BugBlog Home
BJK Research Home
BJK Research Home

Did the BugBlog help you? Donate via PayPal to say thanks.

Even better, subscribe to the BugBlog Plus for even more coverage of bugs and their fixes.

Jump to the BugBlog archives Dec 06
Nov 06
Oct 06
Sept 06
Aug 06
July 06
June 06
May 06
Apr 06
Mar 06
Feb 06
Jan 06
Dec 05
Nov 05
Oct 05
Sept 05
Aug 05
July 05
Jun 05
May 05
Apr 05
Mar 05
Feb 05
Jan 05
Dec 04
Nov 04
Oct 04
Sep 04
Aug 04
Jul 04
June 04
May 04
Apr 04
Mar 04
Feb 04
Jan 04
Dec 03
Nov 03
Oct 03
Sept 03
Aug 03
July 03
June 03
May 03
April 03
Mar 03
Feb 03
Jan 03
Dec 02
Nov 02

Amazon.comOrder books and more at Amazon.com

Win 2K Secrets
Order Windows 2000 Secrets from Amazon.com



BugBlog Bug of the Month

Starting with January 2005, the BugBlog will pick its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

The Bug of the Month for March 2005 was posted as the Bug of the Day on February 9

Browsers that support IDN (International Domain Name) are susceptible to a spoofing attack where your address bar will show that you are at a particular site, such as your bank, while the content shown in the browser window is from some other site, such as an identity thief. Browsers that are susceptible include Mozilla, Firefox, OmniWeb, Opera, Konqueror (and other KDE browsers), Netscape, and Apple Safari. One browser that isn't affected is Microsoft Internet Explorer, because it doesn't support IDN. However, there is a plug-in that adds the support, and also the vulnerability. The Secunia security researchers have a test to see if your browser is vulnerable, which you can see at http://secunia.com/multiple_browsers_idn_spoofing_test/. As fix information becomes available, it will be listed individually for each of the browsers.

Why this one? First, it is a cross-company bug, affecting all browsers that implement IDNs. The reason for this, as became clear, was due to a weakness in the implementation of IDNs. Given the fact that it can trick a user into giving sensitive information to a fake site, the bug could also have some financially severe consequences.

There have already been fixes for the Konqueror browser, at least in the Red Hat version, that were listed in the BugBlog Plus on 2/14. The Mozilla Organization announced a "fix" on 2/17. The fix was to remove support for IDN. After a certain amount of user outcry, they changed course on 2/21 and said that IDN would be displayed as puny code, which would show the spoofing possibilities.

Previous Bugs of the Month

February 2005

January 2005

The Bug of the Month is also posted at Blogcritics.org