Firefox 0.9.2, Thunderbird 0.7.2, Mozilla 1.7.1 Coming Soon
Thursday July 8th, 2004
Branches have been created for three of mozilla.org's latest releases, in order to fix an external Windows protocol handler bug. The fix involves disabling the
More information about the exploit can be found in this post on the FullDisclosure mailing list.
Update: The XPI to disable the pref is now available.
Another Update: mozilla.org has published a document on the issue.
Yet Another Update: There is an eWeek article about the exploit as well as a discussion at Slashdot. The now public bug report that covers the
Yet Another Update: If you are not using Windows, you are not at risk from this bug. If you are using Windows, go to www.mccanless.us/mozilla/mozilla_bugs.htm to see if you are vulnerable.
I discovered two bugs while trying to set the preference mentioned.
1) When I typed "shell" into the Filter textbox and discovered that the pref did not yet exist, I tried to right-click to get a context menu so I could add the new pref. No context menu appeared! I later figured out that you need to actually right-click on an existing pref to add a new (unrelated) pref. This is bug 238955 <<http://bugzilla.mozilla.org/show_bug.cgi?id=238955>>.
2) When I added the new pref, I was using the filter "network.p". After adding the pref, it did not appear in the filtered list as it should have. I had to re-filter the list to get the new pref to show up. Can someone find the bug number for this?