Timeline of Mozilla shell: Security Vulnerability
Friday July 9th, 2004
Adam Sacarny writes: "I have created a timeline of the latest security bug. It shows how quickly the Mozilla developers handled the problem, tracking from the first mention in Bugzilla to the last CVS commit to the webpage. Readers get a peek into how development works over at mozilla.org, in particular into how security issues get resolved."
We reported on the
Update: Adam, author of the timeline, has written a followup post with further commentary on the bug and its fix.
#13 Re: Why does this kind of functionality exist ....
Saturday July 10th, 2004 8:06 AM
Well, what it looks like to me is that Mozilla linked to an API / Windows feature that can grow infinitely in functionality. When this was first implemented either shell: wasn't around or not on enough computers for people to notice. Finally somebody pointed out how this could be exploited. Unfortunately the "correct" fix to this matter is a matter of philosophy. Blacklisting "shell:" doesn't prevent some other faulty or dangerous external protocol handler from popping up in the future, yet some protocol handlers can be useful.
Personally I think there should be a blacklist of known bad ones in addition to a warning message for any new or unknown ones, something to the effect of "/!\ You are about to launch an external protocol handler for the protocol whateverprotocol:, this may be dangerous. Are you sure you want to launch the external handler? [ ] don't show this message for this protocol next time. | Yes | | [NO] |"
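
The policy proposed in comment #13 (a blocklist of known-bad schemes plus a default-No prompt for unknown ones, with a per-protocol "don't show again"), sketched as an added example that is not part of the comment and is not Mozilla's code. All names are hypothetical; the scheme normalization, the fail-closed handling of unparseable input, and the rule that a remembered choice never overrides the blocklist are assumptions added here.

```javascript
// Only "shell" is listed because it is the only scheme named on this page.
const BLOCKED_SCHEMES = new Set(["shell"]);

// Extract the scheme (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":").
// Schemes are case-insensitive, so normalize to lowercase before any comparison;
// otherwise "SHELL:" would slip past a check written for "shell:".
function schemeOf(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(String(url).trim());
  return m ? m[1].toLowerCase() : null;
}

class ExternalProtocolPolicy {
  constructor(blocked = BLOCKED_SCHEMES) {
    this.blocked = blocked;
    this.remembered = new Set(); // schemes approved with "don't show again"
  }

  // Returns "block", "launch" or "prompt" for a URL handed to an external handler.
  decide(url) {
    const scheme = schemeOf(url);
    if (scheme === null) return "block";           // no valid scheme: fail closed
    if (this.blocked.has(scheme)) return "block";   // blocklist is checked first
    if (this.remembered.has(scheme)) return "launch";
    return "prompt";                                // unknown scheme: ask, default No
  }

  // Record the user's answer to the prompt; returns whether the launch may proceed.
  // Only an explicit Yes together with "remember" is stored, and never for a
  // blocked scheme, so a stale approval cannot re-enable a later-blocked handler.
  recordAnswer(url, { yes, remember }) {
    const scheme = schemeOf(url);
    if (scheme === null || this.blocked.has(scheme)) return false;
    if (yes && remember) this.remembered.add(scheme);
    return Boolean(yes);
  }
}
```
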