Two security holes found in Firefox web browser
Two flaws found in the Firefox web browser could result in users exposing sensitive information to malicious attackers, according to a computer security company.
One of the vulnerabilities, which affects the latest version of the popular web browser, could let an attacker fool the software into identifying a website as secure when it should classify it as a phishing site, SecuriTeam, an arm of Beyond Security Inc., said on Wednesday.
Phishing sites trick people into disclosing sensitive information, such as online banking passwords, by mimicking legitimate, trusted sites such as a bank's.
The security hole in Firefox version 2.0.0.1 can be exploited by simply adding an extra forward-slash character to a site's address, or URL (Universal Resource Locator), according to the group, which has offices in McLean, Va., and Netanya, Israel.
In order to exploit the vulnerability, an attacker would have to fool a person into clicking a specially crafted link in an e-mail, document or a malicious website.
SecuriTeam had issued an advisory on Monday, Feb. 5, stating that the pop-up window blocker in an earlier version of Firefox could be compromised to allow an attacker to read files on a computer at will.
The flaw in Firefox 1.5.0.9 could give an attacker the same access rights to files as a user who manually allows pop-ups from a site, SecuriTeam said.
The security hole could give a malicious individual access to sensitive information stored on the target computer.
The pop-up hole would also require a person to click on a specially crafted link in an e-mail, document or web page.
It was not clear whether the vulnerabilities affected versions of Firefox other than those specifically cited in the reports.
The Mozilla Foundation, which oversees development of the Firefox browser, had not published any comment about either security hole on its security site as of Thursday morning.