Update for Windows Mozilla/Firefox

Firefox 0.9.2 and Mozilla 1.7.1 and the shell: protocol

     
11:36 pm on Jul 8, 2004 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9074
votes: 6


A little oops from the Mozilla team which shows that even the best browsers can have bugs! The bug fix is needed because links in web pages can execute arbitrary commands on computers running Windows 2000 or XP. Here's the full details:

[mozilla.org...]

You can download the patched versions from [mozilla.org...]

<added>Just noticed, the problem also affects Thunderbird, which has a new version 0.7.2.</added>

12:31 am on July 9, 2004 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9074
votes: 6


Just found an even better way to update - rather than downloading a hefty 17Mb install file, just get the ShellBlock patch (extension) from here:

[update.mozilla.org...]

It weighs in at only a few bytes, which is a hell of a lot easier if you're on dialup!

4:44 am on July 9, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Feb 23, 2003
posts:207
votes: 0


Heh... we knew it would happen sooner or later... but DAMN that was a quick patch. IE is at, what, 4+ weeks on their latest?

4:55 am on July 9, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Feb 23, 2003
posts:207
votes: 0


One additional note... this ONLY affects Windows XP (and Windows 2000 with a different syntax) and is due to the way Mozilla handles unknown schemes... it passes them on to the operating system. (which isn't really the best idea with Windows) Needless to say, this is also fixed by Windows XP SP2.

5:37 am on July 9, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 13, 2004
posts:428
votes: 0


That was very stress free :) Incidentally it's a Microsoft Flaw™ not a Mozilla flaw.

10:04 am on July 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


Just downloaded the patch. Now what - I'm running Win 2000 at the moment and it doesn't know what to do with .xpi files.

I'd say that was a bit of a cockup!

Kaled.

9:16 am on July 9, 2004 (gmt 0)

Senior Member from ZA 

WebmasterWorld Senior Member 10+ Year Member

joined:July 15, 2002
posts:1721
votes: 4


[software.silicon.com...]

Developers at the open-source Mozilla Foundation have confirmed that the latest version of their web browsers have a security flaw that could theoretically allow attackers to crash computers or launch unauthorised programs.

Developers said the flaw affected only Windows users, not computers running either the Macintosh or Linux operating systems.

Typical ;)

11:03 am on July 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts:1318
votes: 0


>>Just downloaded the patch. Now what - I'm running Win 2000 at the moment and it doesn't know what to do with .xpi files.

>>I'd say that was a bit of a cockup!

>>Kaled.

You need to install it directly from Mozilla or Firefox.

11:19 am on July 9, 2004 (gmt 0)

Senior Member

joined:Jan 27, 2003
posts:2534
votes: 0


>>You need to install it directly from Mozilla or Firefox.

You can just drag and drop the downloaded file into a Mozilla window too.

12:09 pm on July 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


Yep, I guess the cockup was mine (should learn to read I guess). Dragged the file as suggested and it worked fine.

Thanks,

Kaled.

12:23 pm on July 9, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Dec 6, 2002
posts:279
votes: 0


At least my Windows Update will tell me about these patches. For Moz I have to read about them on WW.

It's not even publicized on the Firefox home page.

And if someone didn't tell me, i'd have to download the 4.7mb file for this.

This is a Mozilla flaw, not a windows flaw.

I think that IE has problems (using firefox now) but the moz team could take a lesson from the IE team in the MEA CULPA category.

I'll let the stream of apologists continue now.

12:39 pm on July 9, 2004 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


When you have to pay them to use Firefox, I think that is the time you can suggest that they need lessons in anything.

BTW, for an "only XP" hole, the test page showed multiple links available prior to my installing the patch. I'm on 98II, don't ever want XP.

All flavours of 'doze have serious shell problems, so maybe it's better to be safe than sorry.

The installed patch (if it's redundant on this OS) hasn't harmed it none either.

1:37 pm on July 9, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Mar 8, 2004
posts:311
votes: 0


>>This is a Mozilla flaw, not a windows flaw.

From [secunia.com...]

The shell: URI handler is inherently insecure and should only be accessed from a few trusted sites - or not from a browser at all. Multiple exploits in Internet Explorer also utilise "shell:" functionality.

The security flaw is MS Windows' protocol handling. The patch from Mozilla is a workaround for a MS Windows flaw.

1:41 pm on July 9, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Dec 6, 2002
posts:279
votes: 0


>>When you have to pay them to use Firefox, I think that is the time you can suggest that they need lessons in anything.

No suggestions for open source developers then, since they already know best I guess.

I wonder if we'll see a steady stream of security holes in Moz that will always be "the OS's fault".

1:51 pm on July 9, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Dec 6, 2002
posts:279
votes: 0


>>The security flaw is MS Windows' protocol handling. The patch from Mozilla is a workaround for a MS Windows flaw.

Every OS and programming language has bugs, flaws, etc. Sometimes features that are useful in one sense need to be disabled for a particular application.

But when I deliver a product that has a bug, or a memory leak, or a security hole, do I think the customer gives a darn when I say "well, sir, the device driver for the whatsit was incompatible with the kernel! Those darn sloppy programmers in (Redmond/Mt. View/Santa Cruz/New Delhi) messed it up!"

No, the customer doesn't care. And if you push the blame to someone else, when it's your application, with your company's name on it, you don't care about the customer.

No, it is not their fault. When I write an app, I am responsible for it.

If I can write a "patch" for an OS flaw, then I could have foreseen that before I released my product. So it's my fault.

The developers for Moz put out a pretty good product and I applaud them. But I've always been irritated with this childish blaming of others by MS-bashers and Open Source apologists when something goes wrong and doesn't fit the "model".

1:54 pm on July 9, 2004 (gmt 0)

Senior Member

joined:Jan 27, 2003
posts:2534
votes: 0


Maybe it's just me, but my fully patched win2k and IE6 still open shell: links.

2:15 pm on July 9, 2004 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9074
votes: 6


All browsers are under intense scrutiny by bug-hunters at the moment - there have been several (fairly minor) security-related updates for Opera, and we are all aware of the problems with IE. This can only be a good thing as Opera and Mozilla will come out stronger and more secure (and IE too, let's hope).

Interestingly, this bug in Mozilla was first reported in 2002, but it is only now that the need has been felt to patch. The argument was that it is an OS problem rather than a Mozilla problem, and for a while there was no consensus within the Mozilla development team that anything needed to be done. It is because of the current fiasco with IE security, and the ensuing move towards Mozilla (their downloads have skyrocketed recently) that attention was brought to the problem again, and it was decided to apply a fix.

It is a good move by the Mozilla team, which should probably have been made much earlier. Even when the problem is not in your code, if your program can act as a vector for an exploit on the most prevalent OS, then it's best to do what you can to mitigate the problem.

2:22 pm on July 9, 2004 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9074
votes: 6


>>At least my windows update will tell me about these patches. For Moz i have to read about them on ww.

Microsoft won't give third-party applications access to Windows Update - which is a terrible shame, because they would be on to a very good thing if there was a one-stop shop for security patches for all Windows programs - much like what exists already for the majority of Linux distributions (and they say Linux is less user-friendly than Windows!). Not even all Microsoft programs are available via Windows Update - have you applied all the recent patches to Office? They don't show up at all.

>>It's not even publicized on the firefox home page.

It's in the column on the left on the front page of mozilla.org, under Latest News.

4:01 pm on July 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 15, 2004
posts:1300
votes: 0


>>At least my windows update will tell me about these patches. For Moz i have to read about them on ww.

This is a good criticism, and is being dealt with as part of the process of moving to Firefox 1.0. Keep in mind that we are still using a beta browser here, it's not at 1.0 yet, for these kinds of reasons.

Future versions of Mozilla Firefox will include automatic update notifications, which will make it even easier for users to be alerted to security fixes.
moz security [mozilla.org]

There is no need to download the 0.9.2 upgrade if you don't want to; if you are using only the default profile, you can just download a tiny 1 kB patch here [update.mozilla.org].

You can do it manually too, it's just a matter of turning off the shell: support.

From what I've gathered, this affects only Windows XP pre-Service Pack 2; that particular Windows vulnerability has been patched in SP2.
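The mechanism described upthread (Mozilla handed any scheme it did not implement straight to the OS) and the manual fix mentioned here (turning shell: support off) both come down to one rule: hand a scheme to the OS only if it is explicitly approved, and drop everything else. The JavaScript below is an added illustration of that deny-by-default rule, not code from Mozilla, the ShellBlock patch or any poster; the scheme sets and the sample link list are assumed values.

```javascript
// Added illustration (not Mozilla or ShellBlock code): deny-by-default policy
// for deciding whether a link's scheme may be handed to the OS handler. The
// bug in this thread came from the opposite policy: any scheme the browser did
// not implement itself was passed to Windows, where "shell:" reaches a system handler.

// Schemes the browser resolves itself (assumed sample allowlist).
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp", "file", "about"]);

// External schemes explicitly approved for OS hand-off (assumed sample values).
const APPROVED_EXTERNAL = new Set(["mailto", "news"]);

// Extract the scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
// Leading whitespace is stripped first because browsers tolerate it in hrefs,
// and the result is lower-cased because schemes are case-insensitive.
// Returns null when there is no scheme at all (e.g. a relative URL).
function extractScheme(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Classify one link: "internal" (browser handles it), "external" (approved
// OS hand-off) or "blocked" (unknown scheme, never passed to the OS).
function classifyLink(url) {
  const scheme = extractScheme(url);
  if (scheme === null || INTERNAL_SCHEMES.has(scheme)) return "internal";
  if (APPROVED_EXTERNAL.has(scheme)) return "external";
  return "blocked"; // shell: and anything else not on a list lands here
}

// Audit a list of hrefs: count what the browser keeps and list every link
// that would have reached the OS under the old pass-through behaviour.
function auditLinks(hrefs) {
  const report = { internal: 0, external: 0, blocked: [] };
  for (const href of hrefs) {
    const verdict = classifyLink(href);
    if (verdict === "blocked") report.blocked.push(href.trim());
    else report[verdict] += 1;
  }
  return report;
}

// Constructed sample links (placeholder targets, not a real test page).
const SAMPLE_HREFS = [
  "http://example.com/",
  "  SHELL:placeholder-target",
  "mailto:someone@example.com",
  "/relative/page.html",
  "telnet://example.com",
];
```

Running `auditLinks(SAMPLE_HREFS)` reports two internal links, one approved external link, and flags the shell: and telnet: links as blocked.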

11:00 pm on July 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 4, 2002
posts:1958
votes: 0


Amazing. I just installed firefox 4 days ago to replace IE, and had several co-workers do the same. Wouldn't you know it.

11:33 pm on July 9, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 15, 2004
posts:1300
votes: 0


Just download the tiny 1kB fix and you're set, takes a second. This wasn't a serious thing in a sense, it wasn't actually implemented like last week's IE exploits, it was just proven to be a problem, and resolved almost instantly.

The autoupdate feature is definitely a must-have for standard users, since most people won't ever keep up with this stuff by themselves. No browser is exploit proof, both Opera and Firefox have had holes discovered, but they were almost immediately resolved. It's much easier to fix most of these holes I believe since the browser is a true stand alone application, unlike IE.

2:14 pm on July 13, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 22, 2002
posts:1001
votes: 0


[news.com.com...]

Developers at the open-source Mozilla Foundation have confirmed that the latest version of their Web browsers have a security flaw that could allow attackers to run existing programs on the Windows XP operating system.

Didn't see any other post about this, so...

2:34 pm on July 13, 2004 (gmt 0)

Full Member

10+ Year Member

joined:July 30, 2003
posts:322
votes: 0


It's already been fixed within 24 hours.

[mozilla.org...]

2:49 pm on July 13, 2004 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9074
votes: 6


It's here: [webmasterworld.com...]

2:54 pm on July 13, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 3, 2003
posts:792
votes: 0


>>It's already been fixed within 24 hours.

Here is a link to another article on this.
[eweek.com...]

It contains a link to the original bug report or "feature discussion."
[bugzilla.mozilla.org...]

Maybe they fixed it in 24 hours, but it took almost 2 YEARS to decide that it was a problem.

3:20 pm on July 13, 2004 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


could it be that they were sorta vainly hoping that M$ would clean up "the real problem" and write a "real OS" ..?

3:24 pm on July 13, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 22, 2002
posts:1001
votes: 0


*cough* I was reading my ezines and didn't notice that I was into last week's news <blush>

Thanks for the heads up guys.

3:31 pm on July 13, 2004 (gmt 0)

Full Member

10+ Year Member

joined:July 30, 2003
posts:322
votes: 0


>>Maybe they fixed it in 24 hours, but it took almost 2 YEARS to decide that it was a problem.

Because it wasn't really a Mozilla problem but a bug with the Windows OS. The basic question comes down to, is Mozilla responsible for fixing bugs in the OS or just its own software?

3:34 pm on July 13, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:May 20, 2003
posts:493
votes: 0


If this is a bug with the OS, does this mean that every browser is vulnerable then?

Jennifer

4:50 pm on July 13, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 3, 2003
posts:792
votes: 0


>>could it be that they were sorta vainly hoping that M$ would clean up "the real problem" and write a "real OS" ..?

>>Because it wasn't really a Mozilla problem but a bug with the Windows OS. The basic question comes down to, is Mozilla responsible for fixing bugs in the OS or just its own software?

I agree whole-heartedly that the OS shouldn't permit the behavior. But I also believe this was a huge blunder on the part of the Mozilla developers. They were/are developing an application to work within the context of a specific OS. Part of that task is to leverage strengths and to work around weaknesses. They knew about this particular issue and consequently they should have dealt with it sooner. The 24-hour fix description is a spin that isn't needed.

Playing loose with blame and responsibility (which is the treatment people give MS), a different spin might be to say that, even as they publicly deride MS for its lack of security expertise and commitment, they knowingly let a gaping hole hang out in their own software for almost two years. Apparently someone had some down-time and decided to address this mid-level priority issue.

This 37 message thread spans 2 pages: 37