Security flaw found in Mozilla browsers

Status
Not open for further replies.

Julio Franco

Microsoft's Internet Explorer has been hardly criticized over the past few months given the impressive number of security holes found, which has kept increasing as time passes. Rest assured, however, no piece of software is perfect, and with all the attention PC security is getting nowadays, it came as no surprise that a new security flaw discovered in Mozilla browsers caught the big headlines earlier today:

"Branches have been created for three of mozilla.org's latest releases, in order to fix an external Windows protocol handler bug. The fix involves disabling the shell: protocol handler, which was found to enable pages to run executables on Windows via a link. Builds should officially be available shortly, and there will also be an XPI offered to disable the pref. Alternatively, you can set the pref network.protocol-handler.external.shell in about:config to false to remove the exploit."

Patched versions of Mozilla 1.7.1 and Firefox 0.9.2 have been released now; there's also the option of downloading an XPI patch that disables the shell: protocol handler.
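
A check for the about:config workaround quoted in the post above, as an added example that is not part of the thread or of Mozilla's code: it reads prefs.js/user.js-style text and reports whether the pref is explicitly set to false. The function names and sample profile contents are constructed for illustration; it assumes the `user_pref("name", value);` line format and that user.js overrides prefs.js at startup.

```python
import re

# The pref named in the quoted mozilla.org announcement.
SHELL_PREF = "network.protocol-handler.external.shell"

# Matches lines such as: user_pref("some.name", false);
# Anchored at line start, so commented-out prefs are ignored.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)

def parse_prefs(text):
    """Return {name: value} from prefs.js-style text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # header comments, blank lines, anything unparsable
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def shell_handler_status(prefs_js="", user_js=""):
    """Classify a profile as 'disabled', 'enabled' or 'unset'."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))  # assumption: user.js takes precedence
    if SHELL_PREF not in merged:
        return "unset"  # the build's default applies; check the version
    # Only an explicit boolean false counts as the workaround being applied.
    return "disabled" if merged[SHELL_PREF] is False else "enabled"

# Constructed sample profile contents (not taken from a real system).
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.protocol-handler.external.shell", true);
'''
SAMPLE_USER_JS = 'user_pref("network.protocol-handler.external.shell", false);\n'

if __name__ == "__main__":
    print(shell_handler_status(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

An "unset" result means the profile relies on the build's default, so the installed version still has to be compared against the patched releases named above.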
 
Glad to see they are patching it both ways (new release and patch), so new users are patched right away instead of downloading 2 things!
 
I'm pretty sure this is my fault :eek:
Since I finally allowed Firefox to be my default browser yesterday, it only makes sense that it would start to get holes punched in it
:unch:firefox
 
Well I still feel good about being a long term Opera user (until it gets its flaws searched out). :D
 
This problem only affects Windows, not other OSes.

"Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 contain no new features other than a preference change that disables the shell: protocol handler."

"Some may find it notable that a patch was issued less than forty-eight hours after this bug was filed."

"On July 7 (yesterday) a security vulnerability affecting browsers for the Windows operating system was posted to Full Disclosure, a public security mailing list. On the same day, the Mozilla security team confirmed the report of this security issue affecting the Mozilla Application Suite, Firefox, and Thunderbird and discussed and developed the fix at Bugzilla bug 250180. We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users.

Today, the Mozilla team released a configuration change which resolves this problem by explicitly disabling the use of the shell: external protocol handler."

So there you have it: the Mozilla team fixes a security issue pointed out within 48 hours. Microsoft gets security issues pointed out dating back months (+2 years in some cases) and fails to fix them, instead pointing out they wouldn't classify it as a security problem, or in many cases only fixing 1 particular method of exploiting a hole, rather than fixing the root problem itself.
 
Yes, actually the IE and Mozilla flaws are a huge Windows security hole, the shell: handler provided to the browsers.
 
Originally posted by Godataloss
I'm pretty sure this is my fault :eek:
Since I finally allowed Firefox to be my default browser yesterday, it only makes sense that it would start to get holes punched in it
:unch:firefox

LOL!

That's what I think has happened to me as well.
 