Vigil@nce: Firefox, new homographs
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
Several homographs characters are not recognized by Firefox.
Gravity: 1/4
Consequences: disguisement
Provenance: internet servert
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: multiples sources (3/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 27/02/2009
IMPACTED PRODUCTS
– Mozilla Firefox
– Mozilla SeaMonkey
– Mozilla Suite
DESCRIPTION OF THE VULNERABILITY
Some characters are very similar, such as the ’0’ (zero) and the
’O’ (the ’o’ character). Moreover, some Unicode characters look
like the slash (’/’), such as 0x2044, 0x2215 and 0x3033. Some
attackers use domain names with these variations in order to
convince the victim to click on a link.
Firefox contains a list of homograph characters, to ensure they
are not displayed in urls.
However, several characters are missing from this list:
- 0x66A, 0x799, 0x780, 0x9F4, 0xAEE, 0x96E, 0x2220, 0x2571 :
homographs of ’/’
- 0x203D : homograph of ’?’
An attacker can therefore use these characters in a url in order
to deceive the victim.
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8497
http://vigilance.fr/vulnerability/Firefox-new-homographs-8497