MozillaZine

Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 Released

Thursday July 8th, 2004

The Mozilla Foundation has just released a trio of new Mozilla releases to fix the Windows shell: security vulnerability reported earlier. Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 contain no new features other than a preference change that disables the shell: protocol handler (network.protocol-handler.external.shell is set to false). Users who have installed the ShellBlock 1.0 XPI patch in all their Mozilla applications do not need to upgrade. Visit the sample exploit page to see if you are at risk. More details and download links are available in the Mozilla Foundation's security bulletin about the shell: exploit.

#1 Reply

by Racer

Thursday July 8th, 2004 6:44 PM

I am still getting 0.9.1 in my Firefox update window (I have 0.9.1). Shouldn't it be telling me to install 0.9.2 now?

#2 Installer had wrong version

by neilparks1

Thursday July 8th, 2004 6:56 PM

When I installed the nightly release of 0.9.2 the installer said it was installing 0.9.1. But after installation the UA string reported 0.9.2.

(OTOH the Release Notes option on the Help menu sent me to the original RN for 0.9.)

#3 What's the exact changelog?

by avih

Thursday July 8th, 2004 7:25 PM

I downloaded the XPI patch for pre-0.9.2, and saw that it only sets the relevant about:config shell pref to false. Is that the only difference between 0.9.1 and 0.9.2? Or does 0.9.2 include other changes too?

#4 Re: What's the exact changelog?

by mlefevre

Thursday July 8th, 2004 7:30 PM

No other changes - that's it. Just setting that pref to disable the shell protocol, and bumping the user agent to say 0.9.2 (if you want your Firefox to say 0.9.2, you can change that with a pref too...)

#5 More than Windows XP

by Jack

Thursday July 8th, 2004 7:36 PM

Just FYI, more than Windows XP is affected. I'm using Windows 2000 Professional Service Pack Four, and the exploit works just dandy on my Firefox as well. :(

#25 Win2000

by Ark42

Friday July 9th, 2004 11:00 AM

I tested IE6SP1 and Moz 1.8a2 nightly on both Win2000SP4 and WinXPSP1 and just typing shell:windows\system32\calc.exe in the location bar would start Calculator under WinXP but do nothing under Win2000, regardless of browser, so I really think the flaw is WinXP specific. Going to just shell:windows would open the Windows folder in a new Explorer window regardless of browser or OS, but that doesn't seem the same as being able to run arbitrary exe files like only happened with XP.

#6 One question

by pkb351

Thursday July 8th, 2004 8:07 PM

Is this a security design fault caused by a poor design of Mozilla or is this a design fault of Windows? In other words: who caused the security breach: Mozilla, Windows, or both?

Why I ask this question is that news sites such as ZDNet are reporting this story as a security problem created by an insecure Mozilla browser. Really, should this issue actually be viewed as another story about how insecure Windows is?

#7 Re: One question

by Racer

Thursday July 8th, 2004 9:21 PM

The underlying problem is that Mozilla has a blacklist for bad protocols and there should really be a whitelist for accepted protocols instead. The problem introduced itself when a new shell feature was added to Windows XP. So, shell: did not cause any problems before (in Windows 2000 or previous) and nobody thought to check it until now. If there were a whitelist, then new protocols could not cause these problems as they wouldn't be allowed unless explicitly enabled.

#12 Re: Re: One question

by mlefevre

Friday July 9th, 2004 4:27 AM

The feature was added before XP, and this does affect Windows 2000 as well - it's Windows 95/98/ME where it isn't a problem.

A whitelist would be better in security terms. However, that's not what Windows programs are "supposed" to do - the idea is that other programs can add protocols that they want to handle. If you make it a whitelist, then the user would have to explicitly reconfigure their browser in order for that to work. It's the usual choice between being more secure and making things easier for the user - people do want Mozilla to integrate into Windows. If you don't want Windows stuff, then it'd make sense to switch to a different OS, but people don't because it's more effort.

#16 Reply

by Racer

Friday July 9th, 2004 6:46 AM

I think a whitelist, with a popup (asking the user if they wish to allow the blocked protocol) would easily be "simple" enough for most users. In any case, what headline would you rather have: "Critical security vulnerability discovered in Mozilla" or "Firefox annoys users with unnecessary popups"?
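The blacklist-versus-whitelist argument in #7 and #16 above, as an added JavaScript example that is not code from the MozillaZine article, its commenters or Mozilla itself. The per-scheme pref name follows the one quoted later in this thread (network.protocol-handler.external.shell); the pref store contents, the allowed-scheme set and the decision strings are assumptions for illustration.

```javascript
'use strict';

// Extract the URL scheme the way a location bar would. A scheme must start with a
// letter and be at least two characters long, so a Windows drive path such as
// "C:\Windows" is not mistaken for a scheme. Returns null when there is no scheme.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]+):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Denylist policy, modelled on the 2004 behaviour discussed in the thread: any
// scheme is handed to the OS unless the per-scheme pref
// network.protocol-handler.external.<scheme> is explicitly false.
function denylistDecision(url, prefs) {
  const scheme = schemeOf(url);
  if (scheme === null) return 'reject';
  if (prefs[`network.protocol-handler.external.${scheme}`] === false) return 'block';
  return 'launch';
}

// Allowlist policy, as argued for in #7 and #16: only schemes the browser has been
// told about are launched; anything else is blocked or, with prompt=true, the user
// is asked first.
function allowlistDecision(url, allowedSchemes, prompt = false) {
  const scheme = schemeOf(url);
  if (scheme === null) return 'reject';
  if (allowedSchemes.has(scheme)) return 'launch';
  return prompt ? 'prompt' : 'block';
}

// Constructed pref stores (assumed contents): nothing set for shell: before the
// patch, the ShellBlock / 0.9.2 setting afterwards. Only the shell key is from the thread.
const prefsBeforePatch = {};
const prefsAfterPatch = { 'network.protocol-handler.external.shell': false };

// Assumed allowlist of schemes a user might have chosen to hand to external programs.
const allowedSchemes = new Set(['mailto', 'news', 'irc']);

// Run both policies against the calc.exe URL from comment #25 and a harmless mailto:.
function demo() {
  const shellUrl = 'shell:windows\\system32\\calc.exe';
  return {
    denylistBefore: denylistDecision(shellUrl, prefsBeforePatch),            // 'launch'
    denylistAfter: denylistDecision(shellUrl, prefsAfterPatch),              // 'block'
    denylistUpperCase: denylistDecision('SHELL:windows', prefsAfterPatch),   // 'block'
    allowlist: allowlistDecision(shellUrl, allowedSchemes),                  // 'block'
    allowlistPrompt: allowlistDecision(shellUrl, allowedSchemes, true),      // 'prompt'
    mailto: allowlistDecision('mailto:user@example.com', allowedSchemes),    // 'launch'
  };
}

console.log(demo());
```

The point the two policies illustrate: under the denylist a scheme nobody has heard of yet (shell: before July 2004) is launched by default, and the fix is only as complete as the list of names someone remembered to add; under the allowlist the same URL is blocked until a user or administrator opts in. Whichever policy is used, the lookup has to be keyed on the case-folded scheme, otherwise SHELL: slips past an entry written as shell:.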

#8 Can someone update the release names

by darkdazzle

Thursday July 8th, 2004 9:46 PM

Can someone update the release names at the top of the homepage

#9 The patch extension....

by lkisser

Thursday July 8th, 2004 10:07 PM

Does it patch my current profile only, or will it patch every profile? Nothing is mentioned in the article I read.

#19 Re: The patch extension....

by roseman

Friday July 9th, 2004 8:46 AM

mozillazine says: "Alternatively, you can set the pref network.protocol-handler.external.shell in about:config to false to remove the exploit. (This will only set it on your current profile, if you have more than one profile, or could be creating more, you should use the XPI or the updated build.)" so in other words, the XPI patch fixes ALL profiles; whereas adjusting the "pref" setting by hand only fixes the current profile.

#10 Re: The patch extension....

by sanderg

Thursday July 8th, 2004 11:20 PM

It patches the current profile only.

I wonder when Netscape comes out with a fix.

#11 Importing mail

by Galik

Friday July 9th, 2004 1:42 AM

When will Thunderbird allow you to import mail from Mozilla? Then we can all start using it.

#17 Importing mail

by sinchi

Friday July 9th, 2004 7:03 AM

Just create a new Thunderbird profile in the profile manager and point it at your older Mozilla profile directory as the profile folder. Works fine.

#13 The "Releases" page on www.mozilla.org still needs

by prandal

Friday July 9th, 2004 5:52 AM

http://www.mozilla.org/releases/#1.7 has links to Mozilla 1.7, not 1.7.1.

#14 re:

by arielb

Friday July 9th, 2004 6:18 AM

Opera also came out with a security update this week: 7.52. There will be a lot of attention on security related issues for these 2 browsers - nobody was affected and the bugs are fixed. So I guess we should expect the Moz team will look even harder to preemptively deal with security issues.

#15 Opera 7.52 Address Bar Spoofing Issue

by prandal

Friday July 9th, 2004 6:27 AM

Even Opera 7.52 is not without its little problems, according to this Full-Disclosure mailing list post: http://lists.netsys.com/pipermail/full-disclosure/2004-July/023601.html

#20 Timeline of Bug Fix

by Asacarny

Friday July 9th, 2004 8:47 AM

I have created a timeline outlining just how quickly the bug was fixed. It speaks worlds about Mozilla's handling of security:

http://www.sacarny.com/blog/index.php?p=104

Now all we need is for the automatic update feature to take effect, and we are golden.

Adam

#21 Borken Patch

by afx114

Friday July 9th, 2004 9:32 AM

I click on the XPI patch and nothing happens. Any ideas?

#22 Re: Borken Patch

by wmhb1

Friday July 9th, 2004 9:43 AM

I'm new to Firefox and certainly no expert at this stuff ... had the same problem until I found a clue via a Google search -- just now went to Tools | Options | Advanced, and then found the area for Software Update and clicked on the box in front of "Allow websites to install software." May I suggest that this information could be part of the patch instruction/information to assist folks like me who are not experts? Thanks. B

#23 Re: Borken Patch

by afx114

Friday July 9th, 2004 9:52 AM

Thanks! Yeah it wouldn't even work if I tried to install it from my harddrive, so "Allow websites to install software" is probably not the best description for that option. Perhaps "Never install software" better describes the option.

#24 Re: Re: Borken Patch

by wmhb1

Friday July 9th, 2004 10:06 AM

Right. I couldn't install from the hard drive either. Glad it worked. B.

#26 Security updates

by PC1

Friday July 9th, 2004 1:36 PM

This would have been perfect for an "update alert" thingy.

What does this "unsigned" thing mean? I never saw a "signed" extension. Why is the security patch/extension "unsigned"? It would be better if the MF starts signing selected "approved/reviewed" patches/extensions similar to the extensions of Macromedia Dreamweaver (at least the previous versions since I haven't used the recent ones)?

Any suggestions/comments?

#27 Pentium 4 Optimised Builds Available...

by mgillespie

Friday July 9th, 2004 1:43 PM

http://www.mgillespie.plus.com/Mozilla/Firefox.htm http://www.mgillespie.plus.com/Mozilla/Thunderbird.htm

Optimised for SSE2 enabled processors (P4, newer Celerons, AMD64), noticeably quicker than the standard builds.

NOTE: These ONLY work on SSE2 processors.

#28 Note to Microsoft: THIS is the way to fix a bug!!

by DP3_001

Friday July 9th, 2004 6:54 PM

People used to Microsoft dragging their feet when it comes to fixing bugs in IE (or anything else they put out) probably got blown away when the Mozilla Organization (yet again) managed to find out about a bug, create fixes for Mozilla, Firefox & Thunderbird and make bug-free editions of each available for download in 2 to 3 days. In case anybody up in Redmond is reading this, it's an example of what you're supposed to do when it comes to this type of stuff. Get out your notebooks, because you need to write this down. ;-)

#29 WinLibre 0.2.1 : Security fix

by pjco

Thursday July 15th, 2004 2:00 AM

WinLibre, the French free software distribution for Windows, has integrated the latest Firefox and Thunderbird releases.

http://www.winlibre.com (French site)

#30 Ratings

by morpheus222

Monday July 19th, 2004 11:52 AM

I used IE: rating: 1 out of 10, Netscape: 5, Mozilla: 6, Firefox: 10, Thunderbird: 10.