Slashdot Mirror


Mozilla Developers Respond to Malware

An anonymous reader writes "Last week's well-publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."

15 of 429 comments

  1. not so fast of a fix by true_majik · · Score: 3, Informative

    Wasn't this bug known for a while and was just recently issued a fix for it?

    1. Re:not so fast of a fix by it0 · · Score: 5, Informative

      Wasn't it also that it was a shell bug in win2k/xp that actually only was an OS bug, that MS didn't fix so they eventually did it?

    2. Re:not so fast of a fix by ZZeta · · Score: 3, Informative

      Not really.

      A report had been out for a while detailing some improvements that could have prevented that vulnerability. However, the bug itself wasn't exploited until one day before the patch was released.

    3. Re:not so fast of a fix by Diabolical · · Score: 4, Informative

      Why is this modded interesting?

      First of all, it wasn't a bug at all, it was a problem in Windows' URI handler. Mozilla merely redirected unknown URIs to this handler as it was expected. The "bug" the op mentions was a discussion about whether this feature was safe or not.

      When it turned out that it wasn't safe, the Mozilla team was very quick to solve it.

      Very simple solution by the way, just turn the redirect off... now the user has to explicitly consent with this action instead of automagical launching of apps.

      By the way, this feature was a MS one, not Mozilla's idea. Recent bugs in the MS product family are actually the same. Just an exploit of the URI handling of Windows.

    4. Re:not so fast of a fix by Anonymous Coward · · Score: 5, Informative

      Wrong, a generic bug about potentially hazardous protocol handlers was opened in 2002, and a framework for dealing with them was created.

      The specific shell: protocol was pointed out as maybe dangerous one day before it was fixed (with just a configuration change, because that framework was already there).

      Very quickly fixed.

    5. Re:not so fast of a fix by EulerX07 · · Score: 4, Informative

      Want to know what the best part is?

      The original poster was right, and your uninformed bash at his comment caused the truth to be modded down. Maybe he doesn't like Microsoft, but even paranoid people get it right sometimes.

      You may want to read this interesting article. In it, you'll find that this "shell bug" he's talking about is exactly what the Mozilla bug was, and that it also affects Word and MSN Messenger.

      Sorry to burst your bubble. And technically MS didn't fix it yet, they just disabled ADODB.Stream until they do.

    6. Re:not so fast of a fix by KevinKnSC · · Score: 3, Informative

      The 'bug report' opened at Mozilla in 2002 was essentially trying to deal with the way Mozilla handles unknown protocols. The normal way was just to pass them to the OS.

      Did you even read the bug report? The link is:

      http://bugzilla.mozilla.org/show_bug.cgi?id=1674 75 (you have to copy/paste and strip out the extra space, they disable links from /.)

      Look at comment #11, which links to a duplicate bug. It was known in October of 2002 that it was possible for certain HTML to launch code locally. Yes, this was a result of passing unknown protocols to the operating system, which then handled them in an irresponsible manner. That doesn't change the fact that the Mozilla team just kept on trusting the OS to do the right thing. If they had allowed HTML like <img src="del c:\*.*"> to get through to Windows, would you also write that off as a bug in the OS?

    7. Re:not so fast of a fix by _xeno_ · · Score: 4, Informative

      As many people have mentioned, this bug was found two years ago.

      Since Mozilla doesn't like people on Slashdot being able to trash-talk their browser by linking to bug reports, you'll have to copy the links to actually visit them, but:

      2002-08-20 - http://bugzilla.mozilla.org/show_bug.cgi?id=163767 - root of all these bugs, Mozilla passes unknown protocols to Windows
      2002-08-20 - http://bugzilla.mozilla.org/show_bug.cgi?id=163648 - same bug, specifically could launch IE and allow the execution of VBScript (possibly in the local security zone)
      2002-10-03 - http://bugzilla.mozilla.org/show_bug.cgi?id=172498 - same bug, hcp: protocol could delete any file on your computer (wildcards allowed)
      2002-10-07 - http://bugzilla.mozilla.org/show_bug.cgi?id=173010 - requested a whitelist to avoid future instances of the same bug

      This bug has been known about for two years. It still hasn't been fixed. When SP2 adds the "delete:" protocol or similar, then Mozilla is going to be vulnerable to that, too. And it looks like the developers have decided not to bother fixing it.

      This isn't a triumph of open source - it's an example of how open source falls prey to exactly the same problems closed source does. Except publicly, so you can point to these discussions to demonstrate that they knew about the issues for two years.

      --
      You are in a maze of twisty little relative jumps, all alike.
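
The difference between blocking schemes already known to be dangerous and the whitelist requested in bug 173010, as an added example that is not part of the original thread and is not Mozilla's code. The scheme lists, function names and sample links are constructed for illustration; `delete:` is the hypothetical future scheme from the comment above.

```javascript
// Added illustration: these scheme lists are assumptions, not Mozilla's real configuration.
const HANDLED_INTERNALLY = new Set(["http", "https", "ftp"]);
const DENYLIST = new Set(["shell", "hcp", "vbscript"]);   // schemes already known to be dangerous
const EXTERNAL_WITH_PROMPT = new Set(["mailto", "news"]); // may leave the browser after user consent

// Normalised scheme (lower-case, no colon), or null if the link does not parse.
function schemeOf(link) {
  try {
    return new URL(link).protocol.slice(0, -1);
  } catch {
    return null;
  }
}

// Denylist: anything not yet known to be bad is handed to the OS handler.
function denylistPolicy(link) {
  const scheme = schemeOf(link);
  if (scheme === null) return "block";
  if (HANDLED_INTERNALLY.has(scheme)) return "internal";
  return DENYLIST.has(scheme) ? "block" : "pass-to-os";
}

// Allowlist: only named schemes leave the browser, and only after a prompt.
function allowlistPolicy(link) {
  const scheme = schemeOf(link);
  if (scheme === null) return "block";
  if (HANDLED_INTERNALLY.has(scheme)) return "internal";
  return EXTERNAL_WITH_PROMPT.has(scheme) ? "ask-user" : "block";
}

// Constructed sample links; the parts after the scheme are inert placeholders.
const SAMPLE_LINKS = [
  "http://example.org/",
  "mailto:user@example.org",
  "SHELL:placeholder",   // mixed case must not slip past either list
  "delete:placeholder",  // scheme registered with the OS after the denylist was written
];

function compare(links) {
  return links.map((link) => ({
    link,
    denylist: denylistPolicy(link),
    allowlist: allowlistPolicy(link),
  }));
}

console.table(compare(SAMPLE_LINKS));
```

Only the last row differs in a way that matters: the denylist passes the newly registered scheme to the OS, while the allowlist blocks it without needing an update.
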
  2. IE by shackma2 · · Score: 5, Informative

    It wasn't just Mozilla Firefox and the like.

    Some Microsoft products were affected also.

  3. Misleading by sepluv · · Score: 4, Informative

    "reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware)"

    I would like to point out that this is slightly misleading (as it implies Mozilla had a security flaw before the fix), because, even before the whitelist fix was added, you had to do the following to get infected by any malware:
    1. Enable Javascript
    2. Enable install from XPI locally and globally
    3. Click on a Javascript link on a WWW page (which would be shown in status bar) (N.B. Mozilla does not execute XPI-related JS automatically--the user must have clicked the link)
    4. Wait a few seconds while watching a very large uncancellable dialog box saying "A website is requesting permission to install the following item", giving full details of the program it is installing (including its signatures in big red letters, its name and its URI), and saying in big bold letters, "Malicious software can damage your computer or violate your privacy. You can only install software from source you can trust."
    5. After waiting a few seconds, you then had to press a button labelled "install now".
    I'm guessing that even some ex-MSIE users might not go through all that on the request of a malicious WWW site they have found.

    I digress.

    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]
  4. more IE swiss cheese by Ari_Haviv · · Score: 3, Informative

    see http://secunia.com/advisories/12048/

    --
    Join Team Mozilla #38050 Folding@home
  5. Mozilla exploit? by panamahank · · Score: 3, Informative

    Whoa! If this was a Mozilla exploit, does that mean I have to patch my Linux version?

    --
    Serial Meta Moderator
  6. Re:Mozilla "innovation" reaches new low? by That's Unpossible! · · Score: 4, Informative

    "I would like to point out that this is slightly misleading (as it implies Mozilla had a security flaw before the fix), because, even before the whitelist fix was added, you had to do the following to get infected by any malware..."

    I don't think this is true. The specific exploit in XP allows shell: protocol links to run arbitrary code if crafted properly. Mozilla was passing these links right on to the OS.

    I think you are confusing this bug with the idea that people can install malware via XPI.

    --
    Ironically, the word ironically is often used incorrectly.
  7. Re:the interesting thing by Finuvir · · Score: 3, Informative

    Firefox will have auto-update (optional, on by default) in version 1.0.

    --
    Why is anything anything?