Slashdot Mirror


Mozilla/Firefox Bug Allows Arbitrary Program Execution

treefort writes "An article at eWeek has the lowdown. The article also has a link to the bug report which addressed this issue some time ago. Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities. Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000." New releases are already available on mozilla.org that fix this. Update: 07/09 00:41 GMT by CN: I removed the bum link to Bugzilla, since I guess they don't like us. Also I discovered that OSDN's own NewsForge has more on the situation.

10 of 940 comments

  1. Here we go again... by LostCluster · · Score: 5, Insightful

    I can't help but think that this thread from earlier today can be seen as good news from a security context...

    Just how does Mozilla/FireFox think it's going to keep malware from tricking the users into granting permission when the clueless masses come over from IE?

  2. Re:A clear advantage by Anonymous Coward · · Score: 5, Insightful

    Well, if you're going to brag about standards support, you need to support standards. Including the stupid ones.

  3. Re:bias by azadam · · Score: 5, Insightful

    "A serious security flaw has been found. But don't worry, it's no big deal!"

    It's just frustrating to hear people whine about security via lower market share, but then excuse serious flaws using that logic when it's convenient.

    I don't, however, refute the point. I'm just of the camp that would prefer stories to at least feign subjectivity, and leave the opinion for the comments.

  4. Update system by supercytro · · Score: 5, Insightful

    Whilst it's easy to take pot-shots at Microsoft when it comes to IE, their update system isn't too bad. Firefox needs an easy-to-use mechanism for automatically retrieving and installing critical updates, in a manner similar to MS windows update service.

    Even better, take a leaf out of Norton's liveupdate program.

  5. Re:A clear advantage by Wofser · · Score: 5, Insightful

    "#1 WHO finds the bug. Is it the developers and community that discovers it in good faith, or is it a hacker and the rest of us find out after a billion dollars has been lost worldwide to the latest worm, virus, etc." The problem is not who finds out about it. The problem is that a big portion of the users don't upgrade. I mean the latest 4-5 big worms did not use any unknown exploits. They used old and well documented exploits, exploits that you could find example-code for. Copy-paste-compile!!

  6. Blacklisting vs. Whitelisting by Temporal · · Score: 5, Insightful

    The developers considered changing from scheme blacklisting to whitelisting, in which case all schemes and protocols would be disallowed unless explicitly allowed.

    Duh.

    I have been saying this for some time now: Never use blacklists. Always use whitelists.

    If you forget to put an insecure operation on a security blacklist, you have a security hole. If you forget something on a whitelist, you just have an inconvenience.

    I am disappointed that the Mozilla developers did not have enough common sense to use whitelists in the first place. But then, it seems like most computer security schemes are blacklist-based, which explains why computers are so insecure.

  7. Re:A clear advantage by shellbeach · · Score: 5, Insightful

    Not really. The bug history began immediately afterward and for quite some time it was moved between FIX and WONTFIX but received a lot of attention.

    However much developer attention it received (and actually it wasn't much - see my comments below), it doesn't change the fact that this exploit was present for almost two years ... and a fix was only released when the bug received wider internet attention.

    The speed with which a fix was issued after the general public was made aware of the problem was good ... but the previous activity over the bug (imagine setting the status to WONTFIX for this!!??) smacks of Microsoft-style negligence/lack-of-concern.

    The specific comments you cite are indicative of this lack of concern: Comment #2 basically claims that it's not worth fixing security issues that are initiated without any form of user intervention whatsoever. And why? Because it's easy enough to get a luser to click on a malicious link, so why should we worry about sites that just bypass the malicious click?? I don't know about everyone else here, but that sort of logic concerns me!

    Just looking at the amount of interest in this bug after 2002 (only two brief comments in 2003 and another two in 2004; no patches submitted or even thought about) seems to suggest that if this had not been reported by the internet media this would never have been fixed. Or at least, not until exploits of it became commonplace.

    And with the recent internet-banking trojans using a similar exploit (i.e. download and run malicious code without any user prompting) in IE, the issue seems serious enough to me to have warranted a quicker fix.

  8. Re:A clear advantage by johkir · · Score: 5, Insightful

    Another big difference between the two is the fact that Mozilla even uses a publicly available bug list - Bugzilla. Theoretically, we all have a list of potential exploits at our finger tips. Could you imagine a list like that for IE? Maybe that's just what they need.

    --
    These are some of the things molecules do...... given 4 billion years -Carl Sagan

  9. This IS 100% Mozilla's fault by MobyDisk · · Score: 5, Insightful

    ...Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality...

    I am shocked that everyone here is sticking on Mozilla's side. I love Mozilla, and have used it since the beta versions. I install it on mom & pop computers all the time for security. But this is definitely Mozilla's fault. Mozilla should not pass unknown protocols to explorer. IMHO, that defeats the purpose of Mozilla. That would be like coding Mozilla to pass ActiveX controls to Internet Explorer since it doesn't support them.

    I treat Mozilla as a standalone app, and I consider that an advantage. I'm not vulnerable to scripting exploits, MS Office exploits, etc. But now I am told it passes some work to Explorer. I consider that a bug. I don't want it to pass everything except shell: to IE. I want it to pass nothing to IE.

  10. Re:It's not "in" the browser by Switchback · · Score: 5, Insightful

    This shell extension could do just as much harm when running under a root Linux account (and there are plenty of those out there!)

    Linux and Mac do not have such a thing to handle the "shell" protocol, thus it's not possible for them to have this flaw. Windows (in fact just 2000 and XP) are the only OSes that are vulnerable. Why? Because Microsoft wrote a dangerous handler that's not secure. If it was secure, no one would be talking about this right now. The fact that Microsoft themselves have fixed this bug in the next XP service pack doesn't tell you it's an MS bug?

    Umm, that other protocol most likely won't have the ability to natively execute arbitrary strings passed to it! Maybe you're not understanding the difference between a native operating system shell handler and a text or image protocol handler.

    I certainly understand it. It appears, however, that you do not. Mozilla is not arbitrarily launching a shell process merely because someone had a "shell:..." URI. It's asking the OS if it has an application that handles this protocol. Windows says yes and tells it how to launch the program. It passes the parameters to the application (just like any other helper app or plugin) and it's this application's responsibility to check parameters. How is this any different than, say, registering my XYZ program to handle the "xyz" protocol and the XYZ application has a flaw that is exploitable?

    Mozilla itself doesn't know one handler from another, and it shouldn't care. The system says "this application handles this protocol/content", so Mozilla hands it off.
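
Added example, not part of the thread and not Mozilla's code: a small model of the hand-off that comments 6 and 10 argue about, showing that a denylist passes a forgotten scheme to whatever OS handler is registered, while an allowlist blocks it by default. The handler registry, the policy entries and the sample links are all constructed for illustration.

```javascript
// Constructed model of the dispatch path discussed in the thread; not Mozilla code.
// OS_HANDLERS stands in for the operating system's protocol-handler registry.
const OS_HANDLERS = new Map([
  ["mailto", "mail-client"],
  ["news", "news-reader"],
  ["shell", "os-shell-handler"],   // the handler the story is about
  ["xyz", "third-party-xyz-app"],  // hypothetical handler from comment 10
]);

// Schemes the browser renders itself and never hands to the OS.
const INTERNAL = new Set(["http", "https", "ftp"]);

// Extract the scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
function schemeOf(uri) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(uri.trim());
  return m ? m[1].toLowerCase() : null;
}

// Denylist policy: hand off anything not explicitly forbidden.
function denylistPolicy(denied) {
  return (scheme) => !denied.has(scheme);
}

// Allowlist policy: hand off only what is explicitly permitted.
function allowlistPolicy(allowed) {
  return (scheme) => allowed.has(scheme);
}

// Decide what happens to a link: rendered internally, passed to an OS handler, or blocked.
function dispatch(uri, policy) {
  const scheme = schemeOf(uri);
  if (scheme === null) return { action: "block", reason: "no scheme" };
  if (INTERNAL.has(scheme)) return { action: "internal", scheme };
  if (!policy(scheme)) return { action: "block", reason: "policy", scheme };
  const handler = OS_HANDLERS.get(scheme);
  if (!handler) return { action: "block", reason: "no handler", scheme };
  return { action: "external", scheme, handler };
}

// Constructed sample links; the parts after the scheme are placeholders.
const links = ["mailto:user@example.com", "SHELL:placeholder", "xyz:placeholder", "https://example.com/"];
const deny = denylistPolicy(new Set(["vbscript", "javascript"])); // constructed list; "shell" was forgotten
const allow = allowlistPolicy(new Set(["mailto", "news"]));       // constructed list

for (const uri of links) {
  console.log(uri, "| denylist:", dispatch(uri, deny).action, "| allowlist:", dispatch(uri, allow).action);
}
```

Under the denylist, both `shell:` and the hypothetical `xyz:` reach their handlers, so the browser's exposure grows with every handler installed on the machine; under the allowlist the only cost is that an unlisted but harmless scheme stops working until someone adds it.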