
Firefox Browser Usage and Support Forum

Update for Windows Mozilla/Firefox
Firefox 0.9.2 and Mozilla 1.7.1 and the shell: protocol
encyclo




msg:1589198
 11:36 pm on Jul 8, 2004 (gmt 0)

A little oops from the Mozilla team which shows that even the best browsers can have bugs! The bug fix is needed because links in web pages can execute arbitrary commands on computers running Windows 2000 or XP. Here are the full details:

[mozilla.org...]

You can download the patched versions from [mozilla.org...]

<added>Just noticed, the problem also affects Thunderbird, which has a new version 0.7.2.</added>

 

encyclo




msg:1589199
 12:31 am on Jul 9, 2004 (gmt 0)

Just found an even better way to update - rather than downloading a hefty 17Mb install file, just get the ShellBlock patch (extension) from here:

[update.mozilla.org...]

It weighs in at only a few bytes, which is a hell of a lot easier if you're on dialup!

CritterNYC




msg:1589200
 4:44 am on Jul 9, 2004 (gmt 0)

Heh... we knew it would happen sooner or later... but DAMN that was a quick patch. IE is at, what, 4+ weeks on their latest?

CritterNYC




msg:1589201
 4:55 am on Jul 9, 2004 (gmt 0)

One additional note... this ONLY affects Windows XP (and Windows 2000 with a different syntax) and is due to the way Mozilla handles unknown schemes... it passes them on to the operating system. (which isn't really the best idea with Windows) Needless to say, this is also fixed by Windows XP SP2.
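
The behaviour described in the post above (unknown schemes handed on to the operating system) next to a deny-by-default alternative, as an added example that is not part of the original thread and is not Mozilla's code. The scheme lists, function names and sample links are assumptions made for the illustration.

```javascript
// Added example. Scheme lists are assumptions for illustration,
// not the lists Mozilla or Firefox actually shipped.
const HANDLED_IN_BROWSER = new Set(["http", "https", "ftp", "about"]);
const EXTERNAL_ALLOWLIST = new Set(["mailto", "news"]);

// Normalise the way browsers do before reading the scheme: trim
// surrounding whitespace, drop embedded tab/CR/LF, lowercase it.
function schemeOf(rawHref) {
  const cleaned = String(rawHref).trim().replace(/[\t\r\n]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null: relative link, no scheme
}

// Behaviour described in the thread: unknown schemes go to the OS.
function passThroughPolicy(rawHref) {
  const scheme = schemeOf(rawHref);
  if (scheme === null || HANDLED_IN_BROWSER.has(scheme)) return "browser";
  return "os-handler";
}

// Deny by default: only named schemes ever reach the OS.
function allowlistPolicy(rawHref) {
  const scheme = schemeOf(rawHref);
  if (scheme === null || HANDLED_IN_BROWSER.has(scheme)) return "browser";
  return EXTERNAL_ALLOWLIST.has(scheme) ? "os-handler" : "blocked";
}

// Report links whose fate differs between the two policies.
function auditLinks(hrefs) {
  return hrefs
    .map((href) => ({
      href,
      scheme: schemeOf(href),
      before: passThroughPolicy(href),
      after: allowlistPolicy(href),
    }))
    .filter((r) => r.before !== r.after);
}

// Constructed sample links (placeholders, not real targets).
const SAMPLE_LINKS = [
  "https://example.com/page", "mailto:someone@example.com",
  "/relative/path", "shell:placeholder",
  " SHe\tLL:placeholder", "unknownscheme:placeholder",
];

console.log(auditLinks(SAMPLE_LINKS));
```

The mixed-case, tab-split entry is there because a check that compares the raw string against "shell:" would miss it; the scheme has to be normalised before the policy decision.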

Teknorat




msg:1589202
 5:37 am on Jul 9, 2004 (gmt 0)

That was very stress free :) Incidentally it's a Microsoft Flaw™ not a Mozilla flaw.

kaled




msg:1589203
 10:04 am on Jul 9, 2004 (gmt 0)

Just downloaded the patch. Now what - I'm running Win 2000 at the moment and it doesn't know what to do with .xpi files.

I'd say that was a bit of a cockup!

Kaled.

creative craig




msg:1589204
 9:16 am on Jul 9, 2004 (gmt 0)

[software.silicon.com...]

Developers at the open-source Mozilla Foundation have confirmed that the latest version of their web browsers have a security flaw that could theoretically allow attackers to crash computers or launch unauthorised programs.

Developers said the flaw affected only Windows users, not computers running either the Macintosh or Linux operating systems.

Typical ;)

Hester




msg:1589205
 11:03 am on Jul 9, 2004 (gmt 0)

Just downloaded the patch. Now what - I'm running Win 2000 at the moment and it doesn't know what to do with .xpi files.

I'd say that was a bit of a cockup!

Kaled.

You need to install it directly from Mozilla or Firefox.

Receptional Andy




msg:1589206
 11:19 am on Jul 9, 2004 (gmt 0)

>>You need to install it directly from Mozilla or Firefox.

You can just drag and drop the downloaded file into a Mozilla window too.

kaled




msg:1589207
 12:09 pm on Jul 9, 2004 (gmt 0)

Yep, I guess the cockup was mine (should learn to read I guess). Dragged the file as suggested and it worked fine.

Thanks,

Kaled.

webdevsf




msg:1589208
 12:23 pm on Jul 9, 2004 (gmt 0)

At least my windows update will tell me about these patches. For Moz I have to read about them on ww.

It's not even publicized on the firefox home page.

And if someone didn't tell me, I'd have to download the 4.7mb file for this.

This is a Mozilla flaw, not a windows flaw.

I think that IE has problems (using firefox now) but the moz team could take a lesson from the IE team in the MEA CULPA category.

I'll let the stream of apologists continue now.

Leosghost




msg:1589209
 12:39 pm on Jul 9, 2004 (gmt 0)

When you have to pay them to use firefox I think is the time you can suggest that they need lessons in anything ..

BTW ..for an only XP "hole" the test page showed multiple links available prior to my installing the patch .I'm on 98II ..don't ever want XP ..

all flavours of 'doze have serious shell problems so maybe it's better to be safe than sorry ...

The installed patch ( if it's redundant on this OS ) hasn't harmed it none either ...

py9jmas




msg:1589210
 1:37 pm on Jul 9, 2004 (gmt 0)

This is a Mozilla flaw, not a windows flaw.

From [secunia.com...]
The shell: URI handler is inherently insecure and should only be accessed from a few trusted sites - or not from a browser at all. Multiple exploits in Internet Explorer also utilise "shell:" functionality.

The security flaw is MS Windows' protocol handling. The patch from Mozilla is a workaround for a MS Windows flaw.

webdevsf




msg:1589211
 1:41 pm on Jul 9, 2004 (gmt 0)

When you have to pay them to use firefox I think is the time you can suggest that they need lessons in anything ..

No suggestions for open source developers then, since they already know best I guess.

I wonder if we'll see a steady stream of security holes in Moz that will always be "the OS's fault".

webdevsf




msg:1589212
 1:51 pm on Jul 9, 2004 (gmt 0)

The security flaw is MS Windows' protocol handling. The patch from Mozilla is a workaround for a MS Windows flaw.

Every OS and programming language has bugs, flaws, etc. Sometimes features that are useful in one sense need to be disabled for a particular application.

But when I deliver a product, that has a bug, or a memory leak, or a security hole, do I think the customer gives a darn when I say "well, sir, the device driver for the whatsit was incompatible with the kernel! Those darn sloppy programmers in (Redmond/Mt. View/Santa Cruz/New Delhi) messed it up!"

No, the customer doesn't care. And if you push the blame to someone else, when it's your application, with your company's name on it, you don't care about the customer.

No, it is not their fault. When I write an app, I am responsible for it.

If I can write a "patch" for an OS flaw, then I could have foreseen that before I released my product. So it's my fault.

The developers for Moz put out a pretty good product and I applaud them. But I've always been irritated with this childish blaming of others by MS-bashers and Open Source apologists when something goes wrong and doesn't fit the "model".

Receptional Andy




msg:1589213
 1:54 pm on Jul 9, 2004 (gmt 0)

Maybe it's just me, but my fully patched win2k and IE6 still open shell: links.

encyclo




msg:1589214
 2:15 pm on Jul 9, 2004 (gmt 0)

All browsers are under intense scrutiny by bug-hunters at the moment - there have been several (fairly minor) security-related updates for Opera, and we are all aware of the problems with IE. This can only be a good thing as Opera and Mozilla will come out stronger and more secure (and IE too, let's hope).

Interestingly, this bug in Mozilla was first reported in 2002, but it is only now that the need has been felt to patch. The argument was that it is an OS problem rather than a Mozilla problem, and for a while there was no consensus within the Mozilla development team that anything needed to be done. It is because of the current fiasco with IE security, and the ensuing move towards Mozilla (their downloads have skyrocketed recently) that attention was brought to the problem again, and it was decided to apply a fix.

It is a good move by the Mozilla team, which should probably have been made much earlier. Even when the problem is not in your code, if your program can act as a vector for an exploit on the most prevalent OS, then it's best to do what you can to mitigate the problem.

encyclo




msg:1589215
 2:22 pm on Jul 9, 2004 (gmt 0)

At least my windows update will tell me about these patches. For Moz I have to read about them on ww.

Microsoft won't give third-party applications access to Windows Update - which is a terrible shame, because they would be on to a very good thing if there was a one-stop shop for security patches for all Windows programs - much like what exists already for the majority of Linux distributions (and they say Linux is less user-friendly than Windows!). Not even all Microsoft programs are available via Windows Update - have you applied all the recent patches to Office? They don't show up at all.

It's not even publicized on the firefox home page.

It's in the column on the left on the front page of mozilla.org, under Latest News.

isitreal




msg:1589216
 4:01 pm on Jul 9, 2004 (gmt 0)

At least my windows update will tell me about these patches. For Moz I have to read about them on ww.

This is a good criticism, and is being dealt with as part of the process of moving to Firefox 1.0. Keep in mind that we are still using a beta browser here, it's not at 1.0 yet, for these kinds of reasons.

Future versions of Mozilla Firefox will include automatic update notifications, which will make it even easier for users to be alerted to security fixes.
moz security [mozilla.org]

There is no need to download the 0.9.2 upgrade if you don't want to, if you are using only the default profile, you can just download a tiny 1 kB patch here [update.mozilla.org].

You can do it manually too, it's just a matter of turning off the shell: support.

From what I've gathered, this affects only Windows XP pre service pack 2, that particular windows vulnerability has been patched in sp2.

jcoronella




msg:1589217
 11:00 pm on Jul 9, 2004 (gmt 0)

Amazing. I just installed firefox 4 days ago to replace IE, and had several co-workers do the same. Wouldn't you know it.

isitreal




msg:1589218
 11:33 pm on Jul 9, 2004 (gmt 0)

Just download the tiny 1kB fix and you're set, takes a second. This wasn't a serious thing in a sense, it wasn't actually implemented like last week's IE exploits, it was just proven to be a problem, and resolved almost instantly.

The autoupdate feature is definitely a must-have for standard users, since most people won't ever keep up with this stuff by themselves. No browser is exploit proof, both Opera and Firefox have had holes discovered, but they were almost immediately resolved. It's much easier to fix most of these holes I believe since the browser is a true stand alone application, unlike IE.

Sanenet




msg:1589219
 2:14 pm on Jul 13, 2004 (gmt 0)

[news.com.com...]

Developers at the open-source Mozilla Foundation have confirmed that the latest version of their Web browsers have a security flaw that could allow attackers to run existing programs on the Windows XP operating system.

Didn't see any other post about this, so...

Farix




msg:1589220
 2:34 pm on Jul 13, 2004 (gmt 0)

It's already been fixed within 24 hours.

[mozilla.org...]

encyclo




msg:1589221
 2:49 pm on Jul 13, 2004 (gmt 0)

It's here: [webmasterworld.com...]

john_k




msg:1589222
 2:54 pm on Jul 13, 2004 (gmt 0)

It's already been fixed within 24 hours.

Here is a link to another article on this.
[eweek.com...]

It contains a link to the original bug report or "feature discussion."
[bugzilla.mozilla.org...]

Maybe they fixed it in 24 hours, but it took almost 2 YEARS to decide that it was a problem.

Leosghost




msg:1589223
 3:20 pm on Jul 13, 2004 (gmt 0)

could it be that they were sorta vainly hoping that M$ would clean up "the real problem" and write a "real OS" ..?

Sanenet




msg:1589224
 3:24 pm on Jul 13, 2004 (gmt 0)

*cough* I was reading my ezines and didn't notice that I was into last week's news <blush>

Thanks for the heads up guys.

Farix




msg:1589225
 3:31 pm on Jul 13, 2004 (gmt 0)

Maybe they fixed it in 24 hours, but it took almost 2 YEARS to decide that it was a problem.

Because it wasn't really a Mozilla problem but a bug with the Windows OS. The basic question comes down to, is Mozilla responsible for fixing bugs in the OS or just its own software?

RammsteinNicCage




msg:1589226
 3:34 pm on Jul 13, 2004 (gmt 0)

If this is a bug with the OS, does this mean that every browser is vulnerable then?

Jennifer

john_k




msg:1589227
 4:50 pm on Jul 13, 2004 (gmt 0)

could it be that they were sorta vainly hoping that M$ would clean up "the real problem" and write a "real OS" ..?

Because it wasn't really a Mozilla problem but a bug with the Windows OS. The basic question comes down to, is Mozilla responsible for fixing bugs in the OS or just its own software?

I agree whole-heartedly that the OS shouldn't permit the behavior. But I also believe this was a huge blunder on the part of the Mozilla developers. They were/are developing an application to work within the context of a specific OS. Part of that task is to leverage strengths and to work-around weaknesses. They knew about this particular issue and consequently they should have dealt with it sooner. The 24-hour fix description is a spin that isn't needed.

Playing loose with blame and responsibility (which is the treatment people give MS), a different spin might be to say that, even as they publicly deride MS for its lack of security expertise and commitment, they knowingly let a gaping hole hang out in their own software for almost two years. Apparently someone had some down-time and decided to address this mid-level priority issue.
