Michal Zalewski has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks.
The vulnerability is caused by the address bar of a newly opened window displaying the URL of the requested location before the page is loaded. This can be exploited to display arbitrary content in the blank document while showing the URL of a trusted web site in the address bar, e.g. by calling "window.stop()" to abort loading the new page.
The vulnerability is confirmed in version 3.6.4. Other versions may also be affected.
Solution: Update to version 3.5.11 or 3.6.7.
Provided and/or discovered by: Michal Zalewski
Original Advisory: Michal Zalewski:
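An added example, not part of the original advisory: a triage of browser User-Agent strings (for instance from proxy logs) against the fixed releases named in the Solution line. The sample strings are constructed, and treating every 3.5.x and 3.6.x build below the fixed release as needing the update is an assumption, since the advisory confirms the issue only in 3.6.4.

```python
import re
from collections import Counter

# Fixed releases from the advisory's Solution line, keyed by release branch.
FIXED = {(3, 5): (3, 5, 11), (3, 6): (3, 6, 7)}

# Firefox token: dotted version plus an optional pre-release suffix ("pre", "b2").
_FIREFOX = re.compile(r"\bFirefox/(\d+(?:\.\d+){0,3})([A-Za-z]\w*)?")

# Constructed sample User-Agent strings (not taken from the advisory).
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7",
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.10) Gecko/20100504 Firefox/3.5.10",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7pre) Gecko/20100701 Firefox/3.6.7pre",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
]


def triage(user_agent):
    """Classify one User-Agent string against the advisory's fixed releases.

    "not-firefox"  - no Firefox token present
    "needs-update" - 3.5/3.6 branch, below the fixed release (assumed affected)
    "fixed"        - 3.5/3.6 branch, at or above the fixed release
    "review"       - other branch or pre-release build; the advisory does not
                     say whether it is affected, so a person should decide
    """
    m = _FIREFOX.search(user_agent)
    if m is None:
        return "not-firefox"
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "3.6" -> (3, 6, 0)
    version = tuple(parts)
    fixed = FIXED.get(version[:2])
    if fixed is None or m.group(2):
        return "review"
    return "needs-update" if version < fixed else "fixed"


def summarize(user_agents):
    """Count triage results over an iterable of User-Agent strings."""
    return dict(Counter(triage(ua) for ua in user_agents))


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(f"{triage(ua):13} {ua}")
```

User-Agent strings can be altered by the client, so the result is a prompt for checking the installed version rather than proof of patch state.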
Subject: Mozilla Firefox Address Bar Spoofing Vulnerability