Mozilla/Firefox security exploit: Disable IDN support

NetRyder

Tech Junkie
Joined
19 Apr 2002
Messages
13,256
From the front-page:
http://www.osnn.net/comments.php?shownews=11780

You can disable IDN support in Mozilla products by setting 'network.enableIDN' to false. There is no known workaround for Opera or Safari. Vendor responses have been varied with VeriSign and Apple failing to respond but Opera believing they have correctly implemented IDN, and will not be making any changes (oops). Mozilla are currently working on finding a good long-term solution. The company provided a clear workaround for disabling IDN temporarily until it can better address the issue.
 
Re: Mozilla/Firefox users: Disable IDN support

Update: Several users are now reporting that the fix does not necessarily work:
http://it.slashdot.org/comments.pl?sid=138568&cid=11596841

I tried setting the network.enableIDN flag to false, then visited the proof of concept page and I got an error when I tried to visit the fake Paypal link. All good. Then I restarted Firefox, tried again and the spoof still works. :s

Edit: Confirmed. It's a single session fix. As soon as you close and restart the browser, the fix no longer works. Hopefully the Mozilla/Firefox folks release an official patch soon.
 
Alright, here's a temporary fix that actually works:

The workaround for firefox seems to be an edit to your compreg.dat.

For windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat

For UNIX
~/.mozilla/firefox/default.random/compreg.dat

Removing the line that references IDN makes the problem go away. Using Find, there was a single reference for the UNIX host and 2 for the Win32 host. Removing the lines and restarting the browser makes the attack fail regardless of the about:config/userprefs.js value.

Here's an example entry.

{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

Instead of deleting the line (1 in Linux) or lines (2 in Win) you can just comment them out by using the character #
http://forums.mozillazine.org/viewtopic.php?t=215178
 
Works perfectly. BTW, I didn't delete the lines, I just commented them out with a #.

Melon
 
ok, so for the fix to work its suppose to say not found when clicking on a spoof link?

I used http://www.shmoo.com/idn/ to test. And uncommented results in meeow and commented results in site not found.
 
thats annoying, I hope apple get on to this soon
 
What does disabling IDN do to your connection? (I'm not tops w/ networking)
 
Must re-edit when new plugin/extension is installed
Isn't compreg.dat re-created anytime you install a new plugin/extension installed ? and wouldn't that overwrite the old file with the commented out line (not sure if FF respects the readonly attribute either, a la cookies.txt)... I haven't tested this as I haven't had the time and as i'm not really all that concerned with the IDN issue (based on my browsing habits)...
well i got a chance to test... and unless u make the file readonly the edit will be OVERwritten on new plugin/extension installation. also keeping readonly may prevent your newly installed extension/plugin from registering properly... SO... make sure reedit the file after extension/plugin installation....

I just make a shortcut to the file and open in notepad - use "replace" (or "find") function. I just replace "IDN" with "#" - it works.
idn7kh.jpg


Or you can use Proximitron:

Just added info ... Kye-U's Filters V4.30 for Proxomitron also prevent this exploit.

Kye-U's Forum (link to post) - http://www.kye-u.com/proxo/forums/i...=225&#entry3846
Direct Download of Kye-U's V4.30 .cfg ~Zipped~ - http://www.kye-u.com/proxo/dp/download.php?file=18
(I hope, you don't mind me posting a direct link Kye-U)
 
lynchknot said:
Must re-edit when new plugin/extension is installed

I just make a shortcut to the file and open innotepad - use "replace" (or "find") function. I just replace "IDN" with"#" - it works.

Or you can use Proximitron:
What is proximitron?
 
funky dredd said:
What is proximitron?
For those who have not yet been introduced, meet the Proxomitron: a free, highly flexible, user-configurable, small but very powerful, local HTTP web-filtering proxy.û To become better acquainted, please see our online copy of the Proxomitron Help Files for a more comprehensive overview.

The current (and last) version of Proxomitron is Naoko 4.5, of which there were two releases, one in May of 2003 followed by one in June.û Although very similar, there are distinct differences between the two which are not mentioned in either program's documentation.û Both releases are available in the Files section.û P.I's focus will be on the latest version -- the June release.
...apparently :p (link)

p.s. Fix for Safari users: http://forum.osnn.net/showthread.php?t=55474
 
Great. So we have temporary fixes for Mozilla/Firefox and Safari. :)
*Wonders what the Opera folks are going to do*
 
Serlio said:
Another temporal workaround:

1. Install the extension Greasemonkey

2. Don't forget to restart Firefox to complete the extension installation.

3. Right click this link (DON'T FOLLOW THE LINK): IDN patch script and click "Install User Script..."

4. A window will appear. Press OK.

Finished. It will raise an alert when the URL contains IDN characters.

English language is not my best, so translation errors advices will be welcome ;)

Thanks Serlio, looks interesting.

**edit - wonderful. you can still visit site but are warned (Japanese sites - or sites that use IDN characters work - instead of disabling IDN altogether)

warn1io.jpg
 
Awesome! That's a much better fix. Where did you find it, lynch?
 
Where find? I live in Firefox world since Oct. 2002 - creating themes - so my finger is always on it's pulse.
 

Members online

No members online now.

Latest profile posts

Also Hi EP and people. I found this place again while looking through a oooollllllldddd backup. I have filled over 10TB and was looking at my collection of antiques. Any bids on the 500Mhz Win 95 fix?
Any of the SP crew still out there?
Xie wrote on Electronic Punk's profile.
Impressed you have kept this alive this long EP! So many sites have come and gone. :(

Just did some crude math and I apparently joined almost 18yrs ago, how is that possible???
hello peeps... is been some time since i last came here.
Electronic Punk wrote on Sazar's profile.
Rest in peace my friend, been trying to find you and finally did in the worst way imaginable.

Forum statistics

Threads
62,015
Messages
673,494
Members
5,621
Latest member
naeemsafi
Back