Discourse.net: If You Use Firefox You Need To Read This
Someone has come up with a Firefox exploit - one that doesn't affect IE users!
You can find links to the details at Boing Boing: Shmoo Group exploit. Here, however, is the simple info on how to protect yourself (probably):
Go to your Firefox address bar. Enter about:config and press Enter. Firefox will load the (large!) config page.
Scroll down to the line beginning network.enableIDN - this is International Domain Name support, and it is causing the problem here. We want to turn this off - for now. Ideally we want to support international domain names, but not with this problem.
Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click OK. You are done.
I say "probably" because even though this fix works for me, there are reports that it doesn't work for everyone. The test of the exploit is here.
UPDATE [2005-02-07 14:06]: This only works on a per-session basis... that is, if you quit Firefox and restart, the exploit works just as it did before. Checking network.enableIDN in about:config shows it still to be set to false. Setting it to true and then back to false does the trick. Although I don't want to do this every browser session! Crap.
UPDATE [2005-02-08 09:17]: Here is a permanent fix that actually works. Note: on Mac OS X with a recent version of Firefox 1.0 the compreg.dat file resides in:
~/Application Support/Firefox/Profiles/xxxxxxxx.default
Where the xxxxxxxx is different for every user.
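Why International Domain Name support matters here: a hostname containing a look-alike character from another script is displayed in Unicode but resolved in its ASCII (`xn--`) form. The check below is an added example, not code from the original post; the function names and the sample hostname are constructed for illustration.

```python
import unicodedata

# Constructed sample: "example.com" with a Cyrillic "a" (U+0430) as third letter.
SAMPLE = "ex\u0430mple.com"


def script_of(ch):
    """Rough script tag taken from the Unicode character name (LATIN, CYRILLIC, ...)."""
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphens appear in every script
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def inspect_hostname(host):
    """Return (ascii_form, per-label findings) for a hostname.

    ascii_form is the IDNA encoding that is actually looked up in DNS;
    findings show which labels are IDN and which mix several scripts.
    """
    ascii_host = host.encode("idna").decode("ascii")
    findings = []
    for label, wire in zip(host.split("."), ascii_host.split(".")):
        scripts = sorted({script_of(c) for c in label} - {"COMMON"})
        findings.append({
            "label": label,
            "wire": wire,
            "is_idn": wire.startswith("xn--"),
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
        })
    return ascii_host, findings


if __name__ == "__main__":
    for name in (SAMPLE, "example.com"):
        wire, report = inspect_hostname(name)
        print(f"{name!r} resolves as {wire!r}")
        for item in report:
            if item["is_idn"]:
                print("  IDN label:", item["wire"], item["scripts"],
                      "MIXED SCRIPT" if item["mixed_script"] else "")
```

A label written entirely in one non-Latin script is not flagged as mixed, so treat `is_idn` itself as the signal to show the `xn--` form to the user.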