Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 Released

Thursday July 8th, 2004

The Mozilla Foundation has just released a trio of new Mozilla releases to fix the Windows shell: security vulnerability reported earlier. Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 contain no new features other than a preference change that disables the shell: protocol handler. Users who have installed the ShellBlock 1.0 XPI patch in all their Mozilla applications do not need to upgrade. Visit the sample exploit page to see if you are at risk. More details and download links are available in the Mozilla Foundation's security bulletin about the shell: exploit.

#12 Re: Re: One question

by mlefevre

Friday July 9th, 2004 4:27 AM

The feature was added before XP, and this does affect Windows 2000 as well - it's Windows 95/98/ME where it isn't a problem.

A whitelist would be better in security terms. However, that's not what Windows programs are "supposed" to do - the idea is that other programs can add protocols that they want to handle. If you make it a whitelist, then the user would have to explicitly reconfigure their browser in order for that to work. It's the usual choice between being more secure and making things easier for the user - people do want Mozilla to integrate into Windows. If you don't want Windows stuff, then it'd make sense to switch to a different OS, but people don't because it's more effort.
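
The trade-off discussed in the comment above, as an added example that is not part of the original post and is not Mozilla's code: a denylist that blocks only `shell:` still hands every other OS-registered handler to web content, while an allowlist exposes only what the user has approved. All function names and scheme lists are constructed for illustration.

```javascript
// Added illustration; names and scheme lists are constructed, not Mozilla's.
// Schemes the browser handles itself and never passes to the OS.
const INTERNAL = new Set(["http", "https", "ftp", "file", "about"]);

// Extract the scheme per RFC 3986 (ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")),
// lowercased so "SHELL:" and "shell:" compare equal. Returns null if absent.
function schemeOf(url) {
  const m = /^\s*([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Denylist: any scheme reaches the OS handler unless it is known to be bad.
function denylistPolicy(blocked) {
  const set = new Set(blocked);
  return (scheme) => !set.has(scheme);
}

// Allowlist: no scheme reaches the OS handler unless the user approved it.
function allowlistPolicy(approved) {
  const set = new Set(approved);
  return (scheme) => set.has(scheme);
}

// Decide what happens to a link found in web content.
function dispatch(url, externalAllowed) {
  const scheme = schemeOf(url);
  if (scheme === null) return "reject";
  if (INTERNAL.has(scheme)) return "internal";
  return externalAllowed(scheme) ? "external" : "blocked";
}

// Which OS-registered handlers can web content reach under a given policy?
function reachable(registered, externalAllowed) {
  return registered.filter((s) => dispatch(s + ":x", externalAllowed) === "external");
}

// Constructed sample: handlers registered with the OS on a hypothetical machine.
const registered = ["mailto", "shell", "chatapp", "vendorapp"];
const deny = denylistPolicy(["shell"]);
const allow = allowlistPolicy(["mailto"]);

console.log("denylist exposes: ", reachable(registered, deny).join(", "));
console.log("allowlist exposes:", reachable(registered, allow).join(", "));
```

Under the denylist, a handler installed later by another program becomes reachable with no user action; under the allowlist it stays blocked until the approved list is changed, which is the extra configuration step the comment refers to.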