Forum Moderators: incrediBILL

Update for Windows Mozilla/Firefox

Firefox 0.9.2 and Mozilla 1.7.1 and the shell: protocol

     

encyclo

11:36 pm on Jul 8, 2004 (gmt 0)

A little oops from the Mozilla team which shows that even the best browsers can have bugs! The bug fix is needed because links in web pages can execute arbitrary commands on computers running Windows 2000 or XP. Here are the full details:

[mozilla.org...]

You can download the patched versions from [mozilla.org...]

<added>Just noticed, the problem also affects Thunderbird, which has a new version 0.7.2.</added>

Dudermont

7:01 pm on Jul 13, 2004 (gmt 0)

Well whatever anyone says, this bug just goes to show you how much faster and more security-oriented mozilla is than microsoft.

As someone pointed out above, but no one seemed to notice:

Maybe it's just me, but my fully patched win2k and IE6 still open shell: links.

And I have a fully patched winXP pro and home with IE6 that still opens them.

Microsoft didn't think it was worth fixing so why would another browser designed to work with windows think that it was a big deal?

Anyways relating to this "bug" mozilla was at no point behind microsoft in security.

[sarcasm]Way to drop the ball mozilla[/sarcasm]

john_k

7:08 pm on Jul 13, 2004 (gmt 0)

Anyways relating to this "bug" mozilla was at no point behind microsoft in security.

My point was that there is no reason to feel smug about fixing something that was hanging out there for almost two years. Just fix it and move on. There will be other opportunities to take pot shots and point fingers.

Hester

9:01 am on Jul 14, 2004 (gmt 0)

They were/are developing an application to work within the context of a specific OS.

But Mozilla is multi-platform. It isn't Windows-only.

john_k

12:18 pm on Jul 14, 2004 (gmt 0)

But Mozilla is multi-platform. It isn't Windows-only.

But the version that runs on Windows is for Windows.

I'm not here to defend Microsoft. I just thought it should be pointed out that they are not the only ones that have put things off because immediate action wasn't convenient.

Yes, I think it is great that Mozilla has been modified to account for a security hole in the OS. But they should have done it when they encountered it in 2002.

There are other areas of the Mozilla effort that deserve attention as being superior to MS. There isn't any reason to manufacture attention by saying they fixed something within 24 hours of finding the problem when it is blatantly not the case.

encyclo

1:04 pm on Jul 14, 2004 (gmt 0)

john_k, as I mentioned in message #17 of this thread, I agree that the Mozilla team should have dealt with this issue earlier. The vulnerability is most definitely in Microsoft's code, but there needs to be a greater sense of responsibility on the part of third-party developers to mitigate any potential security issues in the supported OS, and try to ensure that their product is not a vector for exploiting a weakness in the underlying OS code.

On a different note, I've not seen anywhere any mention of Netscape shipping an updated version of Netscape 7.1, which is also vulnerable to this problem. There is also no mention of this problem on Netscape's website or on their "Browser Central" page. It looks to be a final confirmation that Netscape is dead as a browser company - anyone still using Netscape products should move over to the supported Mozilla equivalent immediately. Sadly, the K-Meleon project (also based on Mozilla) also does not seem to be offering advice or a fix either.

Of course, there is another browser which remains vulnerable to the shell: exploitation - Internet Explorer.

Farix

8:30 pm on Jul 15, 2004 (gmt 0)

Microsoft had finally gotten around to patching the problem on the OS, rendering the Mozilla "problem" and patch moot. But I have this nagging feeling that the only reason that MS patched the problem was because Mozilla's workaround made the real security hole all too public.

bird

8:40 pm on Jul 15, 2004 (gmt 0)

If this is a bug with the OS, does this mean that every browser is vulnerable then?

Not only browsers [infoworld.com].

Interestingly, Microsoft has released a patch [microsoft.com] roughly one week after the Mozilla project released theirs. Sometimes a little publicity can do wonders even in Redmond... ;)

This 37 message thread spans 2 pages.