Firefox Quickies
First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar2 extension.
Well... if you read the article you would find that this bug affects Internet Explorer users, not Firefox users. The exploit has Firefox as a dependency, but is actually called from IE.
Firefox hasn't released a fix for this, and there is no mention of it on their web site.
Now this blows:
http://secunia.com/advisories/25984/
> Solution:
> Do not browse untrusted sites.
> Disable the "Firefox URL" URI handler.
The first is impractical. The second begs the question, "Sure, How?" Read on:
> Extended Solution:
> The "Extended Solution" section is available for Secunia customers only.
> Request a trial and get access to the Secunia Customer Area and Extended Secunia advisories.
So these guys are publishing zero day security flaws, then making you reach for your credit card. Very grubby.
The CNET article doesn't tell you what the fix is either. Google has nothing. Anyone?
> I can't think of any legitimate reason for it
X E/Capabilities/URLAssociations
It's a protocol scheme Windows makes up based on the registry keys Firefox has to set to get things like http: associated with it.
To be more precise, what Firefox does is:
register HKLM/SOFTWARE/Classes/FirefoxURL with a shell/open/command
subkey and then set the values of ftp, gopher, http, and https to
FirefoxURL under HKLM/SOFTWARE/Clients/StartMenuInternet/FIREFOX.E
This causes Windows to send "firefoxurl:" URLs to Firefox.
Not much to remove here on Mozilla's end.
> I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer
Firefox set up the http: protocol and such to launch it. Windows synthesizes a new URI scheme based on the registry key name used for this and associates this made-up scheme with Firefox. Not much Firefox can do about this Windows "feature".
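A read-only way to see which handler command Windows will launch for a key such as FirefoxURL, added here as an example and not taken from the thread, the advisory or Mozilla. The function name `Get-UriHandler` and its output columns are assumptions of this example; the key names `FirefoxURL` and `shell\open\command` are the ones given in the comment above.

```powershell
# Added example: list classes under SOFTWARE\Classes that have a shell\open\command
# subkey, so an administrator can see what would be launched for a given scheme.
# Nothing is modified. Get-UriHandler is a hypothetical helper name.
function Get-UriHandler {
    param(
        [string[]]$Root = @('HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes'),
        [string]$Name = '*'          # wildcard match on the class key name
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like $Name } |
            ForEach-Object {
                $cmdKey = Join-Path $_.PSPath 'shell\open\command'
                # Skip classes that do not define an open command at all.
                if (-not (Test-Path -LiteralPath $cmdKey)) { return }
                # The unnamed (default) value of the command key is the command line.
                $command = (Get-Item -LiteralPath $cmdKey).GetValue('')
                [pscustomobject]@{
                    Hive        = $r
                    Class       = $_.PSChildName
                    # True when the class carries the 'URL Protocol' marker value.
                    UrlProtocol = ($_.GetValueNames() -contains 'URL Protocol')
                    # True when the command line takes the URL as %1.
                    PassesUrl   = ([string]$command -match '%1')
                    Command     = $command
                }
            }
    }
}

# Inspect the key named in the comment above.
Get-UriHandler -Name 'FirefoxURL' | Format-List

# Review every registered scheme handler that receives the URL on its command line.
Get-UriHandler | Where-Object { $_.UrlProtocol -and $_.PassesUrl } |
    Sort-Object Class | Format-Table Class, Hive, Command -AutoSize
```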
Actually reading the announcement, this seems very much like a Firefox bug, namely in the URL handler it installs. It's IE that's just doing what you tell it, to open a URL that happens to use an external URL handler.