Firefox 0.9.2, Thunderbird 0.7.2, Mozilla 1.7.1 Coming Soon
Thursday July 8th, 2004
Branches have been created for three of mozilla.org's latest releases, in order to fix an external Windows protocol handler bug. The fix involves disabling the
More information about the exploit can be found in this post on the FullDisclosure mailing list.
Update: The XPI to disable the pref is now available.
Another Update: mozilla.org has published a document on the issue.
Yet Another Update: There is an eWeek article about the exploit as well as a discussion at Slashdot. The now public bug report that covers the
Yet Another Update: If you are not using Windows, you are not at risk from this bug. If you are using Windows, go to www.mccanless.us/mozilla/mozilla_bugs.htm to see if you are vulnerable.
#6 Popup for auto install
Thursday July 8th, 2004 12:36 PM
Hmmm ... I'm not so pleased. I, too, had thought to use about:config to reset the value and was surprised not to see it. I grant that it's nice that the xpi patches it so easily, but how many mainstream users come to Mozillazine.org every day? There ought to be a pop-up alert: Critical security update required, Download now! I also am troubled that new preference items can so easily be created in about:config. What prevents malware from creating a new entry expressly designed to open the door to an exploit?