
Malware Authors Exploit 11-Year-Old Mozilla Firefox Bug for Malicious Activity

By Nitish Singh / December 10, 2018

One of the biggest drawbacks of Mozilla Firefox is that it is an open-source project and lacks the resources available to Microsoft and Google. Mozilla has been unable to fix a bug that dates back to April 2007. The issue was found in all major browsers at the time, and it has already been patched in Internet Explorer (now Edge) and Chrome.

The attack works by embedding an iframe in the source code of a malicious website. The iframe triggers HTTP authentication requests on other domains and shows malicious websites as “genuine,” making it difficult for users to differentiate between real and fake websites. Mozilla has tried a number of solutions, but none of them have been particularly effective.


Microsoft has managed to work around the issue by adding a large delay between authentication modals, which gives users more than enough time to close malicious tabs. Google, on the other hand, has made authentication dialogs exclusive to each tab, so malicious pages are not able to crash the browser (only the affected tab freezes, and it can be closed). According to users in the official forums, Mozilla would be better off implementing either of these solutions.

A user who reported the exploit revealed: "At first, it is opened in full-screen mode. With some fake Windows dialog (I am using Linux, so I know it is fake). Then I press ESC to exit full screen. I click the close button of tab or window, but it doesn't work because it has this login dialog. I click close button of the login dialog or cancel button. Then the dialog will appear again. I click the 'Don't allow' button of extension installation popover, but it seems not clickable. I killed the Firefox process, which is the only solution for me."
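The behaviour described above (an iframe that triggers HTTP authentication requests on other domains, with the dialog reappearing after every cancel) shows up in web proxy logs as a burst of cross-domain 401 challenges tied to one referring page. The following Python detection is an added example, not code from Mozilla or from this article; the record layout, thresholds, function names and sample data are constructed assumptions, and hostnames are compared as an approximation of origins.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed proxy-log records (not real traffic):
# (epoch_seconds, client_ip, referer, requested_url, status, WWW-Authenticate value)
SAMPLE_LOG = [
    (50.0, "10.0.0.7", "http://intranet.example/", "http://intranet.example/admin", 401, 'Basic realm="admin"'),
    (60.0, "10.0.0.7", "http://news.example/", "http://cdn.example/img.png", 401, 'Basic realm="cdn"'),
    (61.0, "10.0.0.7", "http://news.example/", "http://cdn.example/a.js", 200, ""),
] + [
    (100.0 + i, "10.0.0.5", "http://scam.example/alert.html",
     f"http://auth{i % 2}.example/r?{i}", 401, 'Basic realm="login"')
    for i in range(6)
]


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def find_auth_prompt_loops(records, threshold=5, window=10.0):
    """Map (client, referring host) -> peak number of cross-domain 401
    challenges seen within `window` seconds, for peaks >= `threshold`."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, client, referer, url, status, challenge in sorted(records, key=lambda r: r[0]):
        if status != 401 or not challenge:
            continue  # only responses that make the browser show an auth dialog
        page, target = _host(referer), _host(url)
        if not page or page == target:
            continue  # a site asking for its own credentials is normal
        key = (client, page)
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()  # slide the window forward
        if len(times) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(times))
    return flagged


if __name__ == "__main__":
    for (client, page), peak in find_auth_prompt_loops(SAMPLE_LOG).items():
        print(f"{client}: {page} triggered {peak} cross-domain auth prompts in 10s")
```

The threshold and window need tuning against local traffic, since a page that legitimately embeds several protected resources can produce a small number of such challenges.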

Mozilla will be releasing a fix very soon, and we recommend keeping automatic updates for Firefox enabled to ensure you get the bug fixes in time. It is unknown whether Mozilla will adopt one of the solutions used by Microsoft and Google or build something from scratch for Firefox.
