ciphergoth: (Default)
[personal profile] ciphergoth
If you are running Firefox, Thunderbird or Mozilla under Windows, you need this patch right away; until you install it you remain vulnerable to remote exploit. Users of other operating systems are not affected: the underlying flaw is in Windows (its shell: protocol handler can be used to run commands), and the patch simply stops the Mozilla products handing shell: URLs to it.

If you have just gone through the inconvenience of installing Firefox because of the vulnerability in IE, my heart goes out to you. I hope you'll take comfort in the fact that a fix for this problem was available for Firefox and Mozilla within a day of the exploit being published, while there still seems to be no effective fix for the problem in IE, so you made the right choice.

Help!

Date: 2004-07-11 04:21 am (UTC)
From: [identity profile] purplerabbits.livejournal.com
I've patched Firefox, but can't work out how to do Thunderbird because the Extensions item isn't in the Tools menu like they tell me it should be...

Re: Help!

Date: 2004-07-11 04:46 am (UTC)
From: [identity profile] ciphergoth.livejournal.com
I'm not at a Windows box right now, but running it under Linux it's under Tools > Options > Extensions. Annoying that they get their own instructions wrong. And thanks for the heads-up - I'll fix the article to mention Thunderbird.

Did you get my reply to your mail, BTW? I've had a slight hold-up in that I can't find my CD-ROM drive for my laptop...

Re: Help!

Date: 2004-07-11 05:37 am (UTC)
From: [identity profile] purplerabbits.livejournal.com
Ah, that works, thanks.

Now I have to decide whether to upgrade to the latest version...

Re: Help!

Date: 2004-07-11 05:07 am (UTC)
From: [identity profile] kimble.livejournal.com
It's under Tools/Extensions in 0.7.1. I vaguely recall the menus changing since 0.6, I think you used to be able to get at it via one of the sections in the options window.

Date: 2004-07-11 04:22 am (UTC)
From: [identity profile] wechsler.livejournal.com
Hey, I had to click THREE TIMES to install that patch! I want a refund! ;)

Ignoring, of course, the fact that I had to manually reconfigure windows update and install a 100-MB Service Pack to 'fix' it in IE, and could only do so for IEv6 on the XP box.

Date: 2004-07-11 05:22 am (UTC)
From: [identity profile] deliberateblank.livejournal.com
It worked first time for me (but you do have to restart Firefox to see it.)

And it was out within a day of disclosure. MS still haven't completely fixed IE.

Date: 2004-07-11 05:36 am (UTC)
From: [identity profile] keirf.livejournal.com
Worked first time for me as well. But it installed so quickly that I wasn't sure it was there until I checked...

Date: 2004-07-11 05:41 am (UTC)
From: [identity profile] deliberateblank.livejournal.com
Well quite, it's a tiny fix. And the fact it doesn't show on the "Extensions" list even though installing it displays that list is confusing.

Date: 2004-07-11 07:14 am (UTC)
From: [personal profile] reddragdiva
That's because the 'patch' actually changes one line of an obscure user preference, to disable use of the "shell" extension.

Date: 2004-07-11 05:51 am (UTC)
From: [identity profile] wechsler.livejournal.com
As in I had to make three mouseclicks, not as in I had to try three times.

Admittedly it's all of 6 mouseclicks if you count the restart.

Date: 2004-07-11 05:15 am (UTC)
From: [identity profile] lilitufire.livejournal.com
Thanks for pointing this out - Firefox goes like the clappers anyway, so I was still impressed with it :)

Date: 2004-07-11 05:17 am (UTC)
From: [identity profile] ruis.livejournal.com
As soon as other browsers get a bigger market share more people will bother trying to exploit them.

Date: 2004-07-11 08:54 am (UTC)
From: [identity profile] ciphergoth.livejournal.com
This isn't how it's worked out with Apache and IIS.

Date: 2004-07-11 04:53 pm (UTC)
From: [identity profile] princealbert.livejournal.com
Now that it's been proven that the exploits are spammers using other people's boxes to generate spam, I don't think any platform or browser will be safe. It's moved on from script kiddies to big business.

Date: 2004-07-12 04:09 am (UTC)
From: [identity profile] ciphergoth.livejournal.com
Nothing is 100% safe. I don't think there's any platform that is both practical for everyday use and built with security in mind the way I'd like to see it.

However, some things seem to be much safer than others - not just less often attacked, but actually less likely to yield to attack. Apache is vastly more popular than IIS, but crackers are still relying on IIS holes to propagate their malware; this is at least in part because your average Apache web server is actually more secure against such attacks than its IIS counterpart.

Date: 2004-07-11 05:33 am (UTC)
From: [identity profile] keirf.livejournal.com
Well, I'm quite glad I've switched to FireFox - it seems to run faster, and the middle-click to open a link in a new tab is excellent. They also did a really good job with the import favorites section of the install.
From: [identity profile] bondagewoodelf.livejournal.com
It appears this is not really a coding bug in the Mozilla software. Rather, they forgot to block a feature of Windows that can use the shell: handler. Actually, Firefox (and friends) try to be nice and offer all external protocol handlers registered with Windows (such as e.g. aim:). Apparently Windows itself offers something called shell: that can be used to fire commands, and the Mozilla coders forgot to block access from the browser to it.
From: [identity profile] deliberateblank.livejournal.com
Hmm. Cross-protocol exploits were well-known in IE in September 2002.

I think there's definitely an argument here for not allowing any protocol i) you don't fully understand or control the consequences of using, or ii) the user hasn't specifically enabled.

(A base set of http:, https:, ftp:, mailto:, news:, file: and javascript: ought to be enough for 99% of users.)
From: [identity profile] stgpcm.livejournal.com
Personally, I think the problem lies with whoever thought registering a 'shell:' handler was a good idea.

Installing an internal stub handler for 'shell:' is technically bad, but definitely the right thing to do.

From: [identity profile] deliberateblank.livejournal.com
I can see it being useful for some intranet applications. And dangerous for (untrusted) internet use.

To deny its existence (which would have to be done by disallowing any extensibility in the protocol handler namespace - anyone can create a new protocol handler which could potentially also be abused) is not a practical option because it limits legitimate implementation of valuable functionality.

The key is ensuring that powerful features like this operate with very strict security restrictions, and/or are available only to callers that are trusted. Clearly this has not been done.
From: [identity profile] ciphergoth.livejournal.com
If you follow the bug, you'll find a debate among Firefox developers about whether whitelisting or blacklisting was most appropriate for protocol handlers. Blacklisting won out: the argument is that the whole *point* of having protocol handlers was so that the browser could defer to them if it didn't recognise a protocol. Whitelisting turns out to be the right thing: the argument is that the Windows security people couldn't pour piss from a boot if the instructions were written on the sole.
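As an added illustration of the whitelist-versus-blacklist choice discussed in this thread, here is a small model of the two dispatch policies. It is example code, not from the post, the commenters or Mozilla: the table of OS-registered handlers, the sample URLs and the `blockedFromPrefs` helper are constructed for illustration, and the preference name in `SHELLBLOCK_PREF` is recalled from the Mozilla bug rather than taken from this page, so verify it there before relying on it.

```javascript
// Added example, not code from the post, the thread or Mozilla: models the
// two policies the Firefox developers debated for handing URL schemes to
// OS-registered external protocol handlers.

// Constructed stand-in for the protocol handlers Windows might have had
// registered in 2004; "shell" is the one the thread is about.
const REGISTERED_ON_OS = new Set(["http", "https", "ftp", "mailto", "news", "aim", "shell"]);

// Schemes the browser implements itself rather than delegating.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp", "file", "javascript"]);

// Extract the scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// Leading whitespace is stripped and the result lower-cased, so "  Shell:x"
// is recognised as the shell scheme rather than slipping past a check.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(String(url).trim());
  return m ? m[1].toLowerCase() : null;
}

// Blacklist policy (what Firefox had, and what the one-line "patch" extended):
// anything the browser does not handle itself and has not explicitly blocked
// is handed to whatever the OS registered for it.
function blacklistDispatch(url, blocked) {
  const scheme = schemeOf(url);
  if (scheme === null) return "invalid";
  if (INTERNAL_SCHEMES.has(scheme)) return "internal";
  if (blocked.has(scheme)) return "blocked";
  return REGISTERED_ON_OS.has(scheme) ? "external" : "unknown";
}

// Whitelist policy: only schemes the vendor or the user has specifically
// enabled reach an external handler; everything else is refused, including
// handlers registered after the browser shipped.
function whitelistDispatch(url, allowed) {
  const scheme = schemeOf(url);
  if (scheme === null) return "invalid";
  if (INTERNAL_SCHEMES.has(scheme)) return "internal";
  if (allowed.has(scheme) && REGISTERED_ON_OS.has(scheme)) return "external";
  return "blocked";
}

// The one-line mitigation the thread describes, in the form a Mozilla user.js
// preference takes. Assumption: the preference name is from my memory of the
// Mozilla bug, not from this page.
const SHELLBLOCK_PREF = 'user_pref("network.protocol-handler.external.shell", false);';

// Hypothetical helper: derive the blacklist from user.js lines of that form.
function blockedFromPrefs(prefsText) {
  const blocked = new Set();
  const re = /user_pref\("network\.protocol-handler\.external\.([a-z0-9+.\-]+)",\s*false\);/gi;
  let m;
  while ((m = re.exec(prefsText)) !== null) blocked.add(m[1].toLowerCase());
  return blocked;
}

// Side-by-side comparison over constructed URLs: the blacklist stops shell:
// once the pref is set, but still hands any other registered scheme to the OS;
// the whitelist refuses everything not explicitly enabled.
function compare(urls) {
  const blocked = blockedFromPrefs(SHELLBLOCK_PREF);
  const allowed = new Set(["mailto", "news"]);
  return urls.map((url) => ({
    url,
    blacklist: blacklistDispatch(url, blocked),
    whitelist: whitelistDispatch(url, allowed),
  }));
}

console.table(compare(["shell:example", "aim:goim", "mailto:someone@example.net", "http://example.net/"]));
```

The point the comparison makes is the one in the comment above: a blacklist only ever covers the handlers you already know are dangerous, whereas a whitelist also covers whatever the OS or a third-party installer registers next week.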

Date: 2004-07-11 06:38 am (UTC)
From: [identity profile] wildeabandon.livejournal.com
Thanks for the heads up.

Date: 2004-07-11 07:42 am (UTC)
From: [identity profile] countess-sophia.livejournal.com
Thanks for the reminder about this. Duly done.

Soph x

Date: 2004-07-11 11:35 am (UTC)
From: [identity profile] pavlos.livejournal.com
I continue to laugh at the misfortunes of Windows users, but not too loudly in case someone decides to connect my mac forcibly with my head ;-)

Profile

ciphergoth: (Default)
Paul Crowley
