Well whatever anyone says, this bug just goes to show you how much faster and more security oriented mozilla is then microsoft.

As someone pointed out above but no one seemed to notice was.

Maybe it's just me, but my fully patched win2k and IE6 still open shell: links.

And I have a fully patched winXP pro and home with IE6 that still opens them.

Microsoft didn't think it was worth fixing so why would another browser designed to work with windows think that it was a big deal?

Anyways relating to this "bug" mozilla was at no point behind microsoft in security.

[sarcasm]Way to drop the ball mozilla[/sarcasm]

Anyways relating to this "bug" mozilla was at no point behind microsoft in security.

My point was that there is no reason to feel smug about fixing something that was hanging out there for almost two years. Just fix it and move on. There will be other opportunities to take pot shots and point fingers.

They were/are developing an application to work within the context of a specific OS.

But Mozilla is multi-platform. It isn't Windows-only.

But Mozilla is multi-platform. It isn't Windows-only.

But the version that runs on Windows is for Windows.

I'm not here to defend Microsoft. I just thought it should be pointed out that they are not the only ones that have put things off because immediate action wasn't convenient.

Yes, I think it is great that Mozilla has been modified to account for a security hole in the OS. But they should have done it when they encountered it in 2002.

There are other areas of the Mozilla effort that deserve attention as being superior to MS. There isn't any reason to manufacture attention by saying they fixed something within 24 hours of finding the problem when it is blatantly not the case.

john_k, as I mentioned in message #17 of this thread, I agree that the Mozilla team should have dealt with this issue earlier. The vulnerability is most definitely in Microsoft's code, but there needs to be a greater sense of responsibility from the part of third-party developers to mitigate any potential security issues in the supported OS, and try to ensure that their product is not a vector for exploiting a weakness in the underlying OS code.

On a different note, I've not seen anywhere any mention of Netscape shipping an updated version of Netscape 7.1, which is also vulnerable to this problem. There is also no mention of this problem on Netscape's website or on their "Browser Central" page. It looks to be a final confirmation that Netscape is dead as a browser company - anyone still using Netscape products should move over to the supported Mozilla equivalent immediately. Sadly, the K-Meleon project (also based on Mozilla) also does not seem to be offering advice or a fix either.

Of course, there is another browser which remains vulnerable to the shell: exploitation - Internet Explorer.

Microsoft had finally gotten around to patching the problem on the OS, rendering the Mozilla "problem" and patch moot. But I have this nagging felling that the only reason that MS patch the problem was because Mozilla's workaround made the real security hole all too public.

If this is a bug with the OS, does this mean that every browser is vulnerable then?

not only browsers [infoworld.com].

Interestingly, Microsoft has released a patch [microsoft.com] roughly one week after the Mozilla project released theirs. Sometimes a little publicity can do wonders even in Redmond... ;)