There has been a lot of buzz about a Firefox add-on named Firesheep.  I have kind of ignored the topic for some time, but after getting a few emails from Firefox users asking what it is about – I thought it might be time to shed some light on the topic – so that all Firefox users know it is out there.  Firesheep snoops fro cookies, and then allows others to log into websites as you if you are browsing on an open wireless network.

Mozilla has said it would not (or could not) put in a kill switch to disable the Firesheep add-on from stealing log-on and account access information to Facebook, Twitter and other major website services out there. The reason for this is because it does not exploit a vulnerability in Firefox – it exploits a whole in a number of popular websites instead.

So what you can do to protect yourself, if you often browse from an open wireless network? Download Squad has put together a great guide on how to defend against Firesheep by surfing securely with HTTPS. Sebastian has done a great job at giving you all the details you need to know there.

Now, before you go searching for Firesheep on your own – let me warn you.  While downloading Firesheep and Firesheep itself is not illegal, using Firesheep to login as somebody else (so the process of using the add-on) is illegal under US law.

Hopefully the attention this add-on has drawn will create enough buzz to get some of the biggest websites out there today to fix this hole and better protect their users.

Ronald van den Heetkamp says that he found a vulnerability that effects all versions of Firefox (even the most recent 2.0.0.12 update). Found out about this over at Mozilla Links.

Then I go check out Asa’s blog to see what he is saying about it, and he writes:

This news item on /. and making the rounds on some blogs is not real. It’s not a flaw. This guy’s found a way to read a file that doesn’t contain any personal information and that’s identical for every Firefox install on the planet. It’s simply not a flaw.

His post then points me over to Mike Shaver’s post who does a better job at explaining the situation. It turns out that the vulnerability found does not have access to the user’s setting at all. The files are not stored in the Windows program files (or any other operating system’s equivalent for that mater). Check out his post to see Ronald and Mike discuss the topic on on one via the comments for more information.

I love the Internet.

This is actually a threat that I had considered once or twice before – but it seems like it is getting a little more “conversation” around the Web this time around. For the best description on what this security hole is all about – lets turn to CyberNet News.

So what’s the problem? When using an extension in Firefox it frequently checks to see if there is a more updated version available, and Firefox will notify the user whether they are running the latest version. Normally the user will agree to the update and proceed with their normal browsing activities, but there could be more going on behind the scenes than the user is actually aware of.

Looks like Firefox isn’t looking to fix this yet till version 3 of the browser rolls out. Folks like Google though have promised to fix any issues with their extensions as soon as they can. All we can hope is that others will follow suit.

Today, Mozilla made public bug #360493, which exposes Firefox’s Password Manager on many public sites. The flaw derives from Firefox’s willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user’s site will be unhelpfully propagated with the visitor’s Myspace.com credentials.

+ Read More About the New Bug in Firefox 2′s Password Manager!

Mozilla Corp. Thursday updated its Firefox browser to fix 7 flaws, including 4 pegged by the open-source developer as “Critical.” Of the four critical vulnerabilities patched in Firefox 1.5.0.7, none are currently being exploited, Mozilla said in detailed descriptions of each fixed flaw. In fact, Mozilla said in several of the descriptions that it was not sure whether the specific vulnerabilities could be exploited, but had issued patches just in case.

+ Read More About the Security Threat!

Virus writers have created a spyware package that poses as an extension to the Firefox web browser. FormSpy, which poses as the legitimate NumberedLinks 0.9 extension, is programmed to steal confidential information from compromised machines including passwords, credit card numbers, and ebanking login details. The malware is also capable of sniffing passwords from ICQ, FTP, and email traffic before sending this data to a hacker-controlled website.

[Learn More About Firefox's Security Threat!]