Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 Released

Thursday July 8th, 2004

The Mozilla Foundation has just released a trio of new Mozilla releases to fix the Windows

I am still getting 0.9.1 in my Firefox update window (I have 0.9.1). Shouldn't it be telling me to install 0.9.2 now?

When I installed the nightly release of 0.9.2 the installer said it was installing 0.9.1. But after installation the UA string reported 0.9.2. (OTOH the Release Notes option on the Help menu sent me to the original RN for 0.9.)

I downloaded the XPI patch for pre-0.9.2, and saw that it only sets the relevant about:config shell pref to false. Is that the only difference between 0.9.1 and 0.9.2? Or does 0.9.2 include other changes too?

No other changes - that's it. Just setting that pref to disable the shell protocol, and bumping the user agent to say 0.9.2 (if you want your Firefox to say 0.9.2, you can change that with a pref too...)

Just FYI, more than Windows XP is affected. I'm using Windows 2000 Professional Service Pack Four, and the exploit works just dandy on my Firefox as well. :(

I tested IE6SP1 and Moz 1.8a2 nightly on both Win2000SP4 and WinXPSP1 and just typing shell:windows\system32\calc.exe in the location bar would start Calculator under WinXP but do nothing under Win2000, regardless of browser, so I really think the flaw is WinXP specific. Going to just shell:windows or would open the Windows folder in a new Explorer window regardless of browser or OS, but that doesn't seem the same as being able to run arbitrary exe files like only happened with XP.

Is this a security design fault caused by a poor design of Mozilla or is this a design fault of Windows? In other words: who caused the security breach: Mozilla, Windows, or both? Why I ask this question is that news sites such as ZDNet are reporting this story as a security problem created by an insecure Mozilla browser. Really, should this issue actually be viewed as another story about how insecure Windows is?

The underlying problem is that Mozilla has a blacklist for bad protocols and there should really be a whitelist for accepted protocols instead. The problem introduced itself when a new shell feature was added to Windows XP. So, shell: did not cause any problems before (in Windows 2000 or previous) and nobody thought to check it until now. If there were a whitelist, then new protocols could not cause these problems as they wouldn't be allowed unless explicitly enabled.

The feature was added before XP, and this does affect Windows 2000 as well - it's Windows 95/98/ME where it isn't a problem. A whitelist would be better in security terms. However, that's not what Windows programs are "supposed" to do - the idea is that other programs can add protocols that they want to handle. If you make it a whitelist, then the user would have to explicitly reconfigure their browser in order for that to work. It's the usual choice between being more secure and making things easier for the user - people do want Mozilla to integrate into Windows. If you don't want Windows stuff, then it'd make sense to switch to a different OS, but people don't because it's more effort.

I think a whitelist, with a popup (asking the user if they wish to allow the blocked protocol) would easily be "simple" enough for most users. In any case, what headline would you rather have: "Critical security vulnerability discovered in Mozilla" or "Firefox annoys users with unnecessary popups"?

Can someone update the release names at the top of the homepage?

Does it patch my current profile only, or will it patch every profile? Nothing is mentioned in the article I read.

MozillaZine says: "Alternatively, you can set the pref network.protocol-handler.external.shell in about:config to false to remove the exploit. (This will only set it on your current profile, if you have more than one profile, or could be creating more, you should use the XPI or the updated build.)" So in other words, the XPI patch fixes ALL profiles; whereas adjusting the "pref" setting by hand only fixes the current profile.

It patches the current profile only.

I wonder when Netscape comes out with a fix.

When will Thunderbird allow you to import mail from Mozilla? Then we can all start using it.

Just create a new Thunderbird profile in the Profile Manager and point it at your older Mozilla profile directory as the profile folder. Works fine.

http://www.mozilla.org/releases/#1.7 has links to Mozilla 1.7, not 1.7.1.

Opera also came out with a security update this week: 7.52. There will be a lot of attention on security related issues for these 2 browsers - nobody was affected and the bugs are fixed. So I guess we should expect the moz team will look even harder to preemptively deal with security issues.

Even Opera 7.52 is not without its little problems, according to this Full-Disclosure mailing list post: http://lists.netsys.com/pipermail/full-disclosure/2004-July/023601.html

I have created a timeline outlining just how quickly the bug was fixed. It speaks worlds about Mozilla's handling of security: http://www.sacarny.com/blog/index.php?p=104 Now all we need is for the automatic update feature to take effect, and we are golden.
Adam

I click on the XPI patch and nothing happens. Any ideas?

I'm new to Firefox and certainly no expert at this stuff ... had the same problem until I found a clue via a Google search -- just now went to Tools | Options | Advanced, and then found the area for Software Update and clicked on the box in front of "Allow websites to install software." May I suggest that this information could be part of the patch instruction/information to assist folks like me who are not experts? Thanks.
B

Thanks! Yeah it wouldn't even work if I tried to install it from my hard drive, so "Allow websites to install software" is probably not the best description for that option. Perhaps "Never install software" better describes the option.

This would have been perfect for an "update alert" thingy.

What does this "unsigned" thing mean? I never saw a "signed" extension. Why is the security patch/extension "unsigned"? It would be better if the MF starts signing selected "approved/reviewed" patches/extensions, similar to the extensions of Macromedia Dreamweaver (at least the previous versions, since I haven't used the recent ones)? Any suggestions/comments?

http://www.mgillespie.plus.com/Mozilla/Firefox.htm
http://www.mgillespie.plus.com/Mozilla/Thunderbird.htm
Optimised for SSE2-enabled processors (P4, newer Celerons, AMD64), noticeably quicker than the standard builds. NOTE: These ONLY work on SSE2 processors.

People used to Microsoft dragging their feet when it comes to fixing bugs in IE (or anything else they put out) probably got blown away when the Mozilla Organization (yet again) managed to find out about a bug, create fixes for Mozilla, Firefox & Thunderbird and make bug-free editions of each available for download in 2 to 3 days. In case anybody up in Redmond is reading this, it's an example of what you're supposed to do when it comes to this type of stuff. Get out your notebooks, because you need to write this down. ;-)

WinLibre, the French free software distribution for Windows, has integrated the latest Firefox and Thunderbird releases. http://www.winlibre.com (French site)

I used IE: rating: 1 out of 10, Netscape: 5, Mozilla: 6, Firefox: 10, Thunderbird: 10.
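Added example (not Mozilla code, and not posted by anyone in the thread above): a small JavaScript model of the two policies the whitelist-versus-blacklist posts argue about. The only thing taken from the page is the pref name pattern network.protocol-handler.external.shell (the one pref the 0.9.2 XPI flips to false); the INTERNAL_SCHEMES set, the two policy functions, the "prompt" decision and the sample URLs are assumptions made for illustration. It shows why a blacklist dispatches a scheme nobody has configured yet (shell: on an unpatched profile, or any scheme an OS adds later), while an allowlist-with-prompt stops at "prompt" for the same input.

```javascript
// Illustrative model of external-protocol dispatch policy (hypothetical code,
// not Mozilla's implementation). Pref names mirror the
// network.protocol-handler.external.<scheme> pattern from MozillaZine.

// Schemes the browser renders itself; these never reach the OS. (Assumed set.)
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp", "file", "about", "javascript"]);

// Extract the scheme per RFC 3986 (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ))
// after trimming leading whitespace, as a location bar does. Lower-cased so
// "SHELL:" and "shell:" resolve to the same pref.
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function prefFor(scheme) {
  return "network.protocol-handler.external." + scheme;
}

// Blacklist: hand anything non-internal to the OS unless a pref says false.
// A scheme nobody has thought about yet (shell: before July 2004) is dispatched.
function denylistPolicy(url, prefs) {
  const scheme = schemeOf(url);
  if (scheme === null) return "invalid";
  if (INTERNAL_SCHEMES.has(scheme)) return "internal";
  return prefs[prefFor(scheme)] === false ? "block" : "dispatch";
}

// Whitelist with popup: dispatch only schemes explicitly set to true,
// block those set to false, and ask the user about anything unknown.
function allowlistPolicy(url, prefs) {
  const scheme = schemeOf(url);
  if (scheme === null) return "invalid";
  if (INTERNAL_SCHEMES.has(scheme)) return "internal";
  const setting = prefs[prefFor(scheme)];
  if (setting === true) return "dispatch";
  if (setting === false) return "block";
  return "prompt";
}

// Run both policies over a list of URLs; returns { url: [blacklist, whitelist] }.
function compare(urls, prefs) {
  const out = {};
  for (const u of urls) out[u] = [denylistPolicy(u, prefs), allowlistPolicy(u, prefs)];
  return out;
}

// Constructed sample inputs: the calc.exe URL from the thread plus edge cases.
const SAMPLE_URLS = [
  "shell:windows\\system32\\calc.exe",
  "  SHELL:windows\\system32\\calc.exe",      // leading space, upper-case scheme
  "mailto:user@example.invalid",
  "http://example.invalid/shell:not-a-scheme", // shell: inside the path, not the scheme
  "notyetinvented:anything",                  // a scheme added by a future OS
  "shell windows",                            // no colon: not a URL at all
];

// Unpatched 0.9.1-style profile: no shell pref at all (mailto assumed enabled).
const PREFS_UNPATCHED = { "network.protocol-handler.external.mailto": true };
// What the 0.9.2 XPI does: set the single shell pref to false.
const PREFS_PATCHED = { ...PREFS_UNPATCHED, "network.protocol-handler.external.shell": false };

if (typeof require !== "undefined" && require.main === module) {
  console.log("unpatched", compare(SAMPLE_URLS, PREFS_UNPATCHED));
  console.log("patched  ", compare(SAMPLE_URLS, PREFS_PATCHED));
}
```

Run it with node; the unpatched table shows the blacklist returning "dispatch" for calc.exe while the whitelist returns "prompt", and after the pref flip both block it. The "notyetinvented:" row is the point the whitelist posters are making: the blacklist still dispatches it after the patch, because a blacklist can only name what someone has already been bitten by.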