Firefox 0.9.2, Thunderbird 0.7.2, Mozilla 1.7.1 Coming Soon
Thursday July 8th, 2004
Branches have been created for three of mozilla.org's latest releases, in order to fix an external Windows protocol handler bug. The fix involves disabling the
More information about the exploit can be found in this post on the FullDisclosure mailing list.
Update: The XPI to disable the pref is now available.
Another Update: mozilla.org has published a document on the issue.
Yet Another Update: There is an eWeek article about the exploit as well as a discussion at Slashdot. The now public bug report that covers the
Yet Another Update: If you are not using Windows, you are not at risk from this bug. If you are using Windows, go to www.mccanless.us/mozilla/mozilla_bugs.htm to see if you are vulnerable.
#50 Found Easy Workaround at CERT.org
Saturday July 31st, 2004 8:25 PM
Apparently the following will work just as easily as downloading the .xpi file (found this info at CERT.org):
Workarounds

Disable the shell: protocol handler

Mozilla and Firefox users, particularly those who are unable to apply the patches supplied by the Mozilla Project, are encouraged to consider disabling the shell: protocol handler. This can be accomplished by adding the following line to the prefs.js file:

user_pref("network.protocol-handler.external.shell", false);
Will edit the prefs.js file as described.
BUT: Again, I ask:
Isn't there somewhere in WINDOWS itself where we can disable this shell: protocol handler? What does the average person use Shell: protocol for? If we do not use TelNet and similar programs, do we need shell?
Thanks in advance for any clarification anyone can provide.
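An added example, not part of the original comment or the CERT text: a Python check that reports whether prefs.js content already carries the workaround line quoted above and returns corrected content when it does not. The function names and the sample prefs.js content are assumptions made for illustration.

```python
import re

PREF = "network.protocol-handler.external.shell"
WANTED = 'user_pref("%s", false);' % PREF

# Matches a user_pref line for PREF and captures the value it assigns.
_LINE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(.*?)\s*\)\s*;\s*$',
    re.MULTILINE,
)

# Constructed sample of a prefs.js file with the handler still enabled.
SAMPLE = (
    "# Mozilla User Preferences\n"
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("network.protocol-handler.external.shell", true);\n'
)


def shell_handler_state(prefs_text):
    """Return 'disabled', 'enabled' or 'unset' for the shell: handler pref."""
    values = _LINE.findall(prefs_text)
    if not values:
        return "unset"
    # Lines are applied in order, so the last assignment is the effective one.
    return "disabled" if values[-1] == "false" else "enabled"


def disable_shell_handler(prefs_text):
    """Return prefs.js text with the pref set to false; idempotent."""
    if shell_handler_state(prefs_text) == "disabled":
        return prefs_text
    # Drop any existing assignment, then append the workaround line.
    kept = [ln for ln in prefs_text.splitlines() if not _LINE.match(ln)]
    kept.append(WANTED)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("before:", shell_handler_state(SAMPLE))
    print("after: ", shell_handler_state(disable_shell_handler(SAMPLE)))
```

Apply the returned text to the real prefs.js only while the browser is closed, since the application rewrites that file when it exits.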