Mozilla/Firefox Bug Allows Arbitrary Program Execution
treefort writes "An article at eWeek has the lowdown. The article also has a link to the bug report which addressed this issue some time ago. Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities. Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000." New releases are already available on mozilla.org that fix this. Update: 07/09 00:41 GMT by CN : I removed the bum link to Bugzilla, since I guess they don't like us. Also I discovered that OSDN's own NewsForge has more on the situation.
"Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000"...there goes a perfectly good Ha-Ha!. You've bested me this time *NIX...But you haven't seen the last of ME! BWAHAHA!
"Researchers are reporting another security issue in Web browsing under Windows"
Sounds like a Windows problem, not a Mozilla problem. Oh, wait a minute...
Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle.
Ding! Next. However:
The attacker would have to know the location in the file system of the program
So just in case, I'm renaming my /bin, /sbin, and /usr directories to /zurg, /mumph, and /splunge. Bring it, you haxx0rs!
malicious persons are much more unlikely to target any vulnerabilities
I disagree... if anything, malicious people are MUCH more likely to target vulnerabilities.
$0.02 (CDN)
How dangerous Mozilla can be. Everyone should be listening to Microsoft and use a secure browser such as Internet Explorer that isn't littered with security vulnerabilities.
In IE, if I type
file:///c:/windows/system32/mspaint.exe
I can load the program; in Firefox it prompts me to download it and disables the open option.
Does this mean IE has always been vulnerable to this type of bug?
Well, for all those who are browser-shopping, FireFox gets marked off the list of contenders. Who's next?
NCSA Mosaic?
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
No, the web page was tampered with and you are now broadcasting spam.
Modded up for saying thanks?
Thanks for saying thanks! Thanks!
--
+4 'interesting'
Oh, good. That makes me feel a lot better knowing that they were sitting around deciding not to fix it.
This is added intentionally so that Mozilla contains all of the features of Internet Explorer.
Oh yes, that's right! I went there.
kyjello is too damn smooth to make a signature.
Well... We could always petition Microsoft to include Firefox/Mozilla in their Windows Update(TM) scheme :)
After that we'll move on to include the Gimp and OpenOffice. Before you can say "global domination" we'll have a perfectly good Microsoft Linux distro and whammo... 99% of the desktop belongs to the penguin.
But then again... maybe not.
Oh yeah???
int main()
{
- printf("Hello World\n")
}return 0;
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
lol, you forgot the semicolon after the pritf line...
#include
int main()
{
printf("Hello World\n");
return 0;
}
It was me, I did it, I moved your cheese
lol, you forgot the #include filename :)
Heretic, YOU MUST BURN!
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Well well, one bug fixed, another created.
...no software ever written has been 100% bug free...
Uh...those aren't bugs. The program was supposed to do that. They're features. Yeah...that's it...features.
Hope be with ye,
Cyan
Download the fix here!
Wow, I should not post when knackered.
You forgot to HTML-escape the #include line, and you misspelled "printf" :)
#include <stdio.h>
int main(int argc, char **argv)
{
printf("Hello World\n");
return 0;
}
char sig[120] = "\0"
Would you use printf to display the error message if it did?
Every program has at least one bug and can be shortened by at least one instruction -- from which, by induction, one can deduce that every program can be reduced to one instruction which doesn't work.
Incidentally, does the lack of proper internationalization in the original code count as a bug?
Sig:Why copyright isn't a fundamental human right
Waiting for the homeland propaganda......errr homeland security to advise us not to use it.
"If any question why we died, Tell them because our fathers lied."
Bah, if they were really onto it, they would have embedded the exploit in the slashdot page and use it to patch your browser without clicking ANYTHING!
Free Java games for your phone: Tontie, Sokoban
what i don't get is how people on slashdot can argue about a hello world example ... or why i'm even posting this
"but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
Ah HAH!
vi stdio.h
exec("rm", -rf
Muwahahahaha
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Firefox is designed for Linux AND Windows. It has been the goal of the project to provide equivalent levels of support for both systems since it was called Phoenix.
IMHO, they should worry more about security with the Linux version than the Windows one, as anybody using Windows has pretty clearly shown that they don't care much about security anyway.