All you Firefox users out there should be aware of this recently discovered
password vulnerability in Firefox 2.0.0.5. According to
a message posted over the weekend on the Full-Disclosure mailing list, the
latest version of Firefox, 2.0.0.5, contains a password management vulnerability
that can allow malicious Web sites to steal user passwords: "If you have
JavaScript enabled and allow Firefox to remember your passwords, you are at risk
from this flaw," the site warns. According to
Linux.com,
Apple's browser Safari is also vulnerable to the same flaw. The site advises
that users either disable JavaScript or not use automatic password management on
sites where users can post JavaScript pages. For those interested, Heise
Security has put together
a proof-of-concept demonstration of the flaw that does indeed seem to work
on Firefox 2.0.0.5.