Firefox 0.9.2, Thunderbird 0.7.2, Mozilla 1.7.1 Coming Soon
Thursday July 8th, 2004
Branches have been created for three of mozilla.org's latest releases, in order to fix an external Windows protocol handler bug. The fix involves disabling the
More information about the exploit can be found in this post on the FullDisclosure mailing list.
Update: The XPI to disable the pref is now available.
Another Update: mozilla.org has published a document on the issue.
Yet Another Update: There is an eWeek article about the exploit as well as a discussion at Slashdot. The now public bug report that covers the
Yet Another Update: If you are not using Windows, you are not at risk from this bug. If you are using Windows, go to www.mccanless.us/mozilla/mozilla_bugs.htm to see if you are vulnerable.
#46 When were you planning on telling me?
Saturday July 10th, 2004 10:52 AM
I downloaded 0.9.1 a few days ago, since I have heard about the flurry of security issues with IE. I just got around to installing it yesterday. I liked it. Lots of nifty stuff. I saw the extensions, and thought I'd browse around to see what all was there. Buried at the bottom was a security update(!). This is scarier than Windows. At least Windows tells me that a patch is available; I don't have to dig around. As the proverbial Joe Blow user, I think you need to consider some kind of automatic notification of security patches as a very high priority...if you guys can patch this in 24 hours, how long would it take to make something that checks a secured page at intervals to see if there are any critical issues or updates? Automatic updates might be harder to do, but something like this might do, in the meantime. I could find a patch, if I knew I should be looking for one.