Mozilla/Firefox Bug Allows Arbitrary Program Execution
treefort writes "An article at eWeek has the lowdown. The article also has a link to the bug report which addressed this issue some time ago. Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities. Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000." New releases are already available on mozilla.org that fix this. Update: 07/09 00:41 GMT by CN : I removed the bum link to Bugzilla, since I guess they don't like us. Also I discovered that OSDN's own NewsForge has more on the situation.
FYI, in case you didn't read the article, you can download the fix here.
Sigs cause cancer.
And now for some helpful links:
Note: If you click on download links for firefox on the main page of mozilla.org, you get 0.9.2. The link on the firefox page @ http://www.mozilla.org/products/firefox/ still gets you 0.9.1. The link on the main page for the Linux version of Firefox still points to version 0.9.1. It seems that if you want 0.9.2 for Linux you'll have to compile it yourself.
0.8
0.9rc
0.9
0.9.1
0.9.2
And a direct link to the newest release for the really lazy:
Windows 0.9.2
The question is, what is the shellblock.xpi for?
Does Bugzilla know? Sorry, links to Bugzilla from Slashdot are disabled. Ook!
Casual Games/Downloads
"Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000"...there goes a perfectly good Ha-Ha!. You've bested me this time *NIX...But you haven't seen the last of ME! BWAHAHA!
Releases are available already. One of the (many) reasons I switched to the Gecko browsers from IE, because they actually update their software.
Note how fast it was patched compared to the fact that IE still doesn't have tabbed browsing.
If you liked my post,
I guess that this is a big deal because I can't remember the last time Mozilla had a remote hole in it.
MOUNT TAPE U1439 ON B3, NO RING
Surprised I posted this early with Firefox cracked wide open.
Internet Explorer's finest hour!
"True dat with a wiffle ball bat." -- kabrakan
"Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities."
Seriously.
I can't help but think that this thread from earlier today can be seen as good news from a security context...
Just how does Mozilla/FireFox think it's going to keep malware from tricking the users into granting permission when the clueless masses come over from IE?
Mind you, I love Firefox, but I hate hypocrisy.
That was a nice patch. Thanks.
My hyperlinks aren't worth the paper they're printed on.
Just goes to show that as an item gains momentum, people will find more bugs/exploits in the software. If you are looking for targets, you typically go for the common denominator to be able to cut the widest swath possible.
Sorry, links to Bugzilla from Slashdot are disabled.
ShellBlock fixes Bug 250180, by disabling the shell protocol handler.
This fix is for users of all Mozilla products on Windows XP
Hmmm, article states Win2K and XP, fix page states Win XP.
Who to believe.....
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
Firefox has no critical update system, or automatic notification of anything. All the clueless drones who switched to Firefox because the news said it was more secure are going to be blissfully enjoying a cup of tea while someone is examining the files on their computers.
"Researchers are reporting another security issue in Web browsing under Windows"
Sounds like a Windows problem, not a Mozilla problem. Oh, wait a minute...
Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle.
Ding! Next. However:
The attacker would have to know the location in the file system of the program
So just in case, I'm renaming my /bin, /sbin, and /usr directories to /zurg, /mumph, and /splunge. Bring it, you haxx0rs!
malicious persons are much more unlikely to target any vulnerabilities
I disagree... if anything, malicious people are MUCH more likely to target vulnerabilities.
$0.02 (CDN)
If these other sites are so good then I'm sure people will go them and stop going to slashdot.
What? Open source software with a similar bug to a Microsoft product? Nevar! It's that damn liberal media!
Of course bugs will appear in Firefox.
Nobody in their right mind can expect a product to be perfect, but what makes Mozilla different is that bugs are fixed instantly. And that's because of the open source community, which is far more reliable than the competition.
People might disagree with me, but I still think these bugs (and their immediate fixes) only show how great open source really is.
If you were paying attention, you'd have noticed that it is already fixed. Not only that, but installing the fix is dead simple.
That's the opposite of hypocrisy. That's leading by example.
It remains without question that no matter what you install, there's always risk. It is, however, the actions of those who provide the programs that do us well or do us ill. Mozilla's quick response is an example of fine, quality product support.
Since FF 0.9.1 kept crying wolf and telling me that new updates were available (that weren't) - I would have been way behind in updating had I not seen this article on /.
I don't like that the entire package had to be updated - a whole new setup program/procedure. I understand the depth and breadth of this particular bug, (and I don't suppose this is the issue) - but it's a drag that to update a minor fix in FF an entire download and install are required. The bright side is the rather small download size...
Anyway, just my two small complaints about FF.
This is NOT a Firefox bug. It is a bug in an external protocol in Windows, which Mozilla calls. The fix is to disable ALL external Windows protocols. (bittorrent, mirc, etc)
I thought only IE had bugs, and Mozilla/Firefox was supposed to be the Alpha and the Omega of all web browsers?
Mac OS X user. However, what's the blank window that shows up when I Exposé Firefox?
I'm in the hole of the broadband donut.
The Hun for those geeks who are Cowards, anonymous or otherwise. Browsing The Hun, you'll get inspiration for the act of cowardice /. readers perform most often: five guys beating one up.
How dangerous Mozilla can be. Everyone should be listening to Microsoft and use a secure browser such as Internet Explorer that isn't littered with security vulnerabilities.
Welcome to the world of hypocrisy.
Yeah, all those people who used to say that Windows is insecure sure look silly now saying that, ummmmmmm, Windows is insecure.
KFG
Mozilla hands off schemes it doesn't know to the operating system (Windows), and WINDOWS executes the shell scheme. It was obviously a security flaw in their eyes, too, as they fixed it in XP SP2. If you were able to run Windows with real restricted user accounts, this wouldn't really be such a problem.
in ie if i type
file:///c:/windows/system32/mspaint.exe
I can load the program, in firefox it prompts me to download it and disables the open option.
does this mean IE has always been vulnerable to this type of bug?
Isn't this a bit like the bug that Safari (and OS X URI handling in general) had earlier?
English is easier said than done.
"Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000."
:) Just my 2c
That sounds like a windows bug to me...not a mozilla bug
About 25% of the time when I click on the down arrow, the dropdown "recently visited" list briefly appears and then goes away. Click on the down arrow again: the list displays and remains there so you can choose the desired link.
Any solution for this? It's driving me nuts, and I can't find a bugzilla entry for it.
so glad I didn't "update" to Win XP.
Remind sales force to re-emphasize our commitment to security. Suggest that if they are asked about Firefox to take on the blank stare which indicates you would laugh at the customer's foolishness if you weren't so extraordinarily polite.
If that doesn't work, teach the sales force the monkey-dance.
Also, float new IE motto: I... LOVE... THIS... BROWSER... YEAH!
-Steve Ballmer
new security company, fraud and ict sec.., I need help! wanna be my accomplice? Only open for the ict section, need folks who know nip, tcp/IP, ipSec, des/PGP, fourthfloor, nsk, and most urgent html security and programming.. check this out.. Quite seriously, I need people who at least speak Norwegian, who know parts of the above, and/or who have other security-related background in the hacker/cracker scene.. this is important for getting an edge on the other established companies that already exist.. Give me a pip in tnys@start.no And folks, be serious then.. I don't need crapmail!!!!!!
Woah, so malicious persons using Firefox suddenly grow a heart and decide not to harm the little folks in Mozillaville? I guess the spirit of open source has a similar effect as the spirit of Christmas in "The Grinch Who Stole Christmas". The little script kiddie who learned the true meaning of software development... <sniff, sniff> Neato!
<Reads again> Oh, I think you meant to say that compared to Internet Explorer it's not as tempting a target. Oh well. ;-(
Well, for all those who are browser-shopping, FireFox gets marked off the list of contenders. Who's next?
NCSA Mosaic?
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
At first I thought it (Shell:) was for running plug-ins, but then the fix would disable plug-ins - so that's not it or is it?
Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities.
Depending on obscurity? Shame on you.
There are no known exploitations of this in the wild, so it in no way shows that attackers are going for the common denominator of Mozilla installations.
Also note that this is a problem with Windows URI Handler rather than Mozilla. Mozilla passes any protocol it doesn't understand to Windows, and Windows uses it to execute a local file. That's why this problem doesn't exist in anything but Windows.
This just goes to show that Microsoft makes insecure software, and that insecurity often bleeds into otherwise trustworthy programs.
You can't judge a book by the way it wears its hair.
about the shell: protocol security issue
you smug asshole. truth matters equally to left-wing ideologues (moore) and right-wing ideologues (you).
timely when the bug was opened in 2002 (checks calendar); seems pretty old.
"Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities." So you are not using Firefox because it is safer than IE, just less likely to be exploited. What if Firefox had 30% of the browser market?
Please point out the hypocrisy.
I don't hear the OSS community pretending their software has no bugs or holes.
Silly rabbit
Mozilla have been fairly lax about security problems if they think they are obscure or something. Search bugzilla for the file: protocol and you can find a few. Mozilla allows (since ever and at least up to version 1.7) http-sourced documents to open file: URLs, including /dev/tty. For some reason they think this is not worth fixing.
That took most of 90 seconds to fix, and no restart. Firefox is great.
What do you know? A new update is already available.
Can't they *fix that* already? It's been in .9.0, .9.1 and .9.2!
And I don't think anyone is pointing to IE and saying "look at this one flaw".
The point is that IE operates much the same way a sewer grate does. There's a whole lot of holes. And it takes a long time to get them fixed.
If it were a comparison to Firefox, we have one exploitable hole, compared to how many for IE?
[ think ]
OK, that's it you guys. No more talk of how IE is so insecure because of Microsoft's 'monoculture.' Security issues, it seems, are a way of life in software. There are plenty of other arguments against Microsoft so there's no reason to use this one any more.
Personally I'm still going to use FireFox. It's a better browser than IE and I'm happy that they patched it in a single day. It's a little worrisome that this issue sat around on Bugzilla, hopefully this will motivate the Mozilla team to figure out some procedures to keep security bugs from slipping through the cracks.
It's always nice when a patch installs in 3 seconds with no issue and no demand for a reboot. Today was the day I switched to Mozilla, I've been using it for about 2 years now off and on but I just can't take IE and its security chasms.
Windows 2000 is **NOT** vulnerable. A few folks on a security mailing list and I have been testing it. The code can be executed within IE 6 and Firefox as it is a command that gets passed to the OS. You can execute the commands from the Start button as well.
That's why you need Mozilla with that handy "Launch This Page in IE" plugin. Referrer=null.
This particular type of exploit hit Safari, too.
Yes, that's why I will continue using Konqueror on Linux [for now]. BTW since Konqueror is written using QT which can be used to deploy cross-platform apps, why don't we have Konqueror for Windows?
In the definition of a URI (Uniform Resource Identifier), the technical name for a Web address, "shell:" is not a protocol like http but a scheme. Some schemes map directly to protocol handlers in the browser itself or externally, such as those that handle audio and video media. Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle. In this case, the location passed to the shell is a program name that the shell executes. Is it still a security hole in Mozilla????
I say no more! We gain nothing by making fun of those poor souls that must use MS Windows. We should have sympathy for these misguided children and not publicly air their misfortunes.
Stop the Madness! We, like Fox News, must limit ourselves to positive MS stories. But we can do even more. We can actively search for negative *nix stories in hope that our misfortune will make those hapless lusers feel better.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Whilst it's easy to take pot-shots at Microsoft when it comes to IE, their update system isn't too bad. Firefox needs an easy-to-use mechanism for automatically retrieving and installing critical updates, in a manner similar to the MS Windows Update service.
Even better, take a leaf out of Norton's liveupdate program.
I just installed Shellblock XPI for Mozilla v1.7 from http://update.mozilla.org/extensions/moreinfo.php?id=154. How can I check it is installed?
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Eweek and Slashdot linked to bug 167475, implying that Mozilla developers knew about this hole in 2002. Fixing bug 167475 would have done approximately nothing to protect Mozilla users against the shell: hole in Windows, and that is why bug 167475 hasn't been fixed.
The correct bug number for this hole is bug 250180.
The shareholder is always right.
This is added intentionally so that Mozilla contains all of the features of Internet Explorer.
Oh yes, that's right! I went there.
kyjello is too damn smooth to make a signature.
Wow, if trends like this keep happening pretty soon us Linux users will have the full feature set of Internet Explorer!
/sarcasm_off
oh yeah!
Where can I find a demonstration or a Howto-Repeat?
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Mozilla/Firefox Bug Allows Arbitrary Program Execution
Gates team, light your flamethrowers!
Is it still security hole in Mozilla????
Yup. Because Mozilla, as a local application, has a much higher set of privs than a remote website does. This is basically taking code (high-level instructions, but code) from a known insecure zone and telling the OS to run it without any built-in safeguards. And what do you know: we have an exploit.
Here's a fun example of how IE gets it right. Take the URI file:///c:/windows/system32/mspaint.exe from another example on this discussion. Type that into start/run on a Windows box - it works. Type it into the Address bar of IE - it works. Toss it into a webpage on the local machine and click on it - it works. Toss that webpage onto a remote server and click on it - it doesn't work any more. Different behaviors for different levels of trust. Mozilla defeats this by passing things to the shell with the same level of trust as the user has given it, the local program, which includes the (necessary) ability to mess with the filesystem.
You're special forces then? That's great! I just love your olympics!
Well, 22 months and 90 seconds actually, if you count from when the bug was found in September 2002.
Please, just take the networking stack out of Windows.
Apparently no network application can be secure on it.
A lot of people have the problem where, even after they've updated to firefox 0.9.1 (or now 0.9.2) the automatic update still says that there is a new update available (annoying).
Here's the fix:
Enter about:config in the location bar.
Enter update.app in the filter field. (Click on Enter)
Reset any prefs that appear in bold.
Restart Firefox.
taken from FireFox support newsgroup. [http://www.mozilla.org/support/]
Microsoft must have known about this hole, since Internet Explorer disallows the shell: protocol. When they found out about this hole, they had three choices:
They went with the second choice.
...they didn't realise at that point that this could be launched without user interaction, that is what was posted to full disclosure - when that was written it was believed that a user had to be fooled into clicking on that link - a whole different ballgame.
True, I think this was something that should have been looked at earlier, but the same day the no-user interaction vuln was posted, there was a fix.
Is there a (proper) fix yet for the download.ject problem? No, even with the temporary "sticking plaster" that microsoft launched onto windows update this week there are still ways to exploit the problem. It will be months until a proper patch that fixes that will be released, if it is ever released at all.
Let's keep things in perspective and in context please.
I am NaN
Anyone else notice the horrendous moderation on this article? It seems the OSS zealots are out in force tonight, eager to hide any comments that potentially threaten their arguments. I posted a similar comment to this one and it was called flamebait. Why? I guess these comments are too dangerous to the groupthink here on Slashdot.
Hello? Browsers must not execute arbitrary programs on client machines. Is there anybody who doesn't get this yet?
And why aren't we running browsers in jails yet, anyway?
nt
"Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities."
Yep, maybe that's a bit true (debatable though). But it's only one of dozens of reasons why Firefox is safer than IE, and there are also dozens of reasons why IE is safer than Firefox. To wit:
My point? His statement is biased because he's pointed out only one average argument in favour of Firefox, whereas there are many arguments that can be made in either direction.
dillo, here I come!
Now I look like the fool.
I spent effort convincing all of my friends and relatives to switch from IE for their own safety.
Now I need to remind them to upgrade because the software does the same stuff (and worse) that IE does.
I'm genuinely angry at the presence of this bug.
Which is basically to say:
IE bad because it is integrated into the OS
Moz bad because it calls the OS because it's not integrated
Both are bad. In fact, this is quite bad for Moz, as one of the touted improvements is that not being OS-integrated avoids such issues.
Basically, you're passing on data from the windows URI handler... so it's almost like importing a windows IE/Web insecurity into Moz. Perhaps if Moz just imported the windows URI handlers as a datafile, and stripped out known baddies?
Heretic, YOU MUST BURN!
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
The developers considered changing from scheme blacklisting to whitelisting, in which case all schemes and protocols would be disallowed unless explicitly allowed.
Duh.
I have been saying this for some time now: Never use blacklists. Always use whitelists.
If you forget to put an insecure operation on a security blacklist, you have a security hole. If you forget something on a whitelist, you just have an inconvenience.
I am disappointed that the Mozilla developers did not have enough common sense to use whitelists in the first place. But then, it seems like most computer security schemes are blacklist-based, which explains why computers are so insecure.
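The deny-list versus allow-list point in the comment above, as an added example that is not part of the thread and not Mozilla's code: the same hand-off decision written both ways. The function names and the `vbscript` deny entry are hypothetical, the sample URIs are constructed, and the allow-list entries (ftp, telnet, mailto) are the ones another comment in this thread attributes to Opera.

```javascript
// Added illustration: deciding whether a browser may pass a URI to the
// operating system's handler. All function names are hypothetical.

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), case-insensitive.
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.-]*):/;

// Return the lower-cased scheme, or null when the string has none.
function extractScheme(uri) {
  const m = SCHEME_RE.exec(String(uri).trim());
  return m ? m[1].toLowerCase() : null;
}

// Schemes the browser renders itself (assumption for this example).
const INTERNAL = new Set(["http", "https"]);

// Deny-list: everything unknown is handed off unless someone remembered
// to list it. "shell" is deliberately absent to model the forgotten entry.
const DENIED = new Set(["vbscript"]);

// Allow-list: nothing is handed off unless explicitly listed.
const ALLOWED = new Set(["ftp", "telnet", "mailto"]);

function denyListPolicy(uri) {
  const scheme = extractScheme(uri);
  if (scheme === null) return "reject";
  if (INTERNAL.has(scheme)) return "internal";
  return DENIED.has(scheme) ? "block" : "handoff";
}

// userAllowed models a preference where the user opts a scheme in
// (entries are expected in lower case).
function allowListPolicy(uri, userAllowed = new Set()) {
  const scheme = extractScheme(uri);
  if (scheme === null) return "reject";
  if (INTERNAL.has(scheme)) return "internal";
  return ALLOWED.has(scheme) || userAllowed.has(scheme) ? "handoff" : "block";
}

// Constructed sample inputs; the parts after the scheme are placeholders.
const SAMPLE_URIS = [
  "http://example.org/",
  "Mailto:user@example.org",
  "irc://irc.example.org/channel",
  "vbscript:placeholder",
  "shell:placeholder",
  "  SHELL:placeholder",
  "no scheme here",
];

// Evaluate both policies side by side for each input.
function comparePolicies(uris) {
  return uris.map((uri) => ({
    uri,
    scheme: extractScheme(uri),
    denyList: denyListPolicy(uri),
    allowList: allowListPolicy(uri),
  }));
}

console.table(comparePolicies(SAMPLE_URIS));
```

The forgotten `shell` entry is handed to the OS under the deny-list and blocked under the allow-list, while `irc` shows the allow-list's cost: it stays blocked until the user opts it in.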
Keeping malware from tricking users isn't a technical problem to solve. You can provide the tools for the user to make the right choice in as clear and simple manner as possible, but you cannot /force/ a user to be educated.
You cannot solve the social problem of user ignorance with technology.
(Of course, you CAN solve the technological problems that allow malware to install itself without user action...)
Funny...the timing of this couldn't have been worse. I have been reading /. for a while now, and just the other day downloaded Mozilla, and then FF, then uninstalled FF and stuck w/ Mozilla, all on my work PC, just to see the differences between the two.
Well, I d/l'ed & installed it, and within 25 min of checking /. , CNN and Yahoo I had AdDestroyer, Virtual Bouncer and something else loaded onto my machine.
After hearing how all of the /.'ers praised the open-source marvel that is Mozilla, I figured I must have clicked an ad-banner by accident somewhere and let something in (3x accidentally clicking banners?? must have been really tired). I ran ad-aware and after the 3rd time through, it found and removed everything and we're all hunky-dory once more.
**Now** I know where it came from, it was so close after the install of Mozilla there is no way it could be anything else.
This goes to show me a few things.
1) Don't believe everything you read. Check it out for yourself, and download Ad-Aware right after.
2) IE is the big corporate megalith swinging its clumsy and vulnerable code all over the place, but I really hope people realize that once these browsers start to get the attention that IE has had, the same vulnerabilities will be exposed in them as well, and the whole problem that MS has had to go through will occur for Mozilla/Opera/whatever....patching patches, breaking your software with software fixes...Not that I am an MS fanboi, but it does get a little "Anything not MS" heavy on here now and again.
For now, I'll stick with IE. It does everything I need, I'm comfortable with it, and it didn't download crap from banners within the first 30 min. I used it. ...I did like the tabbed browsing though.
Somehow I saw it coming... Some big MS conspiracy thing. Get someone everyone believes to say - "Switch to Firefox!"
And when Firefox starts getting all the media - SWOOSH! Here comes the BIG Firefox bug. So you see other browsers AND open source programs are really buggy.
Welcome to MS software. Glad to have all your money.
This is where it is unclear who gets it wrong. Assuming that there is a legitimate need to run a local command from the browser line, where is "the single, unambiguous, authoritative representation" of the security protocol to reside? Is the check for security clearance within MS Windows accessible to every local program? If this is the case then Mozilla was written incorrectly because it duplicates knowledge. Or is the check for security protocols within IE and not available to every other browser? In this case MS is at fault because it promotes the duplication of standard bits of knowledge.
Dropping the previous assumption, why do we need to run arbitrary local programs from within a browser, especially without a bullet proof sandbox.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
You meant to say, "objectivity."
Welcome to Windows Update
Pick updates to install
There are no critical updates available at this time. (Snigger)
Or you can set network.http.sendRefererHeader to 0, and Mozilla [Firefox] won't send the referrer header.
The IT section color scheme sucks.
Nice to have the fix, but...
1. When I launch FireFox 0.9.1, I get no notification that a critical update is available.
2. After I update, there is no dialog that tells me I need to restart FireFox (and Thunderbird) unlike what the website says.
3. After I downloaded the patch, choosing Tools>Extensions doesn't show that a patch has been applied. Only the ability to search for updates exists, but before I applied the patch, I clicked on it and it says no updates are available.
Add to the fact that on a laptop of mine, even after I have uninstalled all older versions of FireFox, it still says that FireFox 0.9.1 is available when I have installed FireFox 0.9.2
Is the check for security clearance within MS Windows accessible to every local program?
Urm, I surely do believe so. That's why the user can even set it in their control panel - Internet Settings I believe - rather than just in IE (although IE does wrapper that .cpl to let you set them from within itself as well, purely for convenience). It's been a while since I did any Windows coding though so I couldn't tell you off the top of my head, and I'm too lazy to go look.
The Mozilla apps in general do seem to shun using standard approaches to things like this. At least they use local printers, though, they're not falling completely into the WordPerfect trap of providing "better" (mostly but not always) solutions to things they don't need to mess with. This is just an example of failing to take existing (yet OS-dependent) features into account.
You're special forces then? That's great! I just love your olympics!
Where do you get those earplugs?
Or maybe it's the fact that IE represents an easier target due to its much larger user base and long list of gaping holes.
Er, I think you need to look up 'hypocrisy' in a dictionary and get back to us.
"Or maybe it's the fact that IE represents an easier target due to its much larger user base"
It's fun to repeat what was said earlier isn't it
Reading the bugzilla entries for this and related bugs (an earlier post has the bugzilla url for this bug) is interesting in itself.
It shows that the developers well understood the security implications of the bug - but they were also trying to fit the browser into the MS scheme of things in which programs seem (I'm not a windows expert at that level) to be able to register protocols (shell:, vbscript:, irc:) that they get to handle. Disabling this in windows would then lead to Mozilla/Firefox behaving differently than they've come to expect.
It was further pointed out that mozilla could require a "yes" click in a dialog window, but that that would lead to other security issues.
Interesting reading.
Agreed. People just need to realize that Moore is the Limbaugh of the Left.
If IE is out, and so is Mozilla and related browsers, it seems that we should all be on Opera (or, if we aren't in it for the pretty pictures, let's all go back to Lynx).
Learn to love Alaska
This is a Windows issue. This of course won't stop everyone here from flaming though. Too bad you weren't the submitter.
All good points... And currently riding at -1, Flamebait. Sad. Very sad. Still, this place isn't short of fuckwitted moderators.
It's really not obvious when you go to Mozilla.org that there's a patch available. It should be on the right-hand-side instead of down in the middle of the page on the left-hand side. Also, mozilla.org/products/firefox doesn't tell you there's a patch available!! Hopefully, my email to its webmaster will help fix this soon.
I doubt they will block Slashdotters.
It's less effort, really it is. We now return you, of your own volition, to Windoze hell.
Friends don't help friends install M$ junk.
YMBNH
I'd rather be lucky than good.
Is that cos WINDO$$$$$$$$ is SHIT??
I eagerly await your responses.
I was about to post the same remarks, but I couldn't have said it any better.
Choice of words is not "grammar".
Reason just try to do that by the same fault I will not work. Thinking URI is a URL processor Linux has a URL processor and no fault.
This is case of a core function being defective. Over looked facts Number 1 I can call this from a Microsoft Office document with a macro just as simple as mozilla can.
So the flaw is not restricted to Mozilla also Outlook Express and Outlook both have the same flaw point. It had to be fixed. Basically it was a cancer affecting everything linking to a core function what really should not been able to do what it could.
Ie URL is [protocol]://[content] It would be fun to try same fault with a simple click though on Internet explorer O that right they already have.
ie Microsoft created a Protocol call shell Another case of don't trust Microsoft created anything.
I tried to install this patch and it said it was unsigned!!!! Not to be paranoid but how can I confirm this is real? I don't like to install patches that I can't get PGP signed key for or some other method to validate the code.
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
This is a windows hole, not a Mozilla hole. The Mozilla team has just decided to implement a workaround so the windows hole won't hurt you when using their browser. That is also why it only affects Mozilla on windows and why they debated whether to do something about it for so long.
And just right after the HSD recommends people switch from IE to Mozilla...
Bad timing.
---- Booth was a patriot ----
Download the fix here!
Wow, I should not post when knackered.
You can never keep employees from being tricked, but that's a data segregation and HR issue. Only give people information they need and only give sensitive information to people you know you can trust.
Running a free OS like Linux or BSD is a good start. As the current exploit shows, sticking a better browser on top of Windoze does not make it safe from auto exploits. Systems with real user level permissions and a diverse selection of software running are much safer for everyone.
Got any better ideas? Rip your network card out? Go back to IE and its own plugin systems?
Friends don't help friends install M$ junk.
Opera long ago decided to *not* pass on any protocol or scheme to the operating system, except for a few well defined cases (ftp, telnet, mailto). Users of Opera 7 can add specific protocols/schemes manually in the prefs if they want.
Lesson of today: there is always a danger in presenting yourself as 'the safe alternative'. Proper engineering can reduce risks, but there are never guarantees. Not that this example was especially worrying imho: you'd still have to be tricked to visit a specific website that plans to harm you. Not that likely unless you tend to visit the bowels of the web...
If you don't like having choices made for you, you should start making your own. - Neal Stephenson
It requires clicking on a link in order to execute. MS has plainly addressed this vulnerability when it was a problem in IE, and their solution is the same for Mozilla.
ahahaha hahahhah hahahahahahh hahahahaah ahahahahahahaha hahahaha hahahahahaha hahahahahaha hahaa hahahahahahaa haa ahaha ahahahaha ahah haha ha ha ha ha
OMG how I am laughing at you. Yes YOU. You wanker who thinks just because something is "Open Source" that it is made of magical fucking pixie dust and will automatically be secure. hahah ahhahahahahaha
I couldn't possibly laugh any harder... Oh wait, yes I can...
ahahahah ahahahahaha aha hahahaahaha ahahhahahahahaaha ahahhahaahahah ahahahhahahaahahhhahahahahaahahahah hahahahaahahah hahahahahaahah
Stupid hubris ridden OSS sheep!
ahahahahahahah ahahahahahaha ahahahhahahahaha ahahahahahahah hahahahahahahhahahahahahaha hahahahahaa hahahahahahahhaha hahahahahahahahahahahhahahahahahahaahahaaaaaaaa
haahahahahahahahahahahahahahahah
And never mind the fact that most IE exploits have a patch available before they're publicised, while this Moz/FF bug is fucking 2 years old...
ahahahahahahahhahaahhaahahahahahahaahaaha
OMG I am laughing my fucking ass off.
How does it feel to have your whole pretense fucking collapse around you? To know that no-one will ever pay attention to your just-so stories ever again? Pretty bad I think so I just can't help sending you a bit of schadenfreude.
hahahahaahhaahahhahahahahahahaaha
Fucking noobs. OMG this has just made my day. And the inevitable censorship of this post is going to complete it. Can't handle the truth, eh? ahahahahahahahahahahah OMG bliss.
ps. How many mod points you got left, son? It doesn't cost me anything to repost. I know you don't like what I say, but you lack the power to do anything about it! Sorry!
BUT, since I have XP SP2 installed (the latest release candidate), I can ignore 0.9.2 altogether? Or are other bug fixes included in this release?
Having to run a windows site I was once again looking at the ADODB:stream bug and pondering directions to take and look into.
Some of the issues I pondered was if I spent a lot of time ripping out the user access to the non-removable IE, and installing either Firefox, Mozilla, or another browser, or a combination of that or similar.
On the browser side, removal of Active X and the IE gubbins brings security, but also non-working websites. Perhaps a lot of companies are going to move back to the standards that form web rather than MS specific technology. I can't blame them, as most people outside tech areas like slash tend to use or aim for market leading pitches. The bulk of users use IE.
That will continue to be the issue, however, looking deeper into this, I looked at machines and figured I would have to keep IE patched, but in addition, if I roll another product or more, I merely add quite possible extra vectors of concern and attack.
All the browsers go through security and exploit issues, at least from time to time. What I settled on was continuing with IE. Its built into windows, there isn't an easy undo for that.
Somewhere between Sunday/Monday, MS got a patch out. IMHO while this is not perhaps up to the highest levels of OSS error and fix correction, it isn't bad or horrific.
In the main, so long as they deal with issues quickly and provide answers, I can tolerate them. They are not as bad as some make out.
The history of Mozilla is not as bug free and exploit free as much of the recent comments try to indicate. In truth, we will continue to have security issues with software, and it is how the vendor responds that should be critiqued.
AdmV
We`re all equal
I just, I mean JUST predicted earlier today that even releasing a windows mozilla browser was an incredibly bad idea, a short sighted "transitional crutch" I termed it, and using an analogy that it was akin to being an enabler for an alcoholic. I posted it on the mozilla plugins article thread. Last I looked no replies, no mods, but HERE ya go, an example of what has happened, and an indication it will happen in the future as well. Now THIS. LOOK at this. It doesn't matter that this time it was fixed in time, because NO ONE can predict when and how an exploit will be discovered and used. Even though, this time, it wasn't widely exploited, I think it proves my point, that sometime, somehow, someone will figure out an exploit and it WILL be deployed extensively, and it WILL infect a LOT of windows boxes running mozilla, and it will give a serious black eye to open source in general.
Either go all the way to changing the OS AND the browser, do the right thing, all the way, or don't bother, it's naive wishful thinking and at best a finger in the dike stopgap measure to try and make windows "secure" on the internet, and at best an incredible waste of time and resources in the OPEN source coding community. You either support open source, or you don't. You either support windows closed source and their dismal OS and their mafia like business practices or you do not. If you are working for free for Redmond you are nuts, and are doing no one any sort of long term service. You aren't a "little bit pregnant", you either ARE or you AREN'T.
And even with this evidence, no one will admit the huge mistake in making a windows port of moz/firefox. They will keep doing it until they get BURNT BAD.
Waiting for the homeland propaganda......errr homeland security to advise us not to use it.
"If any question why we died, Tell them because our fathers lied."
Is it just me, or are Windows XP and 2000 ***more*** insecure than Win 98?!!!
It seems that just about each "new feature" that Microsoft has introduced into XP and 2000 has allowed a whole family of new exploits!
This is just Microsoft's curse on all "early adopters"!
P.S.
An "early adopter" is anyone who doesn't wait nearly a decade for Microsoft to work out all the bugs and security holes. This time limit seems to be getting longer not shorter, with each release!!!
How long will it take for Longhorn to be secure? Or, maybe Microsoft is going to give up entirely on "ease of use"?!
No, IE is insecure because it's a piece of shit. Had you read the article summary, you might have noticed this is a Windoze problem:
Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000.
The OS is a piece of shit too and you can't fix it by putting a better browser on it any more than you can make a VW bug into a Porsche by upgrading the engine. As the same browser does not exhibit the same problem on other OS, you must conclude the OS is at fault, not the browser.
Apologies to VW for comparing the fine VW bug to M$'s OS.
Pull your pants up now, Captain, no one else is interested.
Friends don't help friends install M$ junk.
Sure, it's a crappy OS that crashes at the drop of a hat, but once again, no one cares enough about ME to exploit it.
The update feature is telling those without a version 0.9.1 that an update exists. This includes 0.9 and 0.9.2 (I just made the .2 install and it still complains).
..." while the file that's linked on the same page is ".../releases/0.9.2/FirefoxSetup-0.9.2.exe".
Also, the webpage that comes up says "Firefox 0.9.1 is the award winning preview of Mozilla's next generation browser.
Looks like whoever set up the notification system read the wrong number.
This is not my sig.
Mozilla does support different levels of trust. For example, a page on a remote website can't create an IFRAME whose SRC points at your local filesystem. A local file can do that. So I don't know what your point is.
This bug is about which Windows HTTP protocol handlers should be trusted. 'shell:' was trusted when it should not have been.
I tried all the links on the test page, but I just got a message-box saying "shell is not a registered protocol". Could it be that I'm using Mozilla 1.4 on Linux?
I won't even bother to mention using streams instead of C library output functions.
RTF specs!
I thought Firefox (and possibly other Mozilla products) had an update reminder?
So does this affect the 7.x releases of Netscape as well?
Anything important is text, so just use a text editor as your browser.
This bug report is about executing unknown protocol handlers in other places except . Mozilla has had for a while now, a blacklist of bad protocols that it should not pass to the OS.
With this patch, "shell:" was added--quickly because the infrastructure was there.
--Sam
It's been almost two months since graduation, and I'm still living on campus, by myself, in a hundred twenty square foot single. I haven't left the building in more than three weeks. Perhaps the Chinese delivery place will wonder why I stopped calling. More likely, they won't even notice, and wouldn't care if they did. My so-called friends packed up and left without saying goodbye, and the only phone call I've answered since then was a wrong number; the other party hung up immediately. I've had all this time alone to absorb the crushing emptiness of my life and let it ferment. I dwell on the horror of solitude, knowing the company of strangers is infinitely worse. Life has spit me out filthy and wet and passed me by with nary a thought. If this comment gets modded down tonight, I am going to kill myself. The method: asphyxiation by carbon monoxide inhalation. The place: the parking lot behind my dorm. Yes, I'm aware Slashdot is not the appropriate forum for this kind of thing, yes, I'm aware of the dripping pathos. Call this a cry for help or whatever you want. I'm sure I'll merit at least a two-line summary in the death notices. -J.D. in NYC
That's not a report of this vulnerability. It's a comment about a proposed change that might have prevented this vulnerability, had it been implemented. At the time, there was no known actual vulnerability that demanded the change.
Sorry, that's not true. It was indeed a report of a vulnerability. The Mozilla team did not fix the vulnerability until an exploit appeared yesterday.
I hate having to say this, but that doesn't sound so different from Microsoft, does it?
The roots of education are bitter, but the fruit is sweet.
--Aristotle
Choose your evil. Internet Explorer or Mozilla/Firefox.
So this is how M$ gets revenge; make the browser itself a security flaw.
That's the shallow reason. The solid reason is that when these things happen in Mozilla (et al.), they're seen as bugs, and they're treated like bugs - SPLAT! When bad shit happens to IE, not only are the bugs far less certain of quick repair, nor is it just that some of them just aren't going to get fixed. It's that basic underlying causes such as Active X's fundamentally broken security model CANNOT ever be fixed. It's borked by design, and not all the Gate's coders, nor all the Gate's men (jumping up and down, damply, still muttering "developers? wherefor art thou, developers?") can ever put poor Mr. Exploder together again.
But don't worry, the next Great! New! version will solve all these problems by refusing to connect to any internet site that doesn't pay danegeld to be part of the Trustworthy Commercial Advantage Network. (some sites may require an additional access fee. please insert wallet for hours of exciting tours of the Gates Museum of Once Useful Old Computers.)
--
I am not anonymous! I am the number six!
I probably would have just installed .9.2, but your tip saved me the time/headache.
When you look at the state of the world, how can you not become a radical, liberal anarchist?
Maybe you should read the specs.
int main(void) is valid in C and C++.
Including stdio.h and calling printf (not std::printf) is valid in C++, although it is deprecated.
Using C library functions instead of streams is entirely valid, too.
Okay, I'm a Firefox newbie but this has to be a common enough question: What the heck is an XPI?
Am I missing the obvious "to install this patch, follow steps a, b and c" readme.txt file which a ready for prime-time product like Firefox should have?
It's not like I'm trying to install fancy blinkenlights or some doohikey that'll let me change the title from "Firefox" to "FireWhizzBang" or something: I'm trying to install an apparently simple security patch.
Shouldn't a patch be a self-extracting, simple to install "Double click this to run" file?
I'll say this for IE: When there's a patch available, I just download, run it and it's done. Do I have to learn the super-secret mystery open-source handshake before I'm allowed to install a frickin >100kb patch?
Not only that, but it's a known (almost) ten year old bug in Windows - the use of the same set of handlers for local and remote services - and one I've been trying to tell people about for that long.
Mozilla and Firefox should NOT be using this functionality, they should be doing ALL their own URL parsing and handling on Windows, Linux, Mac OS X, and so on, because they can *not* depend on the native OS to do security right.
Even Apple doesn't do it right (see how they 'fixed' the help: problem), and Microsoft has refused to fix it on their side even under threat of judicial dismemberment.
From the article:
Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows.
The only way to deal with this is ONLY use external handlers you know are safe, rather than using all but the handlers you know have holes in them. Anything else is just following Microsoft's lead into a decade of virus-mania.
This has been blown way out of proportion by all the paper MCSE's running around here.
Constructive and polite, what a nice little troll. Why don't you fix your problems instead of going back to playing with your Windoze and FUDding Mozilla?
Friends don't help friends install M$ junk.
Here you go.. an obvious, step-by-step guide.
Don't even need to double-click anything, it installs from inside the browser. No need for self-extracting executables.
Although many people have (partly as a result of press coverage) changed to Mozilla/Firefox, not all of them read Slashdot or are technically knowledgeable.
At least with a problem in IE, many users will be patched automatically by the Windows Update process. That is not going to happen with Firefox. To me this lack of automatic updates is much more serious than this individual problem.
Note - I personally use Firefox and not IE.
I am shocked that everyone here is sticking on Mozilla's side. I love Mozilla, and have used it since the beta versions. I install it on mom & pop computers all the time for security. But this is definitely Mozilla's fault. Mozilla should not pass unknown protocols to explorer. IMHO, that defeats the purpose of Mozilla. That would be like coding Mozilla to pass ActiveX controls to Internet Explorer since it doesn't support them.
I treat Mozilla as a standalone app, and I consider that an advantage. I'm not vulnerable to scripting exploits, MS Office exploits, etc. But now I am told it passes some work to Explorer. I consider that a bug. I don't want it to pass everything except shell: to IE. I want it to pass nothing to IE.
The security exposure is apparently due to the fact that Mozilla, running on MS-Windows, will hand off any "URI scheme" Mozilla does not recognize to the OS. This only happens on MS-Windows. Since Windows may (and indeed, does, by default) know about URI schemes that do things you would not want a web page doing (like run programs), this is considered a problem for Mozilla.
I have to agree that this is a Mozilla issue. To use a slightly contrived comparison: I read my mail using UW Pine. If someone sends me a script via attachment in email, I do not want Pine to test and see if the interpreter in the she-bang line is available on the host OS. My OS is not my mail reader; I do not want my mail reader allowing everything my OS can do. Ditto my web browser.
There appear to be at least three Mozilla Bugzilla Bugs related to this (likely a lot more):
#1 = Mozilla Bug 163767 (20 Aug 2002)
"Pref to disable external protocol handlers"
http://bugzilla.mozilla.org/show_bug.c
#2 = Mozilla Bug 167475 (9 Sep 2002)
"Disable external protocol handlers in all cases, excluding <A HREF"
http://bugzilla.mozilla.org/show_bug.cgi?i
#3 = Mozilla Bug 250180 (7 Jul 2004)
"Shell: protocol allows access to local files"
http://bugzilla.mozilla.org/show_bug.cgi?
It appears that Mozilla developers have been worried about this kind of problem going back to at least Aug 2002 (see #1 above). #1 talks about an option to disable external protocol handlers (URI schemes) by default. I have to say that would be the right thing to do. "Secure by default" is the correct approach.
#2 talks about an approach that uses context to determine if an external handler should be invoked. Basically, it assumes that if a user clicked a link, they wanted to invoke the handler; anything that happened implicitly (such as image loading) should not invoke an external handler. I do agree with those who commented (in that bug) that this is not the right approach. It adds complexity, and it still fails to address the fact that clicking a link is not something that should just up and run anything the web page wants. If I wanted that, I'd use MSIE.
#3 is a reference to the "shell:" URI scheme in particular being abused this way. It blocks the "shell:" scheme to prevent that abuse. It does nothing to prevent abuses of other possible schemes, though. I suspect we may see this "feature" of Mozilla rear its ugly head again in the future.
This is not a failure of Open Source in particular. Nor does it prove Mozilla is crap or Microsoft is okay after all. It means that people make mistakes. This should not surprise anyone. Stop pointing fingers and fix the problem.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"Agreed. It's not really a bug in the browser, it's a flaw in Windows."
I disagree. I feel this is a Mozilla problem. (It may be a Windows problem, too, but that's not the issue here.)
Let me explain in terms of Linux, another Slashdot favorite:
I run mainly Linux on my home and work PCs. The Linux OS looks at the start of any executable file to determine how to run said file. If it recognizes a particular "magic number", it invokes the appropriate handler (ELF, a.out, Java, etc.). If it recognizes a she-bang line (first line starts with "#!" followed by the path to a program), it will run that program. Otherwise, Linux feeds the executable to the default shell (/bin/sh) and hopes for the best.
The fact that my OS can do all of these things does not mean I want Mozilla to do them. If I click a link that leads to an executable file on the web, I do not want Mozilla to hand-off the executable to the host OS (Linux) to see if Linux can find a way to run said executable.
Make sense?
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
nice, doesn't seem to work though. says there are no updates, or it couldn't find any, something like that. for both methods you suggested (and for several other plugins i've got installed). anyone else got firefox's auto-update to work?
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
Blocks the protocol that triggers the problem. Basically gives mozilla a handler for the protocol that is required for the problem to work that leads nowhere but to a void.
Now 6k has to be one of the smallest browser patches I have ever seen. Question: what is the smallest IE patch???
Please note Microsoft created this protocol. All protocols used in URLs should never have this fault; the risks are too high.
The real difference between them ...
... what the hell!
When a bug is found in IE, everyone blames Microsoft.
When a bug is found in Mozilla, everyone blames Microsoft.
hey, wait a minute
George Bush + Linux = "I will not let information get in the way of the fight against Windows"
Last weekend, I converted three people from IE6 to Moz FF 0.9.1, based on the facts that it's more secure than IE.
I'm pretty sure you mean 'based on the claims' rather than facts.
This exploit and patch pretty much proves that Firefox is not more secure than IE, something I was trying to tell slashbots last week and got flamed for.
Those points are all inflammatory, that -1 moderation is deserved.
One man's selflessness is another man's annoyance.
Could it be that IE and Windows itself are not simply just shoddy products, but are actually under more scrutiny than their nearest competitors despite the fanboy rantings to the contrary
No, IE and windows ARE just simply shoddy products AND they are under scrutiny. I thought that was painfully obvious to everyone by now.
What happens to the people who use the shell: feature? shell.com?
Georgia
I just read (on the Mozilla marketing list) that Firefox 0.9 improperly imports old profile data if you are using the Mac OS X version. This causes a loss of your old profile data.
So if you are using Firefox on Mac OS X, I would not upgrade to the 0.9 version until a new incremental version with a fix for this bug is released.
Update: This loss of profile data only appears to occur if you are migrating from a nightly build that was created between the 0.8 and 0.9 releases to the final 0.9 version. If you are upgrading directly from the 0.8 version to the 0.9 version (on Mac OS X), you should not have this problem.
Support Texas Troops use TXGoogle
Well, I have a policy that, when writing about mispellings, I always misspel the word "mispel".
;-)
(And it's fun when people attempt to correct me.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Well, everybody always says the Open Source movement is always trying to play catch up with proprietary software. This is obviously a case of Mozilla/Firefox feeling left behind by IE's apparent hold on the security flaws market.
[growls]We're coming Microsoft.[growls]
Yeah. But where is the auto-update feature for Firefox á la Windows XP, OS X, YAST or Up2date?
The French word à is spelled with a grave accent, rather than an acute one. If you're going to spell things like a smartass, at least get them right.
I hereby place the above post in the public domain.
So the bug affects Windows 2000? How come the fix on the site is only for XP? I can't seem to run the .xpi file on this 2000 machine.
Here's a fun example of how IE gets it right
That depends. While what you say is true, and it does not execute it also shows a lot about the thinking at MS. Mozilla hands off protocols to windows in a simplistic way because it is not a part of the OS - just as any other program does. IE by contrast has the concept of zones, and each zone has certain things which may be allowed or disallowed depending upon various security levels. This makes the IE security model much more complicated than it should be, and for most people hard to understand. And there have been more than enough problems with IE being confused as to which zone it's in, and enough exploits taking advantage of it.
Mozilla's fix is simple because what it does is simple. I'm not apologizing for the mozilla team here, and in fact I think it's sort of pathetic they just let this problem lay around for 2 years instead of just disabling the shell protocol to begin with. But if IE does anything right, it certainly is NOT the concept of security zones.
Damn right. This is a major screwup, and proof that in fact IE does it better than Mozilla should make them act a little more humble next time.
The fact is there are os calls that can write over any user-owned file. And Mozilla can call them (if it couldn't it would have some trouble downloading things or saving the bookmarks!) This does not mean that a hypothetical bug by which Mozilla can be told by a web page to overwrite a file is a bug in the OS because somehow those files should have been protected by the OS. The bug is in Mozilla, which knows exactly where the request came from and is the only program in a position to figure out if it is safe.
Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities.
I love how you're making excuses in the post before the non anti MS people can even get to you. Nobody is perfect
years of windows people bragging on the sheer numbers of applications out there, that you lack for absolutely nothing, that there doesn't exist a way to automatically check all your installed applications and update them?
I don't know, don't use windows, I just find it strange that an obvious functional application-checker-updater like that hasn't been written and been released.
Is there some way I can disable them all?
Request your free CD of my piano music.
Safari can't open "shell:windows" because Mac OS X doesn't recognize Internet addresses starting with "shell:". Oh, wait...
Thanks!
Unfortunately, I don't see the "Software Installation Window" mentioned (which would have provided the obvious answer in the first place).
Looks like I'll need to do a little poking around to figure out how I get that window to appear. At least now I know what I'm looking for! Many thanks.
Ah! Quickly discovered: I had "Allow web sites to install software" disabled.
XPI files now work smoothly and patch without a problem.
MS try to keep security updates very hush-hush until the latest worm has spread enough for them to be unable to deny it any longer...
Think I'm being harsh? Try reading some security mailing lists... ms policy is to deny the existence of the problem claiming its not exploitable so they won't fix it, until there's a proof of concept or actual exploit in the wild...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
No one said was invalid. main(void) is ENTIRELY different from main(), however. The grandparent is correct; it should be int main(void). (Whether it is mandated by the spec that it can't be main() I don't know, but it's certainly less correct than either main(void) or main(int, char **) ).
This is the best and most extensive summary so far
Ahem, Michael Moore is the Sen. Joe McCarthy of the left, thank you very much!
Good old rush doesn't attack without having at least one solid, inarguable fact.
This also works on v0.8 on Firefox. I went back to 8 after trying out .9.1... but there are just too many graphic related bugs (download box, extensions boxes are often blank, themes screw up and give me a blank bar even though they're "compatible")... and yes, I did install FF into a new directory after uninstalling the old. I think I'll wait for 0.9.5 or whatever.
But yes, older FireFox users should have no problem using the ShellBlock patch... regardless of what some people have said in the forums about compatibility. It simply disables the shell: call as described above.
now I have to write exploits for TWO different browsers. Damnit!
To all the people talking about how it's hypocritical to say a security flaw like this is no biggie for Mozilla and rant and rave on about a similar flaw in IE, think about this:
* Internet Explorer 6
* Firefox 0.9
Note the difference? Well, if you can't - basically Firefox is still not a 1.0 product - one that's ready to ship, whereas Internet Explorer is up to 6.whatever... one is a product that has been released, the other is still undergoing development.
Plus, the flaw only affects Windows systems, not Mac or Linux or whatever systems so the blame also partly lies with Microsoft.
I rest my case.
Choice of words is not "grammar".
:P
I think you meant to say "Grammar does not have anything to do with words." Grammar is structure, not presentation, and therefore this statement is true. However, your original statement might suggest that one's particular choice of a word, which involves selecting an adjective or an adverb, has nothing to do with grammar - this is far from true.
If you are going to be pedantic, please put your periods INSIDE the quote!
I'm sorry, but all the postings suggesting that this is a Windows bug that was simply inherited by Mozilla are complete crap.
For whatever reason, Windows has a protocol handler called shell. Big deal. Not the issue.
The issue is that the developers of Mozilla who discovered this hole -- way back in 2002 -- decided not to do anything useful about it.
This is no more a "bug" in Windows than is the format command, fdisk, or command prompt. The fact that a browser opened the shell up to a whole world is certainly not Microsoft's fault.
What's next? Someone writes a game that accidentally deletes your My Documents folder, and we blame Microsoft for allowing that to happen too?
How about blaming Microsoft for allowing senior citizens to be duped by fraudulent eBay scams? Let's blame them for Nigerian 419 scams too. Outlook Express should be more secure!
-David
the mozilla download seemed to be, well, slashdotted.
of course, I'm assuming the patch works, if you remove the space between "...extern" and "al.shell".
Yow! I'm supposed to have a plan?
The funny thing is that I'm sure most mozilla users clicked on the link and updated their machines. Whereas if this was an IE report, at least half the users would have just accepted the security hole and waited for windows update to fix it (if they even run windows update).
I see arguing about black and white lists and whether or not Mozilla should pass off requests for URI's it does not know about...
Why not implement a preferences option that says:
Pass off URI handling to the OS for protocols unknown to Mozilla ?
Then you can implement a black list AND a white list and let the user decide.
Black List = Allow Everything BUT these to pass to the OS
White List = Only allow these to pass to the OS
Spend a week and a half amongst developers what the Default option would be, and release the code. Maybe even set up a site with an FAQ and a listing of URI protocols.
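The two policies argued over in this thread (pass every unknown scheme to the OS except a blacklist that now includes "shell", versus pass only a whitelist of known-safe schemes), shown side by side as an added example that is not part of any comment and is not Mozilla's code. The scheme sets, the function names and the `exampleapp` scheme are assumptions made for illustration.

```python
import re
from enum import Enum

# Schemes the browser handles itself and never hands to the OS (assumed set).
INTERNAL_SCHEMES = {"http", "https", "ftp", "about"}

# Blacklist policy: everything unknown goes to the OS except these.
BLOCKED_EXTERNAL = {"shell"}

# Whitelist policy: only these may go to the OS (assumed set for the example).
ALLOWED_EXTERNAL = {"mailto", "telnet"}

# RFC 3986 scheme syntax: a letter, then letters, digits, "+", "-" or ".".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


class Decision(Enum):
    INTERNAL = "handled by the browser"
    EXTERNAL = "handed to the OS handler"
    REFUSED = "refused"


def extract_scheme(uri):
    """Return the lower-cased scheme, or None if the URI has none.

    Tabs and newlines are dropped and the result is lower-cased before any
    list lookup, so 'ShElL:' and 'sh<TAB>ell:' cannot slip past a comparison
    against 'shell'.
    """
    cleaned = re.sub(r"[\t\r\n]", "", uri).strip()
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def decide_blocklist(uri, blocked=BLOCKED_EXTERNAL):
    """Default-allow: refuse only the schemes known to be bad."""
    scheme = extract_scheme(uri)
    if scheme is None or scheme in blocked:
        return Decision.REFUSED
    if scheme in INTERNAL_SCHEMES:
        return Decision.INTERNAL
    return Decision.EXTERNAL


def decide_allowlist(uri, allowed=ALLOWED_EXTERNAL):
    """Default-deny: hand off only the schemes known to be safe."""
    scheme = extract_scheme(uri)
    if scheme is None:
        return Decision.REFUSED
    if scheme in INTERNAL_SCHEMES:
        return Decision.INTERNAL
    return Decision.EXTERNAL if scheme in allowed else Decision.REFUSED


# Constructed sample input; "exampleapp" stands for any handler some other
# program registered with the OS that nobody has put on the blacklist yet.
CONSTRUCTED_URIS = [
    "http://example.org/",
    "mailto:user@example.org",
    "shell:windows",
    "ShElL:windows",
    "sh\tell:windows",
    "exampleapp:open?x=1",
    "no scheme here",
]


def compare(uris=CONSTRUCTED_URIS):
    """Return (uri, blacklist decision, whitelist decision) for each URI."""
    return [(u, decide_blocklist(u), decide_allowlist(u)) for u in uris]


if __name__ == "__main__":
    for uri, by_block, by_allow in compare():
        print(f"{uri!r:28} blacklist: {by_block.value:26} whitelist: {by_allow.value}")
```

The only row where the two policies disagree is `exampleapp:`, which is the case the blacklist cannot cover until someone adds it.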
I don't really see how the shell URL handler is useful anyway. You can probably remove it (or rename it, if you don't want to permanently change the system in a way you can't back out of).
As always, go into HKEY_CLASSES_ROOT, find the lone entry called "Shell" and just rename it. Maybe to shell_something.
Mozilla won't hand it off anymore, because it won't find the shell: handler as provided by XP.
Is there anything that breaks after this permanent fix?
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Opera allows one to pass various schemes onto the system however one needs to decide explicitly to do so. I personally don't want all explicit schemes to be disabled unless there is an easy enabling mechanism, given that I have written my own protocols that I want to interact with from the browser, and which I don't want to have to put in the time and effort to learn how to extend each browser to work with a custom protocol.
There are two programs: one is the OS, the other is a user program, connected to the internet. There are four possibilities for (this part of) how they interact:
* Neither of them checks to see if the input is coming from a trusted source: Obviously bad, as was the case here
* Just the user program checks to see if the data is trusted: Provides the security, but means this has to be implemented in every single user program
* Just the OS checks to see if the input is trusted: Provides security, and only needs to be implemented once
* Both the OS and the user program check to see if the input is trusted: Redundant, though arguably more secure
If you're paranoid, you should have both of them check to see if the data is trusted, otherwise just the OS should check.
My diagnosis is that this is a severe bug in Windows and is Microsoft's fault, however, since it was there, Mozilla should have blocked it from showing up.
The fact that once they realized it could be a problem they did block it is only a good thing.
There are 11 types of people in the world: those who can count in binary, and those who can't.
Everyone here touts all the Moz products are drop-in replacements to all the MS stuff and demands that we all use it. To suggest that it is now not ready for prime-time is not only a complete reversal of what everyone is saying, it is indeed hypocritical.
To suggest it is Microsoft's fault shows not only an uninformed bigoted opinion, it also shows ignorance. If you actually read the report, it was based on how Firefox uses shell in Windows. Name one other Windows platform software that is affected by the same issue. NONE! Why can't you just admit that the Mozilla developers goofed on this one and get over it? At least it doesn't get a weekly vulnerability each week like MSIE does.
Case closed, idiot.
"Take the URI file:///c:/windows/system32/mspaint.exe Type it into the Address bar of IE - it works. Toss it into a webpage on the local machine and click on it - it works"
Doesn't work on mine. I see VERY few good reasons to need to be able to launch/download applications (or download fonts and run active script etc) from a local html page and thus I have disabled those options in the My Computer zone. I've also set things up so that copying and pasting gives me a prompt too.
Change the Flags to 1 in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
And the My Computer zone becomes configurable.
However do note that windows explorer seems to rely on activex or active scripting IF you are not using the classic view.
yada yada yada. Just install the patch and mozilla's still great. The more people who use mozilla-especially developers-the more people who can fix bugs. That's the best reason why mozilla is more secure-it gets better as more work on it. Imagine thousands of people not just reporting bugs but also with the ability to fix them? That's something even Microsoft with its billions of $ simply can't compete with. And the modularity and extension features of Firefox means it can evolve and benefit from such parallelism even faster than before. Small design team, thousands of maintainers:that's the key to success.
arielb
Umm. How does this differ from IE running malicious ActiveX-components, which is considered to be one of the major security flaws in IE?
So, MS is bashed for having a bad security model since IE can run all sorts of bad code without user knowing it. If Mozilla does the same thing, it's again MS's fault? Come on... this smells like double standards to me. One standard for the mean, mean Microsoft, and another one for the good guys of open source.
This particular flaw may be in the Windows, but based on your explanation the security model of Mozilla doesn't seem any better to me than the one implemented in IE.
When I download a WEB browser, I expect by default to be able to browse the web. That means, to me at least, http: and https:. If I want to enable anything else (and I'm going to go a long way here by possibly permitting ftp: by default...) I want it to be because I have enabled it. Hell, I don't even want possible exploits through the browser being able to examine (by default) the local file system via file:.
Fuck Windows with its happy "universal-everything-handler" URLs. My kitchen sink doesn't start freezing its water when it's decided that actually, I put the meat in there to keep cool, not to defrost. Please give me a prize for stupidest analogy of the day, but you know what I mean. Right, 9am, time work.
You speak about this bug
http://bugzilla.mozilla.org/show_bug.cgi?id=167473
Vote it, fix it!
Then the points should be argued, not censored. Thanks for playing.
I think, #2 is right approach. Invoking external handlers in is nonsense and should be denied.
See also:
http://bugzilla.mozilla.org/show_bug.cgi?id=229168
Of course, I mean this.
GRR. I don't want to know what XPrint is. When do I get print command support back?
While surely this is a Windows bug, as is a normal procedure to pass to the OS the unknown protocols, Mozilla shouldn't really care of rtsp://, mirc://, and what not protocols. There are apps designed to handle that, and they register as helper apps for those protocols, so why Mozilla shouldn't trust them? How would Mozilla ever imagine there was a shell:// protocol? On the other hand it should probably do a white list of common protocols and issue a warning when clicking on an unknown one. If the user is just going to click OK on whatever he see, it becomes user's fault. The white list shouldn't be required, but it is in the moment you interact with components you don't know about. Think if they make a silent work registering for the URIs imaworm:// allowing attackers to do almost anything and the user wouldn't know if he doesn't see any significant slow-down, data loss, until they go on a malicious page. A browser shouldn't really whitelist anything more than http://, ftp://, rtsp:// and mailto. All the others should be user choices
most of the answers moderated up around here are only wishful thinking .. people just love to fool themselves into "firefox is safer", no matter what ...lets see some samples
-- Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities. ... plus this is like saying : i know i eat approximately the same shit as the other party, but im way better because mine gets no attention.
i wont bet a single cent on that
-- This incident underscores why many use or have switched to Firefox: vulnerabilities discovered and promptly fixed. Not weeks and months from their publication--and not by another vendor--this exploit was addressed by those who have made available Mozilla's code for public scrutiny.
as Microsoft demonstrated in maaaaaaany occasions, IT DOES NOT MATTER how fast you release the patch.
-- This isn't really a fix for a security problem in Mozilla, it's a workaround for a security problem in windows. .. but it sounds like : i live in an apartment building and its administrator's fault that any burglar can break into my apartment bare handed... so easy to blame "the other guy"
it may be so
and so on.. and so on. ... i use it since the first version and this week i got the first pop-up and pop-under windows that somehow managed to slip through firefox' block mechanism ... and now this embarrassing flaw .. sadly, it seems that going mainstream its enough to evaporate the "security" of ANY application.
going mainstream was not exactly benefic to firefox
"There is nothing more frightful than ignorance in action." Johann Wolfgang von Goethe
They advise you to install an extension to prevent untrusted sites hijacking your browser, and in the window that says 'we do not advise that you install unsigned extensions' it shows you that the extension is unsigned!
Come on Mozilla, get with the program!
Mark
Liked this comment? Why not buy me something nice
A one line patch to a default option and the Mozilla Foundation releases complete new builds of its products. That's the right way to go.
I'm still waiting for MDAC 2.8 SP1 incorporating the MS04-003 security patch.
And a Directx 9.0c incorporating MS04-016.
Are you guys crazy???!!! Mozilla had a remote code execution bug for ***2 years*** and no one fixed it! And, don't give me that junk about the OS shouldn't take the request so its really MS's fault - what do you think the OS is for?? It's there to execute programs, so of course it will have functionality built into it to execute code. Simply, a web browser should never, ever, ever pass a code execution event off to the OS just because a web site tells it to - that is really dumb! If the browser doesn't know what to do with an event, it should ignore it or give an error, don't just trust it and pass it on to the OS.
that is the tale of open source developers...
This is off-topic, but nonetheless should be of interest to mozilla users who are forced to use Outlook at work. Even more so for people who use linux at work and are forced to access email via Outlook Web Access (sob!).
Mozilla support for exchange servers (without IMAP) looks like it should now be implementable.
Bug 128284
Please vote for this bug if you desperately _desperately_ (like me!) need support for exchange!
it did not sit for 2 years. the correct bug is 250180, which is 2 days old.
I'm still using Moz 1.5 on Windows[1]. I can't find any information about which versions of Moz contain this vulnerability, nor any information about whether the patch provided applies. Given that 1.5 isn't exactly an old version by any real-world standards, it's disappointing that it (and other recent releases apart from the latest) appear to be so poorly supported. Can anyone provide more information for these apps?
[1] This is mostly because I tried to install 1.6 when it was first released, and it irretrievably toasted my e-mail database and profile. FWIW, I'd successfully installed every .x version since 1.1, so I had some clue what I was doing. It was just broken, seriously enough that I will no longer trust updates to the Mozilla tree. I'm now waiting for Firebird/Thunderbird to reach official release, in the hope that tools for migrating Mozilla profiles to those apps will be independent and thoroughly tested.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Microsoft-style? WTF? I am no fan of MS, but have you ever worked in the software industry? Sweeping bugs under the rug is the way things are done, period. I have been doing QA/Testing for 10 years, and it is like that all over the place.
And I am not necessarily passing judgement on it either, because software development is about mitigating risk. You have to balance all the aspects of software development, you can't fix everything. Here is how software projects work: (think of it as a grid)
            Optimize   Constrain   Accept
Cost
Schedule
Scope
Quality
From the items on the left, you can optimize one, constrain one, and accept the other two. Usually, it is optimize scope, constrain schedule, and accept the cost and quality. But for places like NASA, I am sure it is not like that at all.
This is reality.
My beliefs do not require that you agree with them.
Anyone know if it is easy enough to block this exploit with squid? (Without blocking articles that mention shell:) We just finished rolling out 0.9.1 and would really like to avoid another rollout so quickly.
What do you want me to tell you? And if you rename it to something obscure, how is an exploit writer going to guess what it is? It has to be put on a website, he'd better make a guess that affects more than one individual...
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
No, there is too much. Let me sum up....
From what I'm seeing, two schools are puddling on this: one that claims Moz isn't responsible for handing off a protocol to the OS that it doesn't know what to do with (i.e., MS's fault) and the other claiming Moz should know better to do exactly that -- that if it doesn't know what a protocol is doing it has no business passing it on to the OS (i.e., Moz's fault). From the sound of the upcoming fix, it appears Moz feels the latter to be true, since in the future fix it's going to do exactly that: not just hand off something to the OS unless it meets a specific "white list" instead of what it was doing which was handing off anything to the OS unless it met a specific "black list."
Please forgive my lack of gray matter. They said only the weak cells would die....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Users expect to be able to launch other protocols from a browser. Examples: mailto: , irc: , news: , rtsp: etc etc. The interface provided for this is to pass them to Windows. However, at the same time, there are protocols registered that are not secure - vbscript: , shell: etc. which should never be launched by the browser. The problem is, the interface is exactly the same.
This implies that a browser would have to constantly keep a whitelist/blacklist and would still run into new and unknown protocols. The entire concept is flawed. Give the Mozilla people some way to determine which protocols they should launch and not, and they will follow it. Something like zoning, because it is not Mozilla's job to be aware of every protocol on windows, past, present and future.
Kjella
Live today, because you never know what tomorrow brings
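The blacklist and whitelist hand-off policies argued over in the comments above, together with the "ask the user" option, as an added example (not code from Mozilla or from any poster). The scheme lists and the set of OS-registered handlers are constructed for illustration; imaworm is the made-up scheme one commenter used.

```javascript
// Added example: deciding what to do with a link whose scheme the browser
// does not implement itself. Every list below is constructed for illustration.

// Schemes the browser handles internally (assumption for this sketch).
const INTERNAL = new Set(["http", "https", "ftp"]);
// Deny list: schemes the thread names as unsafe to launch from a page.
const DENY = new Set(["shell", "vbscript"]);
// Allow list: helper-application schemes the thread names as expected.
const ALLOW = new Set(["mailto", "news", "irc", "rtsp"]);

// Constructed stand-in for the OS handler registry. "imaworm" is the
// hypothetical handler a commenter imagines being registered silently.
const SAMPLE_OS_HANDLERS = new Set(
  ["mailto", "news", "irc", "rtsp", "shell", "vbscript", "imaworm"]);

// Constructed sample links; the text after the colon is a placeholder.
const SAMPLE_LINKS = [
  "http://example.com/page",
  "mailto:someone@example.com",
  "shell:PLACEHOLDER",
  "  SHELL:PLACEHOLDER",      // same scheme, different case and padding
  "imaworm:PLACEHOLDER",
  "gopher://example.net/",    // no handler registered in the sample registry
  "page2.html",               // relative link, no scheme at all
];

// RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
// Schemes are case-insensitive, so normalise before any list lookup.
function schemeOf(link) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(String(link).trim());
  return m ? m[1].toLowerCase() : null;
}

// policy is "blacklist", "whitelist" or "prompt".
function decide(link, policy, osHandlers) {
  const scheme = schemeOf(link);
  if (scheme === null) return "relative";        // resolved against the page URL
  if (INTERNAL.has(scheme)) return "internal";   // never leaves the browser
  if (!osHandlers.has(scheme)) return "no-handler";
  switch (policy) {
    case "blacklist":                            // pass everything except DENY
      return DENY.has(scheme) ? "block" : "handoff";
    case "whitelist":                            // pass only ALLOW
      return ALLOW.has(scheme) ? "handoff" : "block";
    case "prompt":                               // both lists, user decides the rest
      if (DENY.has(scheme)) return "block";
      return ALLOW.has(scheme) ? "handoff" : "ask-user";
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Links a policy would pass to the OS without any user interaction.
function handedOff(links, policy, osHandlers) {
  return links.filter((l) => decide(l, policy, osHandlers) === "handoff");
}

// Print a side-by-side comparison when run directly.
for (const link of SAMPLE_LINKS) {
  const row = ["blacklist", "whitelist", "prompt"]
    .map((p) => p + "=" + decide(link, p, SAMPLE_OS_HANDLERS));
  console.log(link.trim().padEnd(28), row.join("  "));
}
```

The blacklist column is the only one in which the unlisted imaworm handler is launched silently, which is the fail-open behaviour the whitelist side of the thread objects to.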
After reading the comments on the front page of the update page, I've decided to pull Firefox from our corporate network.
After release, I'll review the decision.
Feel free to read the comments and determine for yourself if this is a sign of enterprise ready software.
NCSA Mosaic?
I'd avoid it.
I believe it launches downloaded documents without asking for confirmation from the user.
Also, Internet Explorer was based on it. That ain't a good recommendation.
See, it's like this. . .
Tools are not just tools. Yes, people are getting rather worked up; in looking over the posts here, I've seen those who are laughing maniacally and pointing and name calling. I've seen others throwing up walls of denial, etc. I mean. . , Wow!
The natural response is to say, "You are not your tools. You are not your clothes. Get over it!"
That's wrong, though. We all know this on an instinctive level!
Everything you do is an expression of who you are. You are what you eat. You are the truths or lies that you take into yourselves and embody, and give power to.
For my part, I like to use the tools which break down least often, and get the job done with the fewest hassles and hangups. But I also want my tools to work in the same spirit that I strive to.
I'm very glad that Mozilla exists. It's not perfect, but the rise from Netscape's original and highly unstable browser has been continual and very positive in many, many respects. It has been a fun and friendly ride! Support is community based and highly effective, rather than a hierarchical and lumbering (and largely ineffectual) system like Microsoft's.
--The best part about Mozilla is how it seems to manage to be almost entirely free of corporate greed and the desire to manipulate people and the welfare of the information universe for selfish purposes. This might change at some point, but at the moment, Mozilla seems to be pretty darned clean. Whereas, the life blood of Microsoft is that of Greed, based on the fear of losing power and control; this taints all they do. Mozilla, and similar projects provide an alternative way, not just a way of programming and making software, but of how to exist. Open-source, community-based software feels nice to use and it does so for a reason. Those are feelings you can trust. Open-source creates and concentrates vast human powers and it does so using a system of collaboration and sharing, and thus no need for Greed as a motivating force. Greed sucks. (Literally!) The opposite is very uplifting, in many ways. Constantly-improving software which is given freely to anybody as it is required. . ? Why do some people hate this so much?
Well, there is an answer to that of course, but none of those who hate Open-Source are able to stand the answer. It's an ugly answer, after all. It's an old division, and it delineates people in very obvious ways. The world is at war right now, on many levels because of those very same forces.
Interestingly, the world in many, many ways is moving unstoppably towards a paradigm based on non-greed, non-selfish shared resources. This will spell the end of centralized power and men like George Bush and all that they represent. The only problem is that there is going to be a massive melt-down as the old, dark structures which make up most of the world collapse under their own morbid weight. We are seeing the beginning of this, and our current masters, sensing that this is coming, are cranking up the controls to increasingly high levels, knowing that if they lose control, they will be ended. They are working from fear, and the conflict is going to kill many of us. It has already started and it is going to get a lot worse. But is a natural process, not one to be feared.
The lesson we all can learn through such simple means as community produced software are far, far more powerful and far-reaching than most people are capable of realizing.
We are literally learning the tools necessary to survive in the coming age.
In my case, I'll continue using my rusty old copy of Win98 until I finally decide to tackle the Linux learning curve and re-acquire all the software I need. (That is, change my library of tools into 'open-source' as opposed to 'pirated'.)
I figure the whole process will probably take about two weeks of screwing around, and another series of hiccups as I settle into the new 'reality'. --After which I'm sure I'd
is there a better/quicker way to install the patch?
Telling my users to go folder X and then double click on file Y would be a lot nicer than having to go to all their machines.
Yes, I know, it's not at 1.0 yet. It's just constructive criticism.
A clever person solves a problem. A wise person avoids it. -- Einstein
The Mozilla team and some of the posters, should be embarrassed by the attitudes displayed here and in the bugzilla threads when this was reported back in **September**. I recently recommended Firefox to my parents, but now I think that was premature. The team doesn't have protecting my parents in mind.
Several things were missing from the response:
* The charge to protect regular, unsophisticated users. Regular users do not care whose fault a wide open security hole is. They only care whether they are safe when they are acting reasonably. In this case they weren't, but the team was ok with that for months.
* Security without usability is like a parachute you are not wearing. The Register article was the easiest way of finding the advisory and fix, imho. 1) Back in September, how did the team think I was supposed to know to disable shell: scripting? ESP? Reading all of bugzilla? 2) Where in fact would I have done this? Certainly nothing easy to find. 3) Even today, where is the super prominent link on the home page? Why does the home page (http://www.mozilla.org/products/firefox/) link to the 1.9.1 page, not the 1.9.2 page?
* Put products before the blame game. Why should mozilla not be embarrassed? There's a known hole in windows, that is only a problem when an untrusted source has a channel to access it. Mozilla provides that channel. Again, from a user perspective, who cares?
The community has lost a lot of trust with me today. Looks like a team that is no longer ready for prime-time.
the bug is on windows only versions of mozilla/firefox/thunderbird.
other operating systems aren't affected
.....is yet again strengthened.
Replace for a second all IE installations with Mozilla in your mind. Can anyone see the impact of this *small* glitch?
Which is why the old age theory that if you are highly visible, you'll also be a primary target still stands strong. You'll have to fend off relentlessly those who want to break you.....and like Troy, someone with Achilles smarts will find a way to breach your walls. Does that make you dumb? Incompetent? Uncaring? Reckless coder? Not at all. It's just that the more you get attacked...the better you build your walls.....or else, you'd just stick with a fence to keep the sheep away from shitting in your yard. I think holes like this can and should be expected as other versions of browsers start to become significant in their relevant markets. Welcome, and please take a moment to analyze the pain MS has been going through for a long time now. Popularity does come with a price. I am a Mozilla and Opera user. I like both browsers. But I never slept on the fact that they are *100% secure* and I had nothing to worry about. The question running through my mind was: When? When will someone find a hole. And how well prepared is the Mozilla team to handle it? Fix it. Let me update it. And get me on my way. I want them to be the Ferrari pit stop team....and I am their Schumacher. In retrospect...a fix will do however. I also stand by the fact that we do not know software deeply enough to build it bullet proof. The art of 1 and 0 is far more complicated to understand, work with and perfect than it might seem. Only when we've perfected the way to test what we build will we be able to perfect writing good software. Buildings and railway tracks for example are checked inch by inch by live human engineers, which is why they (almost never) fail. In the software world we don't have the ability to send a human at a port entrance and examine each 1 and 0 that comes in and goes out. We have (already buggy) software that does that. So we go back to step 1. In time it'll all get better.....but now is definitely not that time.
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
We can not allow reporters to simply throw Mozilla in the heap with IE -- any mention of similarities must fairly address the significant differences.
For example (my CNET feedback)
Hi John, Rob;
Since you are drawing similarities between the security exploits of Mozilla and IE ("Like recent Internet Explorer vulnerabilities...") you need to fairly and specifically address the differences between the way the Mozilla Foundation and Microsoft have issued security patches.
Please don't lead your readers to think that Mozilla and IE are more similar than different.
Thanks for your consideration.
Name City, State
Tell me you're kidding. Do you even read Slashdot? If you believe what the majority here says, all OSS is infallible. Hell, that whole "many eyes" factor should have come into play here and the hole should have never existed. Right?
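// Get the preferences service, then stop handing shell: links to the OS
var prefs = Components.classes[ "@mozilla.org/preferences-service;1" ]
    .getService( Components.interfaces.nsIPrefBranch );
prefs.setBoolPref( "network.protocol-handler.external.shell", false );
// Read the value back; it should now be false
prefs.getBoolPref( "network.protocol-handler.external.shell" );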
Note:
-- wil
Not that this example was especially worrying imho: you'd still have to be tricked to visit a specific website that plans to harm you. Not that likely unless you to tend to visit the bowels of the web...
You mean like [img src="shell:...] in a spam e-mail?
Yes, but when you know that the security model for windows isn't by definition as secure as linux... you should code around that concept.
Coding an application for windows Vs coding an app for linux is different. Privilege separation is one issue, and there are many others. Just because you are coding an application that works similarly on both doesn't mean that they have to be exactly the same, because the operating environment isn't.
Mozilla should make their security bulletins more prominent on their web site. Near the top. It is not even there on their firefox page, which I use as my home page. I only found out about it today.
It is nice that the patch is available already.
-- I ignore anonymous replies to my comments and postings.
RTFP. The parent didn't claim that the minority of OSS people and fanboys accept that OSS isn't infallible. They said that the OSS COMMUNITY doesn't follow that way of thinking. They work on their projects and try to improve on them, not sit back and claim the bugs are features.
I was replying to an AC, maybe it's below your threshold. He said "int main() is invalid, it should be int main(int argc, char **argv)". Obviously implying that it should not be int main(void) either.
I was pointing out that int main(void) is valid and equally preferable to the longer version, in the eyes of the standard (in the eyes of me, the short version is preferable if you do not intend to use commandline arguments).
"the only thing I see at this point is that they need to start maintaining a black list of protocol schemes"
Arggh! No! They (the Mozilla developers) should assume everything external is dangerous, because they have no control over it. Mozilla should prompt the user with a variation on the same "Save/Open/Cancel" dialog they use for other external handlers. That way, the user has to take a very specific action to invoke an external handler.
This doesn't solve the problem of stupid users (who will open anything), of course, but that is not a Mozilla problem.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"this is the way the OS asks applications to behave"
Where does Windoze ask that applications should run anything they find, from any source, any way they can figure out how, without asking the user first?
It must be the same place that Linux asks applications to run anything they can find in the /etc/mailcap without asking first. (BTW, Mozilla does not do that, because it would be dangerous. What a concept.)
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"This is not an executable, it's an URL (or at least it looks like one), and Windows is supposed to handle it as an URL."
I don't see anything anywhere that says "URLs are always safe". Please point me to the section of some document where that is claimed.
"An URL firefox doesn't understand could be news: - and calling Windows' URL-handler is supposed to open the news reader."
Right. And I don't want Mozilla opening any external program without asking first, unless I've explicitly told it to do so. Period. It doesn't do that on *nix; why does it do that on *doze?
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"The fact that once they realized it could be a problem they did block it is only a good thing."
Unfortunately, it appears it took Mozilla at least two years to fix this problem.
See my comment here for details.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"you're not differentiating between a protocol handler and /bin/sh... this is just silly."
You are required to do more than just say "this is just silly" before one can reasonably say you have submitted sufficient evidence to justify an argument.
What is the difference between a "protocol handler" and a "script interpreter" in this discussion? Both are programs which handle data Mozilla could not otherwise handle. Both are external to Mozilla. Both are provided by the host OS. Both can be matched to data using facilities provided by the host OS. Neither should be blindly trusted with untrusted input.
What is the difference between the "URI scheme registry" and "/etc/mailcap" in this discussion? Both are a central location where external mechanisms can be looked up. Both are provided by the host OS. Neither should be blindly used with untrusted input.
If your only proof-point is to say "this is just silly", I can only conclude you are arguing from emotion rather than logic. I'd like to blame this on Microsoft incompetence, too. But the fact of the matter is, there is/was a security exposure in Mozilla.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"sigh... OK, you're right, I'm just arguing from emotion."
Look, do you have a point to make, or not? You keep asserting there is some fundamental difference between the *doze and *nix features I am describing, but don't detail what those differences are. I list what I think are critical similarities, and you tell me I'm silly. Maybe I am, but that's not the subject under discussion. If you honestly believe what you say, I expect you to back it up. Maybe you've got some angle or data-point I haven't considered. Something that might change my mind. However, I am unlikely to change my mind based solely on the fact that you think I'm silly.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Mozilla hands off protocols to windows in a simplistic way because it is not a part of the OS - just as any other program does.
Ah, but the difference is that Mozilla isn't taking protocols that, say, the user has entered when looking up a file, or URIs that were generated at compile-time - but rather, URIs that were pulled randomly from the 'net. Very few other programs do that, and that's the key difference here.
You're special forces then? That's great! I just love your olympics!
Excellent, an exploit fix in double quick time. But as Windows proves over and over again, the dumb users just don't install the patches. the bad dooods aren't targeting these open source products yet because they are in the minority (and potentially owned by 'power users'). when/if they get market saturation like windows/ie they *will* target these OS products and because (l)users will still be dumb I don't think we will be in any better situation. I mean come on the average joe is still moronic enough to give out their bank details as a security check over the phone if the 'bank' phones them up (instead of asking which department they are calling from then calling the bank on a number you know and asking for the department). so what chance has software updated got?
Friends don't help friends install M$ junk.
He knew what it meant. He was just making a point.
In backing everything up.
:-)
I wouldn't really regard it as the case that old versions are not supported; its a simple statement that you should use the latest stable milestone, which fixes all major issues known at that stage.
Take, in comparison MS IE. It also does not support patches to every single version, but encourages upgrade to at least major milestones rather than intermediate ones.
Moz introduces new features in new releases, but its also a bugfix release at the same time, and it is a reflection of the fact the software has not got to the same version level as IE. However, I'm sure you've noticed Windows Update still gives you an IE related patch as often, if not more, than Moz gives you a formal update...
Should emphasise at this point I'm not truly anti IE, but I can't live without tabbed browsing, popup blocking, a less vulnerable email client......
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
That's true, of course, but the point here is that Windows Update does give them to me for IE. Even if I'm not using the most up-to-date version, I still get patches for critical vulnerabilities, and they still get sent to my notifications tray automatically if Windows Update is on.
My objection here is that, as a Mozilla 1.5 user, I couldn't find any information on whether this vulnerability affected me (aside from a one-liner I eventually found deep within Mozilla's site that said "versions up to 1.7") or any information at all on what I needed to do to fix it in 1.5. As a programmer, I can extrapolate from the descriptions I have seen, but none of this would help Joe Family-Member who I'd convinced to switch to Moz when 1.5 was current.
I like them too; that's why I use Mozilla. And for the avoidance of doubt, I think the dev team on the whole do a great job, and I'm grateful for their efforts. I've just seen them drop the ball in a Very Bad Way twice too often now -- once to stop me upgrading, and again in apparently not supporting the "old" version -- and I'm starting to get worried. As a geek, I can understand that, and tolerate it. It's just a shame for the mainstream, because it reduces what should be a superior solution to the level of IE/Outlook.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Well, Opera uses whitelisting. I just tried the exploit on my friend's PC (that's right, I have one); he is using Opera on 2k (he won't install Linux, the fool), and it reported shell as unknown, thus the whitelisting claim I made earlier.
___
Exeel -
whisper 'mov cat,rooster' > public.bar.stool->girl.ear 2> hell.nofury >
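The whitelisting behaviour described in the comment above (an unrecognised scheme such as shell is reported as unknown instead of being passed on), set beside a blocklist, as an added example that is not part of the thread and is not Opera's or Mozilla's code. Every function name and scheme set below is a hypothetical chosen for illustration.

```javascript
// Added illustration: allowlist vs. blocklist when deciding whether a link's
// scheme may be handed to the operating system's protocol handler.
// The scheme sets and function names are hypothetical, not any browser's code.

const INTERNAL = new Set(["http", "https", "ftp"]);    // handled by the browser itself
const EXTERNAL_ALLOWED = new Set(["mailto", "news"]);  // allowlist: may go to the OS
const EXTERNAL_BLOCKED = new Set(["shell"]);           // blocklist: known-bad only

// Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// Schemes are case-insensitive, so normalise before any comparison.
function schemeOf(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(String(url).trim());
  return m ? m[1].toLowerCase() : null;
}

// Allowlist policy: anything not explicitly approved is "unknown" and is
// never passed to the OS.
function decideAllowlist(url) {
  const s = schemeOf(url);
  if (s === null) return "reject";
  if (INTERNAL.has(s)) return "internal";
  return EXTERNAL_ALLOWED.has(s) ? "external" : "unknown";
}

// Blocklist policy: only listed schemes are stopped; every other scheme,
// including ones nobody has reviewed, still reaches the OS handler.
function decideBlocklist(url) {
  const s = schemeOf(url);
  if (s === null) return "reject";
  if (INTERNAL.has(s)) return "internal";
  return EXTERNAL_BLOCKED.has(s) ? "blocked" : "external";
}

// Constructed sample links (not taken from the thread or the bug report).
const SAMPLES = ["https://example.org/", "mailto:a@example.org",
                 "SHELL:x", "someapp:open", "no-scheme/path"];

function compare(urls) {
  return urls.map(u => ({ url: u, allowlist: decideAllowlist(u), blocklist: decideBlocklist(u) }));
}

console.table(compare(SAMPLES));
```

Both policies stop the one scheme that is already known, but only the allowlist also stops `someapp:`, a scheme registered with the OS that nobody has reviewed.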
So WHY the [expletive deleted in compliance with new FCC rules] would Mozilla's developers allow it on Windows? _Do_ they also allow it on Linux, or is it _only_ on Windows? Why didn't the Mozilla users community notice it earlier? When was it added?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Do you know it only affects Windows? If Mozilla is handing unrecognized commands to an operating system's native command interpreter to do things with, then it's a dangerous Mozilla bug, unless the people who wrote it knew the OS couldn't do anything dangerous with it, and face it, nobody'd say that about Windows and keep a straight face. If it only affects Windows and not Unix-like OSs, that's because the syntax for handing commands to the operating system's command interpreter is different on the different OSs and they either were too lazy to write it for Unix once they'd done it for Windows, or else the Unix maintainers had more sense, but not quite enough sense to realize that it had been done for Windows.
Go away until you can spell "r00tkit" and "affect"...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks