Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 Released

Thursday July 8th, 2004

The Mozilla Foundation has just released a trio of new Mozilla releases to fix the Windows shell: security vulnerability reported earlier. Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 contain no new features other than a preference change that disables the shell: protocol handler. Users who have installed the ShellBlock 1.0 XPI patch in all their Mozilla applications do not need to upgrade. Visit the sample exploit page to see if you are at risk. More details and download links are available in the Mozilla Foundation's security bulletin about the shell: exploit.

#25 Win2000

by Ark42

Friday July 9th, 2004 11:00 AM

I tested IE6SP1 and Moz 1.8a2 nightly on both Win2000SP4 and WinXPSP1 and just typing shell:windows\system32\calc.exe in the location bar would start calculator under WinXP but do nothing under Win2000, regardless of browser, so I really think the flaw is WinXP specific. Going to just shell:windows or would open the windows folder in a new explorer window regardless of browser or OS, but that doesn't seem the same as being able to run arbitrary exe files like only happened with XP.