A bug was recently uncovered in Firefox that could allow a malicious Web site to appear authentic.
The bug affects the way Firefox handles writing to the "location.hostname" DOM property, according to a posting by security researcher Michal Zalewski on the security mailing list Full Disclosure. The vulnerability could potentially allow a malicious Web site to manipulate the authentication cookies for a third-party Web site.
By bypassing same-origin policy, attackers can possibly tamper with the way these sites are displayed or how they work. For users, this means the bug could allow for the browser to appear as if the user were connecting to a bank, when in fact the user would instead be receiving data from an attacker.
This vulnerability was tested using Firefox 2.0.01. Though the bug was listed as resolved, Mozilla security chief Window Snyder said they will be addressing the vulnerability in the next update to Firefox, version 2.0.0.2.
no, no update yet, but don't forget that when a security flaw is found in IE, you then have to wait for M$ to patch it and release it in the their monthly security update - so you could wait a month for an IE patch, whereas Mozilla tend to be fairly quicker than that
