web browser could trick people into thinking they are connected to a trusted site when the program is actually receiving data from an attacker.
The vulnerability, which affects all versions of Firefox's web browser, could allow a specially designed website to manipulate the authentication cookies for trusted websites such as an online bank, said F-Secure Corp. of Helsinki, Finland, in a post to its security blog. That could allow an attacker to steal sensitive information.
Cookies are small data files used by web browsers to identify individual users, and sometimes contain details such as login names and passwords.
"Firefox is often patched quickly, so take note, it's an excellent idea to enable Firefox's automatic updates option if you haven't already," an F-Secure researcher wrote on the company's blog.
Firefox's automatic update option is available in the Windows version by going to the Tools menu, selecting Options then Advanced, opening the Updates tab and checking the boxes there.
Users of the Mac OS X version can go to the Firefox menu, choose Preferences, Options, Advanced, open the Updates tab and check the boxes to enable automatic updates.
The flaw is in the way that Firefox manages data written to the browser's "location.hostname" DOM property.