Firefox Quickies
First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar2 extension.
Demonstration
Cmd.exe
This should launch cmd.exe....
Notice that you must click that link from Internet Explorer; Firefox will warn you that an external application is being called.
above example taken from here
NewslilySocial News. No lolcats allowed.
Well... if you read the article you would find that this bug affects Internet Explorer users, not Firefox users. The exploit has Firefox as a dependency, but is actually called from IE.
NewslilySocial News. No lolcats allowed.
Firefox crashes for you? Read the MozillaZine Knowledge Base article about Firefox crashes and you can probably fix your problem.
What a fool believes, he sees, no wise man has the power to reason away.
Open Windows Explorer (not Internet Explorer) and from the Tools menu select the "Folder Options" menu. On the dialog that appears, select the "File Types" tab.
Now in the list of registered file types find the one that says:
"(NONE)" for extension and "Firefox URL" for file type
Select it and click on the Delete button to delete it.
Click on "OK" to close the "Folder Options" dialog.
As the island of our knowledge grows, so does the shore of our ignorance.
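To check the machine after the File Types steps in the comment above, this added PowerShell example (not part of the original comment, and not Mozilla's code) reports whether the `firefoxurl` scheme named in the summary is still registered and lists every other registered URL protocol handler for review. It assumes the standard Windows convention that a scheme is a key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value; the function name `Get-UrlProtocolHandler` is hypothetical.

```powershell
# Added example: audit URL protocol handlers registered on this Windows machine.
# A scheme "foo://" is registered when HKEY_CLASSES_ROOT\foo has a value named
# "URL Protocol"; the program it starts is the default value of
# shell\open\command under that key.
$scheme = 'firefoxurl'   # scheme named in the story summary

function Get-UrlProtocolHandler {
    param([string]$Name = '*')   # wildcard pattern for the scheme name

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PSChildName -like $Name -and
            ($_.GetValueNames() -contains 'URL Protocol')
        } |
        ForEach-Object {
            # Read the command line the shell runs for this scheme, if any.
            $sub = $_.OpenSubKey('shell\open\command')
            $command = $null
            if ($sub) {
                $command = $sub.GetValue('')
                $sub.Close()
            }
            [pscustomobject]@{
                Scheme  = $_.PSChildName
                Command = $command
            }
        }
}

# 1. Is the handler discussed in this thread still present?
$hit = Get-UrlProtocolHandler -Name $scheme
if ($hit) {
    Write-Output "Still registered: $($hit.Scheme) -> $($hit.Command)"
} else {
    Write-Output "No '$scheme' URL protocol handler is registered."
}

# 2. Every other scheme that can start a local program from a link.
Get-UrlProtocolHandler |
    Sort-Object Scheme |
    Format-Table -AutoSize -Wrap
```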
Except that's still retarded, since it's by definition a remotely executable code exploit. URLs don't have to be loaded by users, and in some cases, can even be loaded without any user interaction. (<meta http-equiv="Refresh"> comes to mind, although I haven't gotten the exploit to work on my system yet).
XUL applications have access to basically everything on the system. You know how you can launch files from Firefox's Downloads window? There's nothing that prevents a skeleton XUL application from downloading an EXE and then launching it with no user interaction. The dialog that Firefox displays when launching executables is handled by the download dialog; there's nothing that requires it be displayed. (I've written an extension that launched a Windows Control Panel applet before; trust me that there's nothing really preventing XUL applications from being nasty.)
So I'm still left wondering, what was this intended for, and who thought it was a good idea?
You are in a maze of twisty little relative jumps, all alike.