You can disable IDN support in Mozilla products by setting 'network.enableIDN' to false. There is no known workaround for Opera or Safari. Vendor responses have been varied with VeriSign and Apple failing to respond but Opera believing they have correctly implemented IDN, and will not be making any changes (oops). Mozilla are currently working on finding a good long-term solution. The company provided a clear workaround for disabling IDN temporarily until it can better address the issue.

The workaround for firefox seems to be an edit to your compreg.dat.

For windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat

For UNIX
~/.mozilla/firefox/default.random/compreg.dat

Removing the line that references IDN makes the problem go away. Using Find, there was a single reference for the UNIX host and 2 for the Win32 host. Removing the lines and restarting the browser makes the attack fail regardless of the about:config/userprefs.js value.

Here's an example entry.

{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

Instead of deleting the line (1 in Linux) or lines (2 in Win) you can just comment them out by using the character #

Isn't compreg.dat re-created anytime you install a new plugin/extension installed ? and wouldn't that overwrite the old file with the commented out line (not sure if FF respects the readonly attribute either, a la cookies.txt)... I haven't tested this as I haven't had the time and as i'm not really all that concerned with the IDN issue (based on my browsing habits)...

well i got a chance to test... and unless u make the file readonly the edit will be OVERwritten on new plugin/extension installation. also keeping readonly may prevent your newly installed extension/plugin from registering properly... SO... make sure reedit the file after extension/plugin installation....

Just added info ... Kye-U's Filters V4.30 for Proxomitron also prevent this exploit.

Kye-U's Forum (link to post) - http://www.kye-u.com/proxo/forums/i...=225&#entry3846
Direct Download of Kye-U's V4.30 .cfg ~Zipped~ - http://www.kye-u.com/proxo/dp/download.php?file=18
(I hope, you don't mind me posting a direct link Kye-U)

thats annoying, I hope apple get on to this soon

Must re-edit when new plugin/extension is installed

I just make a shortcut to the file and open innotepad - use "replace" (or "find") function. I just replace "IDN" with"#" - it works.

Or you can use Proximitron:

What is proximitron?

For those who have not yet been introduced, meet the Proxomitron: a free, highly flexible, user-configurable, small but very powerful, local HTTP web-filtering proxy.û To become better acquainted, please see our online copy of the Proxomitron Help Files for a more comprehensive overview.

The current (and last) version of Proxomitron is Naoko 4.5, of which there were two releases, one in May of 2003 followed by one in June.û Although very similar, there are distinct differences between the two which are not mentioned in either program's documentation.û Both releases are available in the Files section.û P.I's focus will be on the latest version -- the June release.

Another temporal workaround:

1. Install the extension Greasemonkey

2. Don't forget to restart Firefox to complete the extension installation.

3. Right click this link (DON'T FOLLOW THE LINK): IDN patch script and click "Install User Script..."

4. A window will appear. Press OK.

Finished. It will raise an alert when the URL contains IDN characters.

English language is not my best, so translation errors advices will be welcome