MozillaZine

Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 Released

Thursday July 8th, 2004

The Mozilla Foundation has just released a trio of new Mozilla releases to fix the Windows shell: security vulnerability reported earlier. Mozilla 1.7.1, Mozilla Firefox 0.9.2 and Mozilla Thunderbird 0.7.2 contain no new features other than a preference change that disables the shell: protocol handler. Users who have installed the ShellBlock 1.0 XPI patch in all their Mozilla applications do not need to upgrade. Visit the sample exploit page to see if you are at risk. More details and download links are available in the Mozilla Foundation's security bulletin about the shell: exploit.


#7 Re: One question

by Racer

Thursday July 8th, 2004 9:21 PM


The underlying problem is that Mozilla has a blacklist for bad protocols and there should really be a whitelist for accepted protocols instead. The problem introduced itself when a new shell feature was added to Windows XP. So, shell: did not cause any problems before (in Windows 2000 or previous) and nobody thought to check it until now. If there were a whitelist, then new protocols could not cause these problems as they wouldn't be allowed unless explicitly enabled.
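
The blacklist-versus-whitelist trade-off described in the comment above, as an added example that is not part of the original thread and is not Mozilla's code. The function names, both scheme lists and the sample URLs are constructed for illustration.

```javascript
// Added illustration. Both lists are constructed samples, not Mozilla's real lists.
const DENIED_SCHEMES = new Set(["vbscript", "hcp"]);
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Return the lower-cased scheme of a URL, or null for a relative reference.
function schemeOf(url) {
  // Leading whitespace and control characters are ignored by URL parsers,
  // so strip them before matching or " SHELL:" slips past a naive compare.
  const trimmed = String(url).replace(/^[\u0000-\u0020]+/, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Blacklist policy: any scheme not known to be bad is handed to the OS handler.
function denylistAllows(url) {
  const s = schemeOf(url);
  return s !== null && !DENIED_SCHEMES.has(s);
}

// Whitelist policy: only explicitly enabled schemes are handed on.
function allowlistAllows(url) {
  const s = schemeOf(url);
  return s !== null && ALLOWED_SCHEMES.has(s);
}

// URLs on which the two policies disagree: the blacklist's blind spots.
function divergence(urls) {
  return urls.filter((u) => denylistAllows(u) !== allowlistAllows(u));
}

// Constructed sample input.
const SAMPLE_URLS = [
  "https://example.org/",
  "mailto:user@example.org",
  "vbscript:constructed",
  "shell:constructed-sample",
  "  SHELL:constructed-sample",
  "newproto-2005:constructed",
];

console.log(divergence(SAMPLE_URLS));
```

Every URL the two policies disagree on uses a scheme that neither list mentions, which is exactly the case of a protocol handler registered after the blacklist was written.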