You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0.1) > MFSA 2005-23

Mozilla Foundation Security Advisory 2005-23

Title: Download dialog source spoofing
Severity: Low
Risk: Low
Reporter: Jakob Balle (Secunia)
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0.1
  Mozilla Suite 1.7.6

Description

The true source of a download can be disguised by using a host name long enough that the most significant parts are truncated. Spoofing can be made even more convincing on windows if the subdomain labels contain a string of non-breaking space characters.

Workaround

Do not download files from untrusted sites. Be suspicious if the download dialog shows the file comes from a different site than the one you are on. If the download source is a trusted one visit that site yourself to get the file by typing the address into the location bar rather than trust 3rd-party links to content.

References