[mozilla.org...]
You can download the patched versions from [mozilla.org...]
<added>Just noticed, the problem also affects Thunderbird, which has a new version 0.7.2.</added>
[update.mozilla.org...]
It weighs in at only a few bytes, which is a hell of a lot easier if you're on dialup!
Developers at the open-source Mozilla Foundation have confirmed that the latest version of their web browsers have a security flaw that could theoretically allow attackers to crash computers or launch unauthorised programs.
Developers said the flaw affected only Windows users, not computers running either the Macintosh or Linux operating systems.
Typical ;)
You can just drag and drop the downloaded file into a Mozilla window too.
It's not even publicized on the Firefox home page.
And if someone didn't tell me, I'd have to download the 4.7 MB file for this.
This is a Mozilla flaw, not a windows flaw.
I think that IE has problems (using firefox now) but the moz team could take a lesson from the IE team in the MEA CULPA category.
I'll let the stream of apologists continue now.
BTW .. for an only-XP "hole" the test page showed multiple links available prior to my installing the patch. I'm on 98II .. don't ever want XP ..
all flavours of 'doze have serious shell problems so maybe it's better to be safe than sorry ...
The installed patch (if it's redundant on this OS) hasn't harmed it none either ...
This is a Mozilla flaw, not a windows flaw.
From [secunia.com...]
The shell: URI handler is inherently insecure and should only be accessed from a few trusted sites - or not from a browser at all. Multiple exploits in Internet Explorer also utilise "shell:" functionality.
The security flaw is MS Windows' protocol handling. The patch from Mozilla is a workaround for a MS Windows flaw.
When you have to pay them to use Firefox, I think that is the time you can suggest that they need lessons in anything ..
No suggestions for open source developers then, since they already know best I guess.
I wonder if we'll see a steady stream of security holes in Moz that will always be "the OS's fault".
The security flaw is MS Windows' protocol handling. The patch from Mozilla is a workaround for a MS Windows flaw.
Every OS and programming language has bugs, flaws, etc. Sometimes features that are useful in one sense need to be disabled for a particular application.
But when I deliver a product that has a bug, or a memory leak, or a security hole, do I think the customer gives a darn when I say "well, sir, the device driver for the whatsit was incompatible with the kernel! Those darn sloppy programmers in (Redmond/Mt. View/Santa Cruz/New Delhi) messed it up!"
No, the customer doesn't care. And if you push the blame to someone else, when it's your application, with your company's name on it, you don't care about the customer.
No, it is not their fault. When I write an app, I am responsible for it.
If I can write a "patch" for an OS flaw, then I could have foreseen that before I released my product. So it's my fault.
The developers for Moz put out a pretty good product and I applaud them. But I've always been irritated with this childish blaming of others by MS-bashers and Open Source apologists when something goes wrong and doesn't fit the "model".
Interestingly, this bug in Mozilla was first reported in 2002, but it is only now that the need has been felt to patch. The argument was that it is an OS problem rather than a Mozilla problem, and for a while there was no consensus within the Mozilla development team that anything needed to be done. It is because of the current fiasco with IE security, and the ensuing move towards Mozilla (their downloads have skyrocketed recently) that attention was brought to the problem again, and it was decided to apply a fix.
It is a good move by the Mozilla team, which should probably have been made much earlier. Even when the problem is not in your code, if your program can act as a vector for an exploit on the most prevalent OS, then it's best to do what you can to mitigate the problem.
At least my Windows Update will tell me about these patches. For Moz I have to read about them on ww.
Microsoft won't give third-party applications access to Windows Update - which is a terrible shame, because they would be on to a very good thing if there was a one-stop shop for security patches for all Windows programs - much like what exists already for the majority of Linux distributions (and they say Linux is less user-friendly than Windows!). Not even all Microsoft programs are available via Windows Update - have you applied all the recent patches to Office? They don't show up at all.
It's not even publicized on the Firefox home page.
It's in the column on the left on the front page of mozilla.org, under Latest News.
At least my Windows Update will tell me about these patches. For Moz I have to read about them on ww.
This is a good criticism, and is being dealt with as part of the process of moving to Firefox 1.0. Keep in mind that we are still using a beta browser here, it's not at 1.0 yet, for these kinds of reasons.
Future versions of Mozilla Firefox will include automatic update notifications, which will make it even easier for users to be alerted to security fixes. moz security [mozilla.org]
There is no need to download the 0.9.2 upgrade if you don't want to; if you are using only the default profile, you can just download a tiny 1 kB patch here [update.mozilla.org].
You can do it manually too, it's just a matter of turning off the shell: support.
From what I've gathered, this affects only Windows XP pre service pack 2, that particular windows vulnerability has been patched in sp2.
The autoupdate feature is definitely a must-have for standard users, since most people won't ever keep up with this stuff by themselves. No browser is exploit-proof; both Opera and Firefox have had holes discovered, but they were almost immediately resolved. It's much easier to fix most of these holes, I believe, since the browser is a true stand-alone application, unlike IE.
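The manual fix mentioned above (turning off shell: support in the profile) can be verified rather than taken on trust. The following is an added example, not code from the thread or from Mozilla: it parses a prefs.js/user.js file, reports whether the shell: protocol handler is explicitly disabled, and emits a hardened copy. It assumes the preference name network.protocol-handler.external.shell, which is the preference Mozilla's 0.9.2/1.7.1 fix sets to false, and it runs on a constructed sample prefs file rather than a real profile.

```python
import re
from pathlib import Path

# Preference the Mozilla fix sets to false (assumption: name as used by the 0.9.2 patch).
SHELL_PREF = "network.protocol-handler.external.shell"

# Matches both pref("name", value); (defaults) and user_pref("name", value); (profile).
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*([^)]+?)\s*\);', re.M)


def parse_prefs(text):
    """Return {pref_name: raw value text} for every pref line in a prefs.js/user.js body."""
    return {name: value.strip() for name, value in PREF_RE.findall(text)}


def shell_handler_disabled(text):
    """Only an explicit 'false' counts; a missing pref means the built-in default applies
    (shell: still reachable on an unpatched pre-0.9.2 build), so that is reported as weak."""
    return parse_prefs(text).get(SHELL_PREF) == "false"


def harden(text):
    """Return the prefs body with any existing shell pref removed and the hardened setting appended."""
    kept = [line for line in text.splitlines() if SHELL_PREF not in line]
    kept.append(f'user_pref("{SHELL_PREF}", false);')
    return "\n".join(kept) + "\n"


def check_profile(profile_dir):
    """Read user.js (if present) over prefs.js, the same precedence the browser applies."""
    prefs = {}
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.exists():
            prefs.update(parse_prefs(path.read_text(encoding="utf-8", errors="replace")))
    return prefs.get(SHELL_PREF) == "false"


# Constructed sample: a profile that enables the handler, i.e. the weak setting.
SAMPLE_WEAK = (
    "// Mozilla User Preferences\n"
    'user_pref("browser.startup.homepage", "http://example.invalid/");\n'
    f'user_pref("{SHELL_PREF}", true);\n'
)

if __name__ == "__main__":
    print("weak sample disabled?", shell_handler_disabled(SAMPLE_WEAK))      # False
    print("hardened disabled?", shell_handler_disabled(harden(SAMPLE_WEAK)))  # True
```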
Developers at the open-source Mozilla Foundation have confirmed that the latest version of their Web browsers have a security flaw that could allow attackers to run existing programs on the Windows XP operating system.
Didn't see any other post about this, so...
[mozilla.org...]
It's already been fixed within 24 hours.
It contains a link to the original bug report or "feature discussion."
[bugzilla.mozilla.org...]
Maybe they fixed it in 24 hours, but it took almost 2 YEARS to decide that it was a problem.
could it be that they were sorta vainly hoping that M$ would clean up "the real problem" and write a "real OS" ..?
Because it wasn't really a Mozilla problem but a bug with the Windows OS. The basic question comes down to, is Mozilla responsible for fixing bugs in the OS or just its own software?
I agree whole-heartedly that the OS shouldn't permit the behavior. But I also believe this was a huge blunder on the part of the Mozilla developers. They were/are developing an application to work within the context of a specific OS. Part of that task is to leverage strengths and to work around weaknesses. They knew about this particular issue and consequently they should have dealt with it sooner. The 24-hour fix description is a spin that isn't needed.
Playing loose with blame and responsibility (which is the treatment people give MS), a different spin might be to say that, even as they publicly deride MS for its lack of security expertise and commitment, they knowingly let a gaping hole hang out in their own software for almost two years. Apparently someone had some down-time and decided to address this mid-level priority issue.