UPDATED–There is a bug in Mozilla’s flagship Firefox browser related to the way the browser handles obfuscated URLs in iFrames. However, a Mozilla official said the bug poses “very low” risk to users.
Johnathan Nightingale of Mozilla said in a blog post late Tuesday that the bug poses little risk to users. “This issue poses very low risk to users. This attack relies on user
confusion about the true destination of a link, and only someone
examining the HTML source of the page would ever see the deceptive URL.
Most users do not view the source of loading pages, and are therefore
unlikely to be impacted by this attack,” Nightingale, the director of development for Firefox, wrote.
He added that the company doesn’t plan to fix the bug, as there is little chance of it being exploited. “There is currently no fix in plan since Mozilla does not believe this
can be used to attack users. Firefox ships with built-in phishing and
malware protection that warns users if they are attempting to visit a
dangerous URL, and these attempts at deception do not impact that
protection,” he wrote.
The problem of URL obfuscation is not a new one, and neither is it novel for attackers to use iFrames as an infection vector for visitors to a compromised Web site. Web-based attacks have been employing various forms of URL obfuscation for years now, and iFrames are a favorite of attackers because of their ability to perform malicious actions in the background of a victim’s Web session.
The new flaw, which already is in the Mozilla Bugzilla system, is in all of the current versions of Firefox, according to researchers at Web application security firm Armorize. URL obfuscation often is used by attackers to hide the true address of a malicious site that they’re directing users to, typically as part of a phishing or drive-by download attack. But browsers now check for this behavior and will warn users when a URL appears to have been tampered with, explaining that this may not be the site they’re looking for.
The Firefox bug defeats this protection, the Armorize researchers say.
“On performing analysis of various malware, a bug has been noticed in all
version of Firefox which fails to generate an alert when obfuscated URL
is being placed in Iframes. In certain cases, it can be used
effectively in spreading malware and stealing sensitive information.
While discussions on BugZilla, it is noticed that Firefox behavior is
completely different in these two scenarios which should not happen,” Aditya Sood of Armorize said in a blog post on the bug.
Many of the mass SQL injection attacks and other large-scale Web-site compromises that have cropped up in the last couple of years have used iFrames as part of their attack vector. The iFrames open in the background when users hit a given compromised page and often are used to deliver the actual malicious payload to the target machines.
This story was updated to add Nightingale’s statements about the effect of the bug and its exploitability.