[5913] in Release_7.7_team


[Fwd: Re: Fwd: [IS&T Security-FYI] Newsletter, January 18, 2008

daemon@ATHENA.MIT.EDU (Bill Cattey)
Fri Feb 1 13:38:02 2008

From: Bill Cattey <wdc@MIT.EDU>
To: release-team@mit.edu
Content-Type: text/plain
Date: Fri, 01 Feb 2008 13:37:24 -0500
Message-Id: <1201891044.17497.20.camel@wdc-laptop>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Spam-Flag: NO
X-Spam-Score: 0.00

I typo'ed the CC list on my note.

-------- Forwarded Message --------
From: Bill Cattey <wdc@MIT.EDU>
To: swrt@mit.edu, myeaton@mit.edu
Cc: releae-team@mit.edu, rhe-release@mit.edu
Subject: Re: Fwd: [IS&T Security-FYI] Newsletter, January 18, 2008
[help.mit.edu #564068]
Date: Fri, 01 Feb 2008 13:36:18 -0500

Some comments people may find useful:

I reviewed this vulnerability early on in the reporting.  The Firefox
developers are working on an approach that obviates this class of
spoofing, but no remedy is yet available.

The Computerworld web page seems to go out of its way to avoid providing
links to the original source information.  Additional useful links are:

Aviv Raff's original report:
http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

Aviv Raff's FAQ on the issue:
http://aviv.raffon.net/2008/01/05/FirefoxDialogSpoofingFAQ.aspx

The Firefox Bug where the solution is evolving:
https://bugzilla.mozilla.org/show_bug.cgi?id=244273

The original report gives a picture of what the spoofed authentication
dialog actually looks like.

To mitigate this risk, users should be advised to log onto web sites
through alternate means and to avoid dialogs that look like the picture
shown in Aviv Raff's report.
