Firefox 0.9.2, Thunderbird 0.7.2, Mozilla 1.7.1 Coming Soon

Thursday July 8th, 2004

Branches have been created for three of's latest releases, in order to fix an external Windows protocol handler bug. The fix involves disabling the shell: protocol handler, which was found to enable pages to run executables on Windows via a link. Builds should officially be available shortly, and there will also be an XPI offered to disable the pref. Alternatively, you can set the pref in about:config to false to remove the exploit. (This will only set it on your current profile; if you have more than one profile, or could be creating more, you should use the XPI or the updated build.)

More information about the exploit can be found in this post on the FullDisclosure mailing list.

Update: The XPI to disable the pref is now available.

Another Update: has published a document on the issue.

Yet Another Update: There is an eWeek article about the exploit as well as a discussion at Slashdot. The now public bug report that covers the shell: vulnerability is bug 250180 (no unnecessary comments please). Some may find it notable that a patch was issued less than forty-eight hours after this bug was filed.

Yet Another Update: If you are not using Windows, you are not at risk from this bug. If you are using Windows, go to to see if you are vulnerable.
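The post describes the hole as a page being able to hand a shell: link to Windows through Mozilla's external protocol handler. One thing an administrator or mail filter can do while builds roll out is scan HTML content for links that use that scheme. The following scanner is an added example written for this page; it is not Mozilla's code, not the XPI, and not from the bug report. The sample HTML, the attribute list and the placeholder paths are all constructed here, and the normalization step (entity decoding, whitespace and control-character stripping, case folding) reflects how browsers loosely parse URLs rather than anything the post states.

```python
"""Scan HTML for links that use the shell: protocol (added example)."""
import html
import re

# Constructed sample, not taken from the page: one ordinary https link,
# one plain shell: link and two obfuscated ones (entity-encoded colon,
# mixed case, surrounding whitespace). The paths are placeholders.
SAMPLE_HTML = """
<a href="https://www.mozilla.org/">Mozilla</a>
<a href="shell:placeholder\\program.exe">click me</a>
<img src="  SHELL&#58;placeholder\\other.exe  " alt="">
<iframe src='shell:placeholder\\third.exe'></iframe>
"""

# Attributes a browser resolves as a URL and may pass to a protocol handler
# (assumed list for this example).
URL_ATTRIBUTES = ("href", "src", "action", "data")

# Matches attr="value", attr='value' or attr=value inside a tag.
ATTR_RE = re.compile(
    r"\b(" + "|".join(URL_ATTRIBUTES) + r")\s*=\s*"
    r"(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def normalize_url(raw: str) -> str:
    """Undo the obfuscations that still reach the protocol handler:
    HTML entities, embedded whitespace/control characters, and case."""
    decoded = html.unescape(raw)
    stripped = re.sub(r"[\x00-\x20]+", "", decoded)
    return stripped.lower()


def find_protocol_links(document: str, scheme: str = "shell") -> list[dict]:
    """Return every URL-bearing attribute whose value uses `scheme:`.

    Each hit records the attribute name, the raw attribute value as it
    appeared in the markup, and the normalized form that matched."""
    prefix = scheme.lower() + ":"
    hits = []
    for match in ATTR_RE.finditer(document):
        attribute = match.group(1).lower()
        # Exactly one of the three value groups is set per match.
        raw = next(g for g in match.groups()[1:] if g is not None)
        normalized = normalize_url(raw)
        if normalized.startswith(prefix):
            hits.append({"attribute": attribute, "raw": raw,
                         "normalized": normalized})
    return hits


if __name__ == "__main__":
    for hit in find_protocol_links(SAMPLE_HTML):
        print(f"{hit['attribute']}= {hit['raw']!r} -> {hit['normalized']}")
```

Run as a script it lists the three shell: links in the sample and ignores the https one. The scheme is a parameter so the same scanner can be pointed at any other external protocol handler you decide to audit; the raw value is kept alongside the normalized one so a reviewer can see which obfuscation, if any, was used.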

#12 Re: Auto-update

by Grauw

Thursday July 8th, 2004 4:02 PM


"...which was found to enable pages to run executables on Windows via a link."

It does NOT download executables. However, it apparently allows someone to run an arbitrary executable, which is by itself already dangerous enough.

As for the auto-update not kicking in yet - it's obvious that it's still much of a work in progress, but that's what Firefox/Thunderbird are called 'preview releases' for. For Mozilla though, that's not much of an excuse. Then again, there's so much software around that doesn't have auto-update features; that doesn't make it inherently bad. But not really 'good' either, 'cause with browsers security is of course an important issue. Fortunately Mozilla is still the minority browser, so I doubt someone will actually exploit this security leak.