TechSpot

Security flaw found in Mozilla browsers

By Julio Franco
Jul 9, 2004
  1. Microsoft's Internet Explorer has been heavily criticized over the past few months given the impressive number of security holes found, which has kept increasing as time passes. Rest assured, however, no piece of software is perfect, and with all the attention PC security is getting nowadays, it came as no surprise that a new security flaw discovered in Mozilla browsers caught the big headlines earlier today:

    "Branches have been created for three of mozilla.org's latest releases, in order to fix an external Windows protocol handler bug. The fix involves disabling the shell: protocol handler, which was found to enable pages to run executables on Windows via a link. Builds should officially be available shortly, and there will also be an XPI offered to disable the pref. Alternatively, you can set the pref network.protocol-handler.external.shell in about:config to false to remove the exploit."

    Patched versions of Mozilla 1.7.1 and Firefox 0.9.2 have now been released; there's also the option of downloading an XPI patch that disables the shell: protocol handler.
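
Added example, not part of the original article and not Mozilla's code: a small Python audit that reports the effective value of the `network.protocol-handler.external.shell` pref named in the quote above, given the contents of a profile's prefs.js and user.js. The sample file contents are constructed, and the code assumes user.js is applied after prefs.js; an "unset" result means the build's own default applies.

```python
import re

# Pref named in the mozilla.org announcement quoted above.
PREF = "network.protocol-handler.external.shell"

# One user_pref("name", value); statement per line, as in prefs.js / user.js.
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

def audit(files, name=PREF):
    """Return 'disabled', 'enabled', 'invalid' or 'unset' for pref `name`.

    `files` holds file contents in load order (prefs.js, then user.js);
    the last assignment wins. Lines starting with // or # never match.
    """
    state = "unset"
    for text in files:
        text = _BLOCK_COMMENT_RE.sub("", text)  # drop /* ... */ blocks
        for key, raw in _PREF_RE.findall(text):
            if key == name:
                state = {"false": "disabled", "true": "enabled"}.get(raw, "invalid")
    return state

# Constructed sample contents (not taken from a real profile).
PREFS_JS = '''# Mozilla User Preferences
/* Do not edit this file. */
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("network.protocol-handler.external.shell", true);
'''
USER_JS = '''// user_pref("network.protocol-handler.external.shell", true);
user_pref("network.protocol-handler.external.shell", false);
'''

if __name__ == "__main__":
    print("prefs.js only:      ", audit([PREFS_JS]))
    print("prefs.js + user.js: ", audit([PREFS_JS, USER_JS]))
```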
     
  2. Didou

    Didou Bowtie extraordinair! Posts: 5,899

    You can also find the patch HERE.:)
     
  3. RedRooster

    RedRooster TS Rookie Posts: 18

    Glad to see they are patching it both ways (new release and patch), so new users are patched right away instead of downloading 2 things!
     
  4. Godataloss

    Godataloss TS Rookie Posts: 501

    I'm pretty sure this is my fault:eek:
    Since I finally allowed firefox to be my default browser yesterday, it only makes sense that it would start to get holes punched in it
    :unch:firefox
     
  5. Arris

    Arris TS Evangelist Posts: 4,604   +110

    Well I still feel good about being a long term Opera user (until it gets its flaws searched out). :D
     
  6. TS | Thomas

    TS | Thomas TS Rookie Posts: 1,327

    This problem only affects Windows, not other OSes.

    "Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 contain no new features other than a preference change that disables the shell: protocol handler."

    "Some may find it notable that a patch was issued less than forty-eight hours after this bug was filed."

    "On July 7 (yesterday) a security vulnerability affecting browsers for the Windows operating system was posted to Full Disclosure, a public security mailing list. On the same day, the Mozilla security team confirmed the report of this security issue affecting the Mozilla Application Suite, Firefox, and Thunderbird and discussed and developed the fix at Bugzilla bug 250180. We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users.

    Today, the Mozilla team released a configuration change which resolves this problem by explicitly disabling the use of the shell: external protocol handler."

    So there you have it, the Mozilla team fixes a security issue pointed out within 48 hours. Microsoft gets pointed out security issues dating back (+2 years in some cases) months & fail to fix them, instead pointing out they wouldn't classify it as a security problem, or in many cases only fixing 1 particular method of exploiting a hole, rather than fixing the root problem itself.
     
  7. Federelli

    Federelli TS Rookie Posts: 382

    So this is more a Windows flaw than it's a Mozilla one? ...
    I'm glad they patched right away :)
     
  8. ---agissi---

    ---agissi--- TechSpot Paladin Posts: 2,384   +15

    A

    Aha

    Ahahahah
     
  9. DigitAlex

    DigitAlex TechSpot Paladin Posts: 583

    Yes, actually the IE and Mozilla flaws are a huge Windows security hole, the shell: handler provided to the browsers.
     
  10. Phantasm66

    Phantasm66 TS Rookie Posts: 6,504   +6

    LOL!

    That's what I think has happened to me as well.
     
Topic Status:
Not open for further replies.

