*sigh* Even Firefox isn't 100% safe under Windows

[ciphergoth]

If you are running Firefox, Thunderbird or Mozilla under Windows, you need this patch right away or you will still be vulnerable to remote exploit. Users of other operating systems are not affected; the vulnerability is in Windows, but Firefox has been patched to work around it.

If you have just gone through the inconvenience of installing Firefox because of the vulnerability in IE, my heart goes out to you. I hope you'll take comfort in the fact that a fix for this problem is already available in Firefox and Mozilla (within a day of the exploit being published), while it seems there is still no effective fix for the problem in IE, so you still made the right choice.

Comments

mayeb this'll make some people feel better *grin*

[bondagewoodelf.livejournal.com]

It appears this is not really a coding bug in the Mozilla software. Rather, they forgot to block a feature of Windows that can use the shell: handler. Actually, Firefox (and friends) try to be nice a offer all external protocol handlers registered to Windows (such as eg. aim:). Apparently windows itself offers something called shell: that can be use to fire commands and the Mozilla coders forgot to block the access from the browser to it.

Re: mayeb this'll make some people feel better *grin*

[deliberateblank.livejournal.com]

Hmm. Cross-protocol exploits were well-known in IE in September 2002.

I think there's definitely an argument here for not allowing any protocol i) you don't fully understand or control the consequences of using, or ii) the user hasn't specifically enabled.

(A base set of http:, https:, ftp:, mailto:, news:, file: and javascript: ought to be enough for 99% of users.)

Re: mayeb this'll make some people feel better *grin*

[stgpcm.livejournal.com]

personally, I think the problem lies with whoever thought registering a 'shell:' handler was a good idea.

installing an inernal stub handler for 'shell:' is technically bad, but definately the right thing to do.

Re: mayeb this'll make some people feel better *grin*

[deliberateblank.livejournal.com]

I can see it being useful for some intranet applications. And dangerous for (untrusted) internet use.

To deny its existence (which would have to be done by disallowing any extensibility in the protocol handler namespace - anyone can create a new protocol handler which could potentially also be abused) is not a practical option because it limits legitimate implementation of valuable functionality.

The key is ensuring that powerful features like this operate with very strict security restrictions, and/or are available only to callers that are trusted. Clearly this has not been done.

Re: mayeb this'll make some people feel better *grin*

[ciphergoth.livejournal.com]

If you follow the bug, you'll find a debate among Firefox developers about whether whitelisting or blacklisting was most appropriate for protocol handlers. Blacklisting won out: the argument is that the whole *point* of having protocol handlers was so that the browser could defer to them if it didn't recognise a protocol. Whitelisting turns out to be the right thing: the argument is that the Windows security people couldn't pour piss from a boot if the instructions were written on the sole.