Timeline of Mozilla shell: Security Vulnerability
Friday July 9th, 2004
Adam Sacarny writes: "I have created a timeline of the latest security bug. It shows how quickly the Mozilla developers handled the problem, tracking from the first mention in Bugzilla to the last CVS commit to the webpage. Readers get a peak into how development works over at mozilla.org, in particular into how security issues get resolved."
We reported on the
Update: Adam, author of the timeline, has written a followup post with further commentary on the bug and its fix.
But the point is that it can be done remotely. You can put a link on a webpage titled 'Get free porn here!' or whatever, and when people click it, it loads Notepad on their computer.
If you don't think Notepad is all that scary then I suppose maybe you could imagine it loading:
rd /s /q "c:\documents and settings\my documents"
Now if you think a situation where somebody can click a harmless-looking link (or go to a page that has an iframe, not needing to click a link at all) and have it delete their entire documents folder without warning isn't a security hole, then, um...
I don't know whether this is doable remotely in IE, I can't be arsed to set up a test page, or whether that particular command would work in either case (rd specifically would not be available using the shell: protocol, since it's a shell builtin command not an actual program, but there are programs that do similarly nasty things) - but this is the *type* of thing that would've been possible with Mozilla before the hole was fixed.