[Secure-testing-team] Bug#860806: firefox-esr: network.enableIDN no longer has any effect, allowing easier phishing attacks
Vincent Lefevre
vincent at vinc17.net
Thu Apr 20 10:50:51 UTC 2017
Package: firefox-esr
Version: 45.9.0esr-1
Severity: grave
Tags: security
Justification: user security hole
I've had the network.enableIDN preference[1] set to false for many
years (as shown in about:config) in order to avoid some phishing
attacks (and I had always relied on it). I've just noticed that it
no longer has any effect!
For instance, enter
https://www.аррӏе.com/
in the location bar. I don't get any error, and the URL in the location bar
looks like the Apple one. But it is not the Apple web site.
Note: I've learned at the same time from [2] that there is a new
preference network.IDN_show_punycode, but it is set to false by
default, and there hasn't been any announcement in the past upgrades
of the Debian package. In any case, network.enableIDN should still
have an effect when set to false.
[1] http://kb.mozillazine.org/Network.enableIDN
[2] http://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
-- Package-specific info:
-- Extensions information
Name: -Global Styles- userstyle
Status: enabled
Name: Adblock Plus
Location: ${PROFILE_EXTENSIONS}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
Status: enabled
Name: AlloCiné userstyle
Status: enabled
Name: allocine-imdb greasemonkey-user-script
Status: enabled
Name: cac-imdb greasemonkey-user-script
Status: enabled
Name: Cinémathèque Française userstyle
Status: enabled
Name: Classic Theme Restorer
Location: ${PROFILE_EXTENSIONS}/ClassicThemeRestorer at ArisT2Noia4dev.xpi
Status: enabled
Name: Combine Stop/Reload buttons userstyle
Status: enabled
Name: Default theme
Location: /usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
Package: firefox-esr
Status: enabled
Name: Different cursor for links that open in new windows userstyle
Status: enabled
Name: Disable autocomplete userstyle
Status: user-disabled
Name: Disable marquee userstyle
Status: user-disabled
Name: Filmsite.org userstyle
Status: enabled
Name: Firebug
Location: ${PROFILE_EXTENSIONS}/firebug at software.joehewitt.com.xpi
Status: enabled
Name: Firefox Hello Beta
Location: ${PROFILE_EXTENSIONS}/loop at mozilla.org.xpi
Status: enabled
Name: Flagfox
Location: ${PROFILE_EXTENSIONS}/{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi
Status: enabled
Name: Font Finder
Location: ${PROFILE_EXTENSIONS}/fontfinder at bendodson.com.xpi
Status: enabled
Name: FxIF
Location: ${PROFILE_EXTENSIONS}/{11483926-db67-4190-91b1-ef20fcec5f33}.xpi
Status: enabled
Name: GLPI - assistance.ens-lyon.fr userstyle
Status: enabled
Name: Google Search userstyle
Status: enabled
Name: Greasemonkey
Location: ${PROFILE_EXTENSIONS}/{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
Status: enabled
Name: gtranslate
Location: ${PROFILE_EXTENSIONS}/{aff87fa2-a58e-4edd-b852-0a20203c1e17}.xpi
Status: enabled
Name: HeadingsMap
Location: ${PROFILE_EXTENSIONS}/headings at niquelheadings.net.xpi
Status: enabled
Name: IMDb userstyle
Status: enabled
Name: itt-datetimes greasemonkey-user-script
Status: enabled
Name: Link Widgets
Location: ${PROFILE_EXTENSIONS}/linkwidget at clav.mozdev.org
Status: enabled
Name: Live HTTP headers
Location: ${PROFILE_EXTENSIONS}/{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
Status: enabled
Name: Move tabbar to the bottom userstyle
Status: user-disabled
Name: Move tabbar to the left userstyle
Status: user-disabled
Name: Move tabbar to the right userstyle
Status: user-disabled
Name: Multiple row bookmark toolbar userstyle
Status: user-disabled
Name: Nerim userstyle
Status: enabled
Name: Open in Browser
Location: ${PROFILE_EXTENSIONS}/openinbrowser at www.spasche.net.xpi
Status: enabled
Name: PeopleForCinema userstyle
Status: enabled
Name: QuickWiki
Location: ${PROFILE_EXTENSIONS}/{EE223D7A-F30F-11DD-8F0A-D2AD55D89593}.xpi
Status: enabled
Name: Slashdot.org - Remove ads userstyle
Status: enabled
Name: SourceForge font size in comments userstyle
Status: enabled
Name: Stylish
Location: ${PROFILE_EXTENSIONS}/{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi
Status: enabled
Name: Tab Mix Plus
Location: ${PROFILE_EXTENSIONS}/{dc572301-7619-498c-a57d-39143191b318}.xpi
Status: enabled
Name: twitter-times greasemonkey-user-script
Status: enabled
Name: us-to-iso8601 greasemonkey-user-script
Status: user-disabled
Name: Web Developer
Location: ${PROFILE_EXTENSIONS}/{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi
Status: enabled
Name: Wikipedia font size userstyle
Status: enabled
Name: X-Ray
Location: ${PROFILE_EXTENSIONS}/{3f1182ea-3243-4d32-8826-71fb1cc9c328}.xpi
Status: enabled
Name: youtube-html5 greasemonkey-user-script
Status: enabled
-- Plugins information
-- Addons package information
ii firefox-esr 45.9.0esr-1 amd64 Mozilla Firefox web browser - Ext
-- System Information:
Debian Release: 9.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages firefox-esr depends on:
ii debianutils 4.8.1.1
ii fontconfig 2.11.0-6.7+b1
ii libasound2 1.1.3-5
ii libatk1.0-0 2.22.0-1
ii libc6 2.24-10
ii libcairo2 1.14.8-1
ii libdbus-1-3 1.10.18-1
ii libdbus-glib-1-2 0.108-2
ii libevent-2.0-5 2.0.21-stable-3
ii libffi6 3.2.1-6
ii libfontconfig1 2.11.0-6.7+b1
ii libfreetype6 2.6.3-3.1
ii libgcc1 1:6.3.0-14
ii libgdk-pixbuf2.0-0 2.36.5-2
ii libglib2.0-0 2.50.3-2
ii libgtk2.0-0 2.24.31-2
ii libhunspell-1.4-0 1.4.1-2+b2
ii libnspr4 2:4.12-6
ii libnss3 2:3.26.2-1
ii libpango-1.0-0 1.40.5-1
ii libsqlite3-0 3.16.2-3
ii libstartup-notification0 0.12-4+b2
ii libstdc++6 6.3.0-14
ii libvpx4 1.6.1-3
ii libx11-6 2:1.6.4-3
ii libxcomposite1 1:0.4.4-2
ii libxdamage1 1:1.1.4-2+b3
ii libxext6 2:1.3.3-1+b2
ii libxfixes3 1:5.0.3-1
ii libxrender1 1:0.9.10-1
ii libxt6 1:1.1.5-1
ii procps 2:3.3.12-3
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages firefox-esr recommends:
ii gstreamer1.0-libav 1.10.4-1
ii gstreamer1.0-plugins-good 1.10.4-1
Versions of packages firefox-esr suggests:
ii fonts-lmodern 2.004.5-3
ii fonts-stix [otf-stix] 1.1.1-4
ii libcanberra0 0.30-3
ii libgnomeui-0 2.24.5-3.1
ii libgssapi-krb5-2 1.15-1
pn mozplugger <none>
-- no debconf information
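Added example, not part of the bug report or of Firefox: a small Python check that does what the network.IDN_show_punycode preference mentioned above does for the user, rendering a hostname as the punycode A-label the DNS actually resolves, and additionally flagging labels that mix scripts or are wholly made of Cyrillic letters confusable with Latin ones (the case in the report). The confusables map is an assumed, constructed subset of the Unicode confusables table, and the function names are this example's own.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of the Unicode confusables table: Cyrillic letters whose
# glyphs are indistinguishable from Latin ones in most fonts (assumption: this
# list is illustrative; a real checker would load the full table).
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

def to_alabel(label: str) -> str:
    """Return the label as the DNS sees it: plain ASCII, or an xn-- punycode A-label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'CYRILLIC' or 'LATIN'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def analyze_label(label: str) -> dict:
    """Punycode form, Latin look-alike and suspicion reasons for one label."""
    letters = [c for c in label if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    lookalike = "".join(CYRILLIC_CONFUSABLES.get(c, c) for c in label)
    reasons = []
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    if scripts == {"CYRILLIC"} and all(c in CYRILLIC_CONFUSABLES for c in letters):
        reasons.append("whole-script confusable, renders like '%s'" % lookalike)
    return {"punycode": to_alabel(label), "lookalike": lookalike, "reasons": reasons}

def analyze_url(url: str) -> dict:
    """Summarise how the hostname of url would be displayed and why it is suspicious."""
    host = urlsplit(url).hostname or ""
    labels = [analyze_label(part) for part in host.split(".")]
    return {
        "display": host,
        "punycode": ".".join(l["punycode"] for l in labels),
        "lookalike": ".".join(l["lookalike"] for l in labels),
        "reasons": [r for l in labels for r in l["reasons"]],
    }

if __name__ == "__main__":
    # Second URL is the all-Cyrillic look-alike from the report (www.аррӏе.com).
    for url in ("https://www.apple.com/", "https://www.\u0430\u0440\u0440\u04cf\u0435.com/"):
        r = analyze_url(url)
        print(r["display"], "->", r["punycode"], "|", "; ".join(r["reasons"]) or "ok")
```

Running it shows the reported URL resolving to www.xn--80ak6aa92e.com, which is what a punycode-only location bar would have displayed.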