XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)

All times are UTC - 8 hours




PostPosted: Thu Apr 20, 2017 10:29 pm 

Joined: Thu Jul 05, 2012 4:02 pm
Posts: 941
Location: Melbourne
I just read this possible deception affecting Firefox and Chrome.
https://arstechnica.com/security/2017/0 ... -you-want/
Pasted that address into my Firefox address bar and it showed the false text saying Apple. I didn't click through.

Attachment:
unicode snaffu.png

Google just patched it and Safari is not vulnerable to it.
Only this morning I did a Firefox update. I hope it is on their to-do list for the next update.

FF ESR 49.5.0


PostPosted: Fri Apr 21, 2017 4:29 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5806
Location: NYC
Don't really understand much about all the serious vulnerabilities now corrected in the latest 52.1, just released 4/19--there are a lot of them--but doesn't look like this particular unicode exploit is covered. Thanks for the heads up.

Quote:
Firefox users can protect themselves by entering "about:config" in the address bar and agreeing to the displayed warning. From there, enter "punycode" in the search box to bring up a line that reads network.IDN_show_punycode. Next, double-click the word "false" to change it to "true." From then on, Firefox will display the "dumb ascii" characters and not the deceptive, encoded ones.


PostPosted: Fri Apr 21, 2017 11:04 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14359
Thanks, Safari 8.0.8 not affected, punycode true cured FF 51.01


PostPosted: Fri Apr 21, 2017 3:00 pm 

Joined: Thu Jul 05, 2012 4:02 pm
Posts: 941
Location: Melbourne
Thanks WZZZ for pointing out the fix located at the end of the article. I was too sleepy to read to the end. :snail: Just did it and now that behaviour is gone.


PostPosted: Fri Apr 21, 2017 3:41 pm 

Joined: Sat Sep 27, 2008 6:28 pm
Posts: 185
Seems the Firefox people do not think it is a problem that apple.com can go to two different web sites depending on which letter "a" is used. It seems each user must change about:config to be safe.

Never heard of a more ridiculous situation.

Robert
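
Added example, not part of any post in this thread: a small Python check that shows the "dumb ascii" form a browser displays once network.IDN_show_punycode is true, and reports which scripts a non-ASCII hostname label mixes. The function names and the sample hostnames are constructed for illustration, and the encoding step is simplified (plain Punycode per label, without full IDNA normalization).

```python
import unicodedata


def to_ascii_label(label):
    """Return one DNS label in ASCII: unchanged if already ASCII,
    otherwise its xn-- Punycode form (simplified, no nameprep step)."""
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts_in(label):
    """Rough script set for a label, taken from the first word of each
    letter's Unicode name (e.g. LATIN, CYRILLIC, GREEK)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_host(host):
    """Return the ASCII display form plus findings for non-ASCII labels."""
    labels = host.split(".")
    findings = []
    for label in labels:
        if not label.isascii():
            scripts = sorted(scripts_in(label))
            findings.append({
                "label": label,
                "scripts": scripts,
                "mixed": len(scripts) > 1,  # more than one script in one label
            })
    return {
        "display": ".".join(to_ascii_label(l) for l in labels),
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed samples: the second uses CYRILLIC SMALL LETTER A (U+0430)
# in place of the Latin "a", so both render alike in many fonts.
GENUINE = "apple.com"
LOOKALIKE = "\u0430pple.com"

if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(repr(host), inspect_host(host))
```

A label written entirely in one non-Latin script is reported with "mixed" false but still appears in the findings, since its ASCII display form differs from what the user sees rendered.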


 