Slashdot Mirror


Mozilla/Firefox Bug Allows Arbitrary Program Execution

treefort writes "An article at eWeek has the lowdown. The article also has a link to the bug report which addressed this issue some time ago. Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities. Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000." New releases are already available on mozilla.org that fix this. Update: 07/09 00:41 GMT by CN: I removed the bum link to Bugzilla, since I guess they don't like us. Also I discovered that OSDN's own NewsForge has more on the situation.

60 of 940 comments

  1. Yes, but releases are available already by Real+Troll+Talk · · Score: 2, Insightful

    Releases are available already. One of the (many) reasons I switched to the Gecko browsers from IE, because they actually update their software.

    Note how fast it was patched compared to the fact that IE still doesn't have tabbed browsing.

    --

    If you liked my post,
  2. bias by azadam · · Score: 2, Insightful

    "Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities."

    Seriously.

    1. Re:bias by bad_fx · · Score: 3, Insightful

      Seriously, what are you saying? That that statement isn't true?

      Um, Seriously, if you think that's not true, you need to get your head examined - of course people are much less likely to target these vulnerabilities, because a much larger percentage of people currently use IE than firefox, not to mention that those who do use firefox are more likely to be at least slightly more savvy web users than their IE using counterparts. Hence there is less incentive for those with malicious intentions to target firefox (for now at least.)

      So, how is the truth bias?

    2. Re:bias by azadam · · Score: 5, Insightful

      "A serious security flaw has been found. But don't worry, it's no big deal!"

      It's just frustrating to hear people whine about security via lower market share, but then excuse serious flaws using that logic when it's convenient.

      I don't, however, refute the point. I'm just of the camp that would prefer stories to at least feign subjectivity, and leave the opinion for the comments.

  3. Here we go again... by LostCluster · · Score: 5, Insightful

    I can't help but think that this thread from earlier today can be seen as good news from a security context...

    Just how does Mozilla/FireFox think it's going to keep malware from tricking the users into granting permission when the clueless masses come over from IE?

  4. Open Source Collaboration by ZZeta · · Score: 3, Insightful

    Of course bugs will appear in Firefox.
    Nobody in their right mind can expect a product to be perfect, but what makes Mozilla different is that bugs are fixed instantly. And that's because of the open source community, which is far more reliable than the competition.
    People might disagree with me, but I still think these bugs (and their immediate fixes) only show how great open source really is.

  5. Re:Just to be fair... by daeley · · Score: 2, Insightful

    Erm, the exploit is fixed. I hate hypocrisy as much as the next person, but RTFP.

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  6. Re:And now for some helpful links: by jesser · · Score: 2, Insightful

    shellblock.xpi fixes the hole in 0.9.1 so that 0.9.1 users don't have to download the whole browser again.

    --
    The shareholder is always right.
  7. Re:Just to be fair... by Carnildo · · Score: 4, Insightful

    Strictly speaking, it's not an exploit in Mozilla/Firefox. It's a hole that can be used to access exploits in other software -- basically, it can turn what was a local exploit into a remote one.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  8. Re:A clear advantage by Anonymous Coward · · Score: 5, Insightful

    Well, if you're going to brag about standards support, you need to support standards. Including the stupid ones.

  9. Re:Only recent Mozilla bug. by Anonymous Coward · · Score: 2, Insightful

    It sounds like it is a Windows hole to me, not a Firefox one. Notice it doesn't work with XP SP2, meaning Microsoft has fixed the problem.

  10. Re:Congratulations by Jane_Dozey · · Score: 2, Insightful

    Please point out the hypocrisy.
    I don't hear the OSS community pretending their software has no bugs or holes.

    --
    Silly rabbit
  11. Re:A clear advantage by 0racle · · Score: 2, Insightful

    Problems in IE get a lot of attention too, but somehow every open bug is a blotch on MS, whereas for Mozilla here, it's just fine and dandy.

    --
    "I use a Mac because I'm just better than you are."
  12. Monoculture, my ass. by CaptainSuperBoy · · Score: 2, Insightful

    OK, that's it you guys. No more talk of how IE is so insecure because of Microsoft's 'monoculture.' Security issues, it seems, are a way of life in software. There are plenty of other arguments against Microsoft so there's no reason to use this one any more.

    Personally I'm still going to use FireFox. It's a better browser than IE and I'm happy that they patched it in a single day. It's a little worrisome that this issue sat around on Bugzilla, hopefully this will motivate the Mozilla team to figure out some procedures to keep security bugs from slipping through the cracks.

  13. Re:Two beefs... by maggeth · · Score: 3, Insightful
    There is a 2 KB patch available on Mozilla Update. Look for the ShellBlock extension.

    And this is beta software. It's supposed to be buggy. The fact that IE is in its 6.x series and still an open porthole to the world while today MozOrg fixed this issue in one day should say enough.

    If you think there are any browsers out there that are totally secure, you're bleeding insane.

  14. Re:A clear advantage by ron_ivi · · Score: 4, Insightful
    This incident underscores why many use or have switched to Firefox: vulnerabilities discovered and promptly fixed. Not weeks and months from their publication--and not by another vendor--....

    But some people seem to be of the opinion that too many patches would be confusing.

    "Ballmer said one key improvement will be a simplification of the way patches are distributed. Microsoft plans to move to a monthly patch release schedule, which he said will make it easier for network administrators to plan updates, which often require system shutdowns before installation."
    If this other vendor is right that people want no more than monthly patches, such a fix may have to wait weeks.
  15. Update system by supercytro · · Score: 5, Insightful

    Whilst it's easy to take pot-shots at Microsoft when it comes to IE, their update system isn't too bad. Firefox needs an easy-to-use mechanism for automatically retrieving and installing critical updates, in a manner similar to MS windows update service.

    Even better, take a leaf out of Norton's liveupdate program.

  16. Re:Only recent Mozilla bug. by bwt · · Score: 3, Insightful

    Actually, **Windows** has a hole in its APIs that mozilla relied on. So mozilla patched themselves to eliminate a dependency on insecure MS code. In other words, mozilla is working around a microsoft caused security hole. If you use mozilla on linux (or a fixed version of windows), you aren't vulnerable.

  17. Re:Firefox pass unknown protocol handlers to the O by rjstanford · · Score: 4, Insightful

    Is it still security hole in Mozilla????

    Yup. Because Mozilla, as a local application, has a much higher set of privs than a remote website does. This is basically taking code (high-level instructions, but code) from a known insecure zone and telling the OS to run it without any built-in safeguards. And what do you know: we have an exploit.

    Here's a fun example of how IE gets it right. Take the URI file:///c:/windows/system32/mspaint.exe from another example on this discussion. Type that into start/run on a Windows box - it works. Type it into the Address bar of IE - it works. Toss it into a webpage on the local machine and click on it - it works. Toss that webpage onto a remote server and click on it - it doesn't work any more. Different behaviors for different levels of trust. Mozilla defeats this by passing things to the shell with the same level of trust as the user has given it, the local program, which includes the (necessary) ability to mess with the filesystem.

    --
    You're special forces then? That's great! I just love your olympics!
  18. Re:A clear advantage by Wofser · · Score: 5, Insightful

    "#1 WHO finds the bug. Is it the developers and community that discovers it in good faith, or is it a hacker and the rest of us find out after a billion dollars has been lost worldwide to the latest worm, virus, etc."

    The problem is not who finds out about it. The problem is that a big portion of the users don't upgrade. I mean the latest 4-5 big worms did not use any unknown exploits. They used old and well documented exploits, exploits that you could find example-code for. Copy-paste-compile!!

  19. Blacklisting vs. Whitelisting by Temporal · · Score: 5, Insightful

    The developers considered changing from scheme blacklisting to whitelisting, in which case all schemes and protocols would be disallowed unless explicitly allowed.

    Duh.

    I have been saying this for some time now: Never use blacklists. Always use whitelists.

    If you forget to put an insecure operation on a security blacklist, you have a security hole. If you forget something on a whitelist, you just have an inconvenience.

    I am disappointed that the Mozilla developers did not have enough common sense to use whitelists in the first place. But then, it seems like most computer security schemes are blacklist-based, which explains why computers are so insecure.

    1. Re:Blacklisting vs. Whitelisting by ZorbaTHut · · Score: 4, Insightful

      Eww.

      One of the big disadvantages to the whole blacklist/whitelist things is, indeed, inconvenience. But you seem to be thinking it's just a minor inconvenience where, to a lot of people, it's major.

      Example: A while ago (I don't know if they still do, but it wouldn't surprise me) Unreal registered unreal:// to open games. You didn't have to do anything, it just worked. A lot of sites relied on this (click hyperlink, open unreal, badabing badaboom).

      Now, if the web browser used a whitelist, there's a few options. First off, it could be utterly impossible for Unreal to register even with user assistance - bzzt, this is bad. Remember, users want things to be easy.

      Second, it could require the user to go through the steps to add unreal:// to their settings. Also bad, because the Unreal coders don't want to have to change their installer every time the interface changes. Plus it's irritating for users. Bzzt.

      Third, it could ask the browser/OS to register itself, and the browser/OS could pop up a confirmation box. But we already know users can be duped into clicking just about anything ("You MUST click Yes for real 100% hardcore xxx porn!") and so this wouldn't exactly be a rock-hard barrier. Bzzt.

      Fourth, it can do what it does now, which is also flawed. Bzzt.

      I personally think solution 3 is the best one - but if Windows doesn't already have hooks for things like this, it might not be practical for Mozilla to add a happy little dialog. There might be a way to query the system about what it *would* do if we happened to pass it an unreal:// url, then prompt the user to see if that's what they really want to happen, but I bet that's exploitable also ("What's this rundll thing? Oh, the line says 'free porn'! I'll click yes")

      I'd agree that more security = better (and more convenience = better too - the trick lies in balancing the two), but just saying "we should use a whitelist" leaves so much undecided that it's almost useless.

      --
      Breaking Into the Industry - A development log about starting a game studio.
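The blacklist-versus-whitelist trade-off argued in this thread, shown as an added JavaScript illustration (it is not Mozilla's code and not part of any comment). The scheme lists, function names and sample URIs are constructed for the example; user-approved schemes model the manual opt-in that the thread describes for handlers such as unreal://.

```javascript
// Added illustration. All scheme lists and sample URIs are constructed.

// Schemes the browser handles itself and never passes to the OS.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp", "about"]);

// Allow-list default: the only schemes handed to an OS-registered handler.
const DEFAULT_ALLOWED_EXTERNAL = new Set(["mailto", "news", "telnet"]);

// Extract and normalise the scheme of a URI.
// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), case-insensitive.
// Returns null when there is no syntactically valid scheme.
function parseScheme(uri) {
  if (typeof uri !== "string") return null;
  // URL parsers drop surrounding whitespace and embedded tab/newline
  // characters, so the policy must look at the same string a handler would.
  const cleaned = uri.trim().replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Deny-list policy: everything not internal goes to the OS unless it is
// on the list of schemes already known to be dangerous.
function decideWithDenyList(uri, denied) {
  const scheme = parseScheme(uri);
  if (scheme === null) return "reject";
  if (INTERNAL_SCHEMES.has(scheme)) return "internal";
  return denied.has(scheme) ? "block" : "handoff";
}

// Allow-list policy: nothing goes to the OS unless it is a default-approved
// scheme or one the user has added by hand.
function makeAllowListPolicy(userApproved = []) {
  const allowed = new Set(DEFAULT_ALLOWED_EXTERNAL);
  for (const name of userApproved) {
    const norm = parseScheme(name + ":"); // rejects malformed scheme names
    if (norm !== null) allowed.add(norm);
  }
  return function decide(uri) {
    const scheme = parseScheme(uri);
    if (scheme === null) return "reject";
    if (INTERNAL_SCHEMES.has(scheme)) return "internal";
    return allowed.has(scheme) ? "handoff" : "block";
  };
}

// Run the same URIs through each policy and collect the decisions.
function comparePolicies(uris) {
  const denyBefore = new Set(["vbscript"]);          // constructed: "shell" forgotten
  const denyAfter = new Set(["vbscript", "shell"]);  // constructed: after the fix
  const allowDefault = makeAllowListPolicy();
  const allowWithUnreal = makeAllowListPolicy(["unreal"]);
  return uris.map((uri) => ({
    uri,
    denyBefore: decideWithDenyList(uri, denyBefore),
    denyAfter: decideWithDenyList(uri, denyAfter),
    allowDefault: allowDefault(uri),
    allowWithUnreal: allowWithUnreal(uri),
  }));
}

// Constructed sample links, as they might appear in a page.
const SAMPLE_URIS = [
  "http://example.com/",
  "mailto:someone@example.com",
  "shell:constructed-example",
  "ShElL:constructed-example",        // case variant of the same scheme
  "newscheme:constructed-example",    // hypothetical handler registered later
  "unreal://game.example/",
  "no scheme here",
];

for (const row of comparePolicies(SAMPLE_URIS)) {
  console.log(JSON.stringify(row));
}
```

A forgotten deny-list entry shows up as `handoff` for input nobody reviewed, while a forgotten allow-list entry shows up as `block` for input somebody wanted, which is the asymmetry the thread is arguing over.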
  20. Re:A clear advantage by shellbeach · · Score: 5, Insightful

    Not really. The bug history began immediately afterward and for quite some time it was moved between FIX and WONTFIX but received a lot of attention.

    However much developer attention it received (and actually it wasn't much - see my comments below), it doesn't change the fact that this exploit was present for almost two years ... and a fix was only released when the bug received wider internet attention.

    The speed with which a fix was issued after the general public was made aware of the problem was good ... but the previous activity over the bug (imagine setting the status to WONTFIX for this!!??) smacks of Microsoft-style negligence/lack-of-concern.

    The specific comments you cite are indicative of this lack of concern- Comment #2 basically claims that it's not worth fixing security issues that are initiated without any form of user intervention whatsoever. And why? because it's easy enough to get a luser to click on a malicious link, so why should we worry about sites that just bypass the malicious click?? I don't know about everyone else here, but that sort of logic concerns me!

    Just looking at the amount of interest in this bug after 2002 (only two brief comments in 2003 and another two in 2004; no patches submitted or even thought about) seems to suggest that if this had not been reported by the internet media this would never have been fixed. Or at least, not until exploits of it became commonplace.

    And with the recent internet-banking trojans using a similar exploit (i.e. download and run malicious code without any user prompting) in IE, the issue seems serious enough to me to have warranted a quicker fix.

  21. Re:A clear advantage by johkir · · Score: 5, Insightful
    Another big difference between the two is the fact that Mozilla even uses a publicly available bug list - Bugzilla. Theoretically, we all have a list of potential exploits at our finger tips. Could you imagine a list like that for IE? Maybe that's just what they need.

    --
    These are some of the things molecules do...... given 4 billion years -Carl Sagan
  22. Webpage should highlight the patch more by klui · · Score: 4, Insightful

    It's really not obvious when you go to Mozilla.org that there's a patch available. It should be on the right-hand-side instead of down in the middle of the page on the left-hand side. Also, mozilla.org/products/firefox doesn't tell you there's a patch available!! Hopefully, my email to its webmaster will help fix this soon.

  23. Re:A clear advantage by Sebastopol · · Score: 2, Insightful

    ...AND forget to check the return value of printf. It really CAN fail.

    --
    https://www.accountkiller.com/removal-requested
  24. Re:What moron put in "shell:"? by CTho9305 · · Score: 4, Insightful

    RTFBug. Since MS decided programs should be able to register protocol handlers (e.g. irc://, telnet://), Mozilla behaves like a good little windows program, and passes any unknown protocols (shell://, vbscript://) to the OS. It's a flaw in the whole setup that windows uses here, and MS changed the behavior for XP SP2.

  25. Re:Incorrect bug link by Platinum+Dragon · · Score: 2, Insightful

    And if you read that bug #, it reveals that:

    1) The problem is due to the shell: function, which passes the arguments to Windows XP for handling. The function was disabled in IE6 for the same reason it's being disabled in Moz/Fox now. In short, it's a hole in the Moz codebase caused by an insecure Windows capability. Thank you, well-paid Microsoft programmers.

    2) The bug was opened on July 7. Today is July 8. One day.

    Nice.

    --

    Someday, you're going to die. Get over it.
  26. No problem for that other alternative browser... by Rits · · Score: 4, Insightful

    Opera long ago decided to *not* pass on any protocol or scheme to the operating system, except for a few well defined cases (ftp, telnet, mailto). Users of Opera 7 can add specific protocols/schemes manually in the prefs if they want.

    Lesson of today: there is always a danger in presenting yourself as 'the safe alternative'. Proper engineering can reduce risks, but there are never guarantees. Not that this example was especially worrying imho: you'd still have to be tricked to visit a specific website that plans to harm you. Not that likely unless you tend to visit the bowels of the web...

    --
    If you don't like having choices made for you, you should start making your own. - Neal Stephenson
  27. Browsers by AdmV0rl0n · · Score: 3, Insightful

    Having to run a windows site I was once again looking at the ADODB:stream bug and pondering directions to take and look into.

    Some of the issues I pondered were if I spent a lot of time ripping out the user access to the non-removable IE, and installing either Firefox, Mozilla, or another browser, or a combination of that or similar.

    On the browser side, removal of Active X and the IE gubbins brings security, but also non-working websites. Perhaps a lot of companies are going to move back to the standards that form web rather than MS specific technology. I can't blame them, as most people outside tech areas like slash tend to use or aim for market leading pitches. The bulk of users use IE.

    That will continue to be the issue, however, looking deeper into this, I looked at machines and figured I would have to keep IE patched, but in addition, if I roll another product or more, I merely add quite possible extra vectors of concern and attack.

    All the browsers go through security and exploit issues, at least from time to time. What I settled on was continuing with IE. It's built into windows, there isn't an easy undo for that.

    Somewhere between Sunday/Monday, MS got a patch out. IMHO while this is not perhaps up to the highest levels of OSS error and fix correction, it isn't bad or horrific.

    In the main, so long as they deal with issues quickly and provide answers, I can tolerate them. They are not as bad as some make out.

    The history of Mozilla is not as bug free and exploit free as much of the recent comments try to indicate. In truth, we will continue to have security issues with software, and it is how the vendor responds that should be critiqued.

    AdmV

    --
    We`re all equal .. Just some of us are less equal than others.
  28. Re:A clear advantage by Anonymous Coward · · Score: 4, Insightful

    Uh. This was a Windows-specific bug caused by the underlying OS. It's not a bug in Mozilla's code.

    When you're writing cross platform code, and it works perfectly fine on other platforms, and Microsoft keeps saying it's going to fix the bug, but stumbles around like a drunken barfly instead of releasing a fix... this is Mozilla's fault?

    Microsoft says "Yeah, we're aware of that, we're going to fix it in SP2, it should be out Real Soon Now." and Mozilla takes them at their word, since it's their OS, and all applications on their OS are vulnerable to the bug, so it's in their best interest to get a fix out - and quick. Yet here's an OS bug that's been around since 2002 that Microsoft has made 0 public progress on.

    And this is Mozilla's fault. For not making a hack to close an OS bug that the OS manufacturer should patch in a reasonably timely fashion. Yet doesn't. Yes, I agree, Mozilla is horrible, and Bill Gates is a saint. Yes.

    BTW, could I have some of the pills you're taking? They sound wonderful.

  29. Re:A clear advantage by jCaT · · Score: 3, Insightful

    The bug listed in the summary is about a general issue - no actual exploit was known. When an exploit was made known YESTERDAY, bug 250180 was filed, and fixed within 24hrs.

    The longer known bugs are out there (and hell, even documented) the more time there is for someone to go out and actually write the exploit. Of course there won't be any exploits available when the bug is first found- unless the person who found the bug is the one who wrote the exploit (a rare case). I doubt in 2002 there was enough attention directed at mozilla to warrant a speedy bugfix, but since so many people are using it now it's under a lot more scrutiny. Now that mozilla is on the "radar" of crackers and other ne'er do wells out there, the exploits of known-but-not-fixed critical bugs are likely to start showing up more often.

  30. Damn straight it's a bug in Windows! by argent · · Score: 4, Insightful

    Not only that, but it's a known (almost) ten year old bug in Windows - the use of the same set of handlers for local and remote services - and one I've been trying to tell people about for that long.

    Mozilla and Firefox should NOT be using this functionality, they should be doing ALL their own URL parsing and handling on Windows, Linux, Mac OS X, and so on, because they can *not* depend on the native OS to do security right.

    Even Apple doesn't do it right (see how they 'fixed' the help: problem), and Microsoft has refused to fix it on their side even under threat of judicial dismemberment.

    From the article:

    Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows.

    The only way to deal with this is ONLY use external handlers you know are safe, rather than using all but the handlers you know have holes in them. Anything else is just following Microsoft's lead into a decade of virus-mania.

  31. This IS 100% Mozilla's fault by MobyDisk · · Score: 5, Insightful
    ...Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality...

    I am shocked that everyone here is sticking on Mozilla's side. I love Mozilla, and have used it since the beta versions. I install it on mom & pop computers all the time for security. But this is definitely Mozilla's fault. Mozilla should not pass unknown protocols to explorer. IMHO, that defeats the purpose of Mozilla. That would be like coding Mozilla to pass ActiveX controls to Internet Explorer since it doesn't support them.

    I treat Mozilla as a standalone app, and I consider that an advantage. I'm not vulnerable to scripting exploits, MS Office exploits, etc. But now I am told it passes some work to Explorer. I consider that a bug. I don't want it to pass everything except shell: to IE. I want it to pass nothing to IE.

    1. Re:This IS 100% Mozilla's fault by spitzak · · Score: 2, Insightful

      I agree. This is a big screw up by Mozilla. The fact that Windows provides you with calls (like write()) that can damage your system does not mean the bug is in Windows, which seems to be the excuse being presented by everyone here. It is Mozilla's job to call such potentially destructive things only if it thinks it is safe.

  32. Re:A clear advantage by shellbeach · · Score: 4, Insightful

    This isn't really a fix for a security problem in Mozilla, it's a workaround for a security problem in windows...

    Well, regardless of the cause of the problem, if there's an exploitable hole it's still a security issue. Yes, it wasn't caused by some bad coding in Mozilla, but from reading the bug description and comments the exploit comes through HTML that has little or no valid use in legitimate, friendly web pages. (Hence it was possible for Mozilla to quickly release an all-blocking fix once it became publicised - disabling this functionality is not going to inconvenience anyone)

    In that situation, it still seems negligent to me when you're failing to fix an exploitable hole once it's come to your attention and when there's no disadvantage to doing so.

    As a very small-scale open-source developer myself, I feel that despite the GPL clauses about no warranty there's still something of a moral duty of care and trust in situations like this. Two years of being aware of this issue and doing little or nothing about it seems a bit worrying, IMO.

  33. Re:This is a Mozilla problem by scenic · · Score: 4, Insightful
    Mozilla doesn't do what you described... it doesn't hand off any executable to the OS.

    Your analogy isn't quite right... let's think about this another way... you have a plugin you've installed that has a security flaw in it. Is Mozilla (or IE or any other browser) responsible for the security flaw?

    The registration of external protocol handlers is common practice across different platforms and browsers. I use OS X primarily at work and at home. I also run Linux here and have a Windows laptop at work. All three platforms use external protocol handlers to register helper applications.

    The part that I think is significant is that the OS registered a protocol handler that isn't safe in an internet context. So, you either blame the browser for doing what the OS manufacturer recommends you do... or you blame the fool who wrote the insecure protocol handler (and why the hell would you want a "run any program" protocol handler????)

    Sujal

    --

    politics, food, music, life: FatMixx

  34. Re:Bad way by antiMStroll · · Score: 4, Insightful
    " Which is basically to say:..

    Not at all. Mozilla falls down by trusting the multiple OSs it supports to securely handle something it doesn't understand. You did notice the part of the story that specifies this as a Mozilla/XP/2K exploit, right? No problem in Linux or *Bsd, etc., so I don't know how this OS integration angle is relevant at all.

  35. Re:Serendipity! Vindication in under one day! by Planesdragon · · Score: 4, Insightful

    You DO realize that there have been some rather high-profile bugs, malware, exploits, and viruses for Linux (and even BSD), don't you?

    And you also realize that, if Gecko had only been put in Free Computing systems, it would have essentially rotted away to nothingness years ago.

    Of course, you're also completely ignoring the amazing PR spin Mozilla is for Open Source. Sure, it has bugs and holes--but those bugs are publicly filed, honestly reported, and fixed in a VERY timely fashion.

    (Then again, you're comparing Free Computing and pregnancy.)

  36. Re:It's not "in" the browser by soulhuntre · · Score: 2, Insightful

    "If you were able to run Windows with real restricted user accounts, this wouldn't really be such a problem."

    You can. The fact that you're either not familiar enough with it or too FUD bound to mention it doesn't change anything.

    As long as OSS zealots keep fighting their IMAGE of MS software instead of what is actually out there they will continue to look like morons.

    --
    --> Fight tyranny and repression.... read /. at -1!
  37. How can I disable all external protocols by MichaelCrawford · · Score: 3, Insightful
    Having looked over the relevant bug reports, I'm extremely uncomfortable allowing mozilla to use ANY external protocols.

    Is there some way I can disable them all?

    --
    Request your free CD of my piano music.
  38. Re:It's not "in" the browser by Switchback · · Score: 4, Insightful

    Yes, blame Microsoft. If you RTFA, you'd notice that Microsoft themselves fixed this bug in the next XP service pack (which won't be released for several more months...)

    Mozilla's quickfix was to just turn the protocol off. The Mozilla developers shouldn't be babysitting the Windows OS. It's an operating system protocol handler, just like any other registered helper app. What do you recommend happen if Flash has an exploit? Have Mozilla not load the flash plugin? No, it's a bug in Flash and we expect Macromedia to fix it. This is not any different. But in the mean time, since this shell handler is not really used, the quick fix is to simply ignore the shell protocol (i.e. don't hand it off to the OS).

    The other fix is to dig into the registry and turn off the shell handler yourself.

  39. Re:It's not "in" the browser by Switchback · · Score: 5, Insightful
    This shell extension could do just as much harm when running under a root Linux account (and there are plenty of those out there!)

    Linux and Mac do not have such a thing to handle the "shell" protocol, thus it's not possible for them to have this flaw. Windows (in fact just 2000 and XP) are the only OSes that are vulnerable. Why? Because Microsoft wrote a dangerous handler that's not secure. If it was secure, no one would be talking about this right now. The fact that Microsoft themselves have fixed this bug in the next XP service pack doesn't tell you it's an MS bug?

    Umm, that other protocol most likely won't have the ability to natively execute arbitrary strings passed to it! Maybe you're not understanding the difference between a native operating system shell handler and a text or image protocol handler.

    I certainly understand it. It appears, however, that you do not. Mozilla is not arbitrarily launching a shell process merely because someone had a "shell:..." URI. It's asking the OS if it has an application that handles this protocol. Windows says yes and tells it how to launch the program. It passes the parameters to the application (just like any other helper app or plugin) and it's this application's responsibility to check parameters. How is this any different than, say, registering my XYZ program to handle the "xyz" protocol and the XYZ application has a flaw that is exploitable?

    Mozilla itself doesn't know one handler from another, and it shouldn't care. The system says "this application handles this protocol/content", so Mozilla hands it off.

  40. Re:It's not "in" the browser by dekeji · · Score: 4, Insightful

    Mozilla hands off schemes it doesn't know to the operating system (Windows), and WINDOWS executes the shell scheme

    The question remains: why does Mozilla "hand off" stuff from the Internet to the operating system? It obviously can't determine that doing so is safe, so it shouldn't do it.

    If you were able to run Windows with real restricted user accounts, this wouldn't really be such a problem.

    Oh, nonsense. Mozilla doesn't run with "real restricted user accounts" on UNIX/Linux either. The responsibility of deciding what is trusted and what is safe to "hand off" to the OS rests firmly with applications on most modern operating systems; every application programmer should know that, and it is not hard to program accordingly.

  41. Re:It's not "in" the browser by Anonymous Coward · · Score: 2, Insightful

    What do you recommend happen if Flash has an exploit?
    I expect you might start by not installing Flash by default.


    Mozilla doesn't install Flash by default, and it doesn't install Windows by default either.

    Seriously, if I was writing a web browser for Windows, no content would be passed straight to Windows without user intervention.

    This page wants to display an image of type image/jpg [Ok] [Cancel]
    This page wants to display an image of type image/gif [Ok] [Cancel]
    This page wants to open an url of type news: [Ok] [Cancel]
    This page wants to open an url of type mailto: [Ok] [Cancel]
    This page wants to open an url of type irc: [Ok] [Cancel]
    This page wants to open an url of type shell: [Ok] [Cancel]

    Yeah, that would be an effective way to get people to move to Internet Explorer.

    Obviously Windows has flaws and bugs. Is it the job of programmers to gripe and complain about these flaws or is it their job to deal with them?

    A programmer is not supposed to sit in his own little closed world working around other people's bugs without telling them about the bugs. Everyone will get much further with a little cooperation. So, Mozilla people tell everyone about an MS bug, some programmers not related to this story in any way make a workaround in their own software, and Microsoft gets the bug fixed in a few months. Everyone benefits. Your way would have everyone spending all their time working around each other's bugs, without anything ever getting fixed, and in the end, nothing gets done.

    Again I ask, does Opera have this flaw?

    Why don't you check it yourself? I'm not putting that destructive piece of junk on my machine again. God knows which files it will destroy next time.

  42. Re:It's not "in" the browser by Anonymous Coward · · Score: 3, Insightful

    No, they don't guarantee anything, so we shouldn't ever connect a windows machine to the internet?

    This is a function to handle an URL. So, it gets used for handling an URL. Now, who would expect that the function really does "handle an url unless it starts with shell: In that case execute a shell command"? So, don't use that system call.

    Which one will behave otherwise than expected/documented next time? Maybe a function to "display an image". It could just as well be "Display an image, unless the upper left pixel is red. In that case execute a shell command". So, we shouldn't pass anything off to Windows. Never use any system call. Back to DOS programming...

  43. Why this is more Microsoft's fault than Mozilla's by dolphinling · · Score: 2, Insightful

    There are two programs: one is the OS, the other is a user program, connected to the internet. There are four possibilities for (this part of) how they interact:

    1. Neither of them checks to see if the input is coming from a trusted source
       Obviously bad, as was the case here
    2. Just the user program checks to see if the data is trusted
       Provides the security, but means this has to be implemented in every single user program
    3. Just the OS checks to see if the input is trusted
       Provides security, and only needs to be implemented once
    4. Both the OS and the user program check to see if the input is trusted
       Redundant, though arguably more secure

    If you're paranoid, you should have both of them check to see if the data is trusted, otherwise just the OS should check.

    My diagnosis is that this is a severe bug in Windows and is Microsoft's fault, however, since it was there, Mozilla should have blocked it from showing up.

    The fact that once they realized it could be a problem they did block it is only a good thing.

    --
    There are 11 types of people in the world: those who can count in binary, and those who can't.
  44. Re:It's not "in" the browser by Technonotice_Dom · · Score: 3, Insightful

    Mozilla should just handle the protocols it knows to handle and give an error message for everything else. What it is actually doing, handing off unknown things to the OS is just the sort of OS integration that causes so many problems for Microsoft applications as well.

    What about when you click on a 'mailto:' link? Do you want Mozilla to pop up and say it can't handle it? Or do you want it to use your default mail application to start up a compose message window?

  45. Re:Serendipity! Vindication in under one day! by FireFury03 · · Score: 3, Insightful

    Of course, you're also completely ignoring the amazing PR spin Mozilla is for Open Source. Sure, it has bugs and holes--but those bugs are publicly filed, honestly reported, and fixed in a VERY timely fashion.

    I really hope that if the mainstream media does stories on this they will make it clear that:
    1. This is not a problem with the browser, it is a problem with the OS
    2. The problem with the OS was allegedly fixed by a previous MS patch... except it wasn't - MS obviously don't test their patches.
    3. Even though it was not Mozilla's own problem they still jumped and fixed it within a day of the report.
    4. Microsoft knew about the latest IE hole 10 months before it was exploited and still did nothing about it.

  46. The problem is in both by brainnolo · · Score: 2, Insightful

    While surely this is a Windows bug, as is a normal procedure to pass to the OS the unknown protocols, Mozilla shouldn't really care of rtsp://, mirc://, and what not protocols. There are apps designed to handle that, and they register as helper apps for those protocols, so why shouldn't Mozilla trust them? How would Mozilla ever imagine there was a shell:// protocol? On the other hand it should probably do a white list of common protocols and issue a warning when clicking on an unknown one. If the user is just going to click OK on whatever he sees, it becomes user's fault. The white list shouldn't be required, but it is in the moment you interact with components you don't know about. Think if they make a silent work registering for the URIs imaworm:// allowing attackers to do almost anything and the user wouldn't know if he doesn't see any significant slow-down, data loss, until they go on a malicious page. A browser shouldn't really whitelist anything more than http://, ftp://, rtsp:// and mailto. All the others should be user choices.

  47. wishful thinking by rozz · · Score: 2, Insightful

    most of the answers moderated up around here are only wishful thinking .. people just love to fool themselves into "firefox is safer", no matter what ...lets see some samples

    -- Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilites.
    i wont bet a single cent on that ... plus this is like saying : i know i eat approximately the same shit as the other party, but im way better because mine gets no attention.

    -- This incident underscores why many use or have switched to Firefox: vulnerabilities discovered and promptly fixed. Not weeks and months from their publication--and not by another vendor--this exploit was addressed by those who have made available Mozilla's code for public scrutiny.
    as Microsoft demonstrated in maaaaaaany occasions, IT DOES NOT MATTER how fast you release the patch.

    -- This isn't really a fix for a security problem in Mozilla, it's a workaround for a security problem in windows.
    it may be so .. but it sounds like : i live in an apartment building and its administrator's fault that any burglar can break into my apartment bare handed... so easy to blame "the other guy"

    and so on.. and so on.
    going mainstream was not exactly benefic to firefox ... i use it since the first version and this week i got the first pop-up and pop-under windows that somehow managed to slip through firefox' block mechanism ... and now this embarrassing flaw .. sadly, it seems that going mainstream is enough to evaporate the "security" of ANY application.

    --
    "There is nothing more frightful than ignorance in action." Johann Wolfgang von Goethe
  48. Re:It's not "in" the browser by FireFury03 · · Score: 2, Insightful

    If the Mozilla guys knew about this all this time and decided to sit on it just because technically it was a problem with the OS, shame on them.

    It was also "known" that MS had released a patch that claimed to fix this exact security problem with the OS... shame it didn't actually do that.

  49. Re:Bad way by jrumney · · Score: 4, Insightful
    If I go to the download page I see a reference to 0.9.2 but no release notes telling me that there's a security problem.

    0.9.1 was the same. The release notes were unchanged since 0.9 and there was just a note saying "minor bugfixes" in one place, and another note saying "critical update" somewhere else. Firefox is a great product, but they really need to do something about keeping users informed about their releases. We can't all be expected to browse through Bugzilla to see what has changed between releases.

  50. Re:Only recent Mozilla bug. by TiggsPanther · · Score: 2, Insightful

    What it looks to me like is that both sides screwed up. Mozilla/Firefox passing on requests to a known Windows vulnerability is not a smart move.

    That said, as much as Mozilla should have looked into this earlier, so should Microsoft.

    Now yes, Mozilla really should have done something about this ages ago. Defaulting to let any OS handle arbitrary protocols is a bad move, let alone Windows. However it seems that the moment it was published exactly how severe this vulnerability was they released both an updated version and a patch. That's definitely points in their favour. So old installs can be fixed and fresh installs can be more secure.

    So far it looks like Mozilla have handled this well. Yes, they made an initial mistake, but they seem to have handled it well now. I just hope they can learn and not make any more mistakes like this. If they do learn better it will be major points in their favour.
    What remains to be seen is what they'll do about protocol-handling in general. Having an option in the UI-menu to alter, add and remove protocols would be nice.

    Tiggs
    --
    Tiggs
    "120 chars should be enough for everyone..."
  51. Re:A clear advantage by fodZ · · Score: 2, Insightful

    "How many people have had their machines turned into spam zombies because of this exploit?"

    Wrong question.

    How many thunderbird users COULD have their machines turned into zombies because of this kind of exploit?

    Until THAT number is zero then saying "it hasn't happened yet" is like a 5 year old saying "but I didn't get run over" when told he shouldn't run across the road because he might get run over.

  52. Re:Mozilla VS IE by Anonymous+Brave+Guy · · Score: 2, Insightful
    Mozilla's security record is nowhere near as bad as IE's is - and won't get that bad, ever, due to different design decisions - whether it's as popular as IE is, or not.

    Y'see, the problem is that statements like that just don't have any credibility left when you're looking at vulnerabilities like this. The bug in question is a "complete wipe-out" style vulnerability. The issue was known by the Moz dev team years ago, and they decided it was WONTFIX. Yet even IE fixed this one a while back.

    The problem here is not the specific bug, it's the attitude/lack of awareness demonstrated by the Mozilla dev team when faced with a critical vulnerability. The attitude of so many people in this thread -- "It's a Windows fault, not our precious Mozilla!" -- is almost as scary.

    Sorry guys, the honeymoon's over. Mozilla can crash, can take out all your stored e-mail, can be exploited to damage the rest of your system, and doesn't get fatal security flaws fixed for years, just like IE. It may still be a better product, but there's no mileage left in claims that it will always and necessarily be so.

    BTW, assuming there are no exploits out there for this vulnerability is staggeringly naive. Just because no widespread worm/virus-style exploits are known doesn't mean it hasn't been used by the geek who disliked the other guy down the hall or by the company employee wanting a quiet raise.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  53. Re:This is a Mozilla problem by hackstraw · · Score: 3, Insightful

    let's think about this another way... you have a plugin you've installed that has a security flaw in it. Is Mozilla (or IE or any other browser) responsible for the security flaw?

    Look though my comment history and see what I think of plugins. (hint, they suck)

    Yes, this is a mozilla problem. Here is the deal. When you develop an application where anyone in the world has input to that program you check the input for valid data and reject anything that is not valid. Period.

    A uri handler called shell:// is stupid. That's as if you're leaving an open rsh or ssh port with no password. Again, this is the first time I've heard of such a handler, and I don't know exactly what it does or is supposed to do but the fact that it's called shell tells me that it's not something that belongs on an internet application. Name me one more network application that would accept arbitrary commands without a password to be run on a computer. Just one.

  54. Re:This is a Mozilla problem by scenic · · Score: 3, Insightful
    right, but how does mozilla know that a particular URL is not valid? So, "shell:" seems obvious to you, but it wasn't registered by Mozilla. Windows has a handler called shell. Mozilla is simply doing what the OS provider says to do... hand off unknown protocols to the local system to see if you have helper applications (for example, telnet:// or ssh://).

    We agree about the stupidity of a shell:// handler... but Mozilla didn't provide it. I'm not sure what "valid data" they should be checking for here... the only thing I see at this point is that they need to start maintaining a black list of protocol schemes... Of course, if a particular bit of spyware/adware becomes popular, for example, they'll just be chasing down changing schemes.

    Sujal

    --

    politics, food, music, life: FatMixx
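
An added sketch, not part of any comment and not Mozilla's code, contrasting the whitelist-plus-warning idea from comment 46 with the blacklist idea from comment 54 when deciding whether a link's scheme may be handed to the OS. The function names, decision labels, the `https` entry and the sample links are assumptions made for illustration.

```javascript
// Added example. Policy tables follow the schemes named in the thread.
const INTERNAL = new Set(["http", "https", "ftp"]); // rendered by the browser itself
const ALLOW_EXTERNAL = new Set(["mailto", "rtsp"]); // handed to the OS without a prompt
const DENY_EXTERNAL = new Set(["shell"]);           // the only scheme a blacklist knows about

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), compared case-insensitively.
function schemeOf(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(String(url).trim());
  return m ? m[1].toLowerCase() : null;
}

// Whitelist policy: anything not explicitly known requires the user to confirm.
function allowlistDecision(url) {
  const s = schemeOf(url);
  if (s === null) return "reject";
  if (INTERNAL.has(s)) return "internal";
  return ALLOW_EXTERNAL.has(s) ? "handoff" : "prompt";
}

// Blacklist policy: anything not explicitly banned goes straight to the OS handler.
function denylistDecision(url) {
  const s = schemeOf(url);
  if (s === null) return "reject";
  if (INTERNAL.has(s)) return "internal";
  return DENY_EXTERNAL.has(s) ? "block" : "handoff";
}

// Constructed sample links; "imaworm" is the made-up handler name from comment 46.
const SAMPLES = [
  "http://example.test/",
  "mailto:user@example.test",
  "  SHELL:placeholder",
  "imaworm:placeholder",
  "no scheme here",
];

function compare(urls) {
  return urls.map((u) => ({
    url: u,
    allowlist: allowlistDecision(u),
    denylist: denylistDecision(u),
  }));
}

console.table(compare(SAMPLES));
```

The row that separates the two policies is the newly registered handler: the blacklist hands it off silently, while the whitelist stops and asks.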

  55. Re:Serendipity! Vindication in under one day! by Epi-man · · Score: 3, Insightful

    Either go all the way to changing the OS AND the browser, do the right thing, all the way,or don't bother, it's naive wishful thinking and at best a finger in the dike stopgap measure to try and make windows "secure" on the internet, and at best an incredible waste of time and resources in the OPEN source coding community.

    I totally disagree with you. As a user that is stuck on an XP platform because where I work I have no say (and I am far from alone here!), I am absolutely overjoyed that the coding community "wastes" its time and resources to allow me to use my home browser at work. Last time I checked, the community was not out to "make windows 'secure'," but was instead out to make good software for people to use freely. Granted, I am probably starting another flamewar here (which free, blablabla), but I think you need to leave it to the people doing the coding to decide how to spend their time and energy and not foist alternate agendas upon them.

  56. Re:Hypocritical? by timmyf2371 · · Score: 2, Insightful

    Presumably it also affects the Netscape browser assuming Netscape is based on Mozilla, and Mozilla is a version 7 browser, IIRC?

    --

    Backup not found: (A)bort (R)etry (P)anic