Update: The fix that is documented in the original advisory and recommended by Mozilla doesn’t work reliably. As soon as you restart Firefox, you’re vulnerable again. Worse, the about:config file continues to show that you’ve properly disabled the setting. This issue is thoroughly discussed in this thread on the MozillaZine Forums, and the behavior itself is documented in Bugzilla as bug 281365 (you may also see it referenced as bug 281377, but that one is a duplicate).
Thanks to John Walkenbach for pointing out this problem.
I’ve had a chance to work a little more with the vulnerability that affects Firefox and other non-Microsoft browsers. This fix, which was documented in the original advisory, worked for me.
- Open Firefox, click in the Address bar, type about:config, and press Enter.
- Scroll through the alphabetical list to the entry labeled network.enableIDN.
- Double-click that entry to change its value to False.
You don’t need to close or restart Firefox. The change is immediate. Note that any changes you make to default Firefox settings appear in bold in this list. I also expect that a Firefox patch will appear in short order.
Presumably, other Mozilla-based browsers work the same way. At this point there is no known solution for Macintosh Safari users, and the response from Opera (as quoted in the original Shmoo advisory) is that they believe the feature is working properly and plan no changes. Something tells me they’ll change that tune very soon!