Thanks to ibetheone in BPN for the heads up.

Three new branches have been created for Firefox, Thunderbird, and the original Mozilla suite in order to fix an external Windows protocol-handler bug. The new version numbers are Firefox 0.9.2, Thunderbird 0.9.2, and Mozilla 1.7.1.

Alternatively, you can set the pref network.protocol-handler.external.shell in about:config to false to close off the exploit, or install the XPI listed below. (The about:config change applies only to your current profile; if you have more than one profile, or may create more later, use the XPI or the updated build instead.)
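To check whether a given profile actually carries the setting, here is an added example (not from the Neowin post or from Mozilla) that parses the user_pref() lines Mozilla writes to a profile's prefs.js and user.js and reports whether the shell handler pref is explicitly false; the profile paths and sample pref contents are constructed.

```python
"""Audit Mozilla/Firefox profiles for the shell: protocol mitigation.

Added example, not part of the original post. It parses user_pref(...)
lines from prefs.js (written by the browser) and user.js (written by the
user) and checks for network.protocol-handler.external.shell = false.
Sample contents below are constructed, not taken from a real profile.
"""
import re
from pathlib import Path

SHELL_PREF = "network.protocol-handler.external.shell"

# One pref line: user_pref("name", value);  value is true/false, an
# integer, or a double-quoted string that may contain backslash escapes.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)


def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and anything malformed
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def shell_handler_disabled(prefs_js, user_js=""):
    """True only when the pref is explicitly false in the profile.

    user.js is applied on top of prefs.js at startup, so it takes priority.
    An absent entry means the build's default applies: 0.9.2 ships with the
    handler off, older builds do not, which is why the manual about:config
    fix has to create the entry when it is missing.
    """
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    return effective.get(SHELL_PREF) is False


def check_profile(profile_dir):
    """Read prefs.js and user.js from a profile directory and report."""
    p = Path(profile_dir)
    prefs = (p / "prefs.js").read_text() if (p / "prefs.js").exists() else ""
    user = (p / "user.js").read_text() if (p / "user.js").exists() else ""
    return shell_handler_disabled(prefs, user)


# Constructed sample: a profile patched via about:config or the XPI ...
PATCHED = ('user_pref("browser.startup.homepage", "http://www.neowin.net/");\n'
           'user_pref("%s", false);\n' % SHELL_PREF)
# ... and one where the entry was never created.
UNPATCHED = 'user_pref("browser.startup.homepage", "http://www.neowin.net/");\n'

if __name__ == "__main__":
    for label, text in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(label, "-> shell handler explicitly disabled:",
              shell_handler_disabled(text))
```

Run check_profile() against each directory listed in profiles.ini to cover the multi-profile case the post warns about.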

It should be noted that this patch was released within hours of the flaw being discovered. Future versions of Mozilla Firefox will include automatic update notifications, which will make it even easier for users to be alerted to security fixes.

Update: It should also be noted that this flaw affects all browsers on the Windows operating system that make use of the "shell" function, not just Mozilla.

Download: Firefox 0.9.2 | XPI fix for older builds
Download: Mozilla 1.7.1
Download: Thunderbird 0.7.2
News source: In-House

#1 Posted by kirk26 on 08 Jul 2004 - 23:54
That was fast. Thanks dudes!
#2 Posted by sadatkarim on 08 Jul 2004 - 23:57
read mozilla releases
#2.1 Posted by Marshalus on 09 Jul 2004 - 00:02
Post updated to reflect the other releases.
#3 Posted by Sim31 on 09 Jul 2004 - 00:02
Thanks sadat
#4 Posted by sadatkarim on 09 Jul 2004 - 00:08
i did it so people could get it for other mozilla products
#5 Posted by kainashi on 09 Jul 2004 - 00:08
thunderbird 0.7.2, btw.
#5.1 Posted by mr.phrodo on 09 Jul 2004 - 00:15
yeah, noticed that straight away too
#5.2 Posted by configure on 09 Jul 2004 - 03:04
Fixed
#6 Posted by Hidr0 on 09 Jul 2004 - 00:08
guess who ain't sleeping well... LOL, damn funny!

Plus awesome work these guys have been doing with the mozilla suite!... thx a LOT
#7 Posted by tterb on 09 Jul 2004 - 00:09
QUOTE
a patch was issued less than forty-eight hours after this bug was filed

this is the real security difference between open source and M$. No software is perfect, but in the open source development community they work hard and *fast* to fix any problems. Now, how many unpatched vulnerabilities are there in IE atm (around 25 last time I had a look). This will be the doom of microsoft
#7.1 Posted by WishX on 09 Jul 2004 - 00:13
I don't know about the doom of Microsoft, but you have to admit, the Mozilla folks jump on vulnerabilities pretty darn fast! Kudos!
#7.2 Posted by PanicButton on 09 Jul 2004 - 00:14
The exploit attacks a Windows vulnerability, Linux and Mac are not affected.
#7.3 Posted by BigBoy on 09 Jul 2004 - 00:26
QUOTE
this is the real security difference between open source and M$. No software is perfect, but in the open source development community they work hard and *fast* to fix any problems. Now, how many unpatched vulnerabilities are there in IE atm (around 25 last time I had a look). This will be the doom of microsoft

Now, while this is cool (and I am writing this through the .9.2 Firefox release) - let's also be realistic... I don't think the problem with Microsoft is that the "closed source" developer cannot figure out the way to fix the problem in the code as fast as the "open source" developer.

The truth of the matter is that MS has to test this stuff a LOT more than the Mozilla people need to. Sure - if something was broken by the FF fix - it would suck but - only us people that use it will ever care. If a fix that came out for IE was breaking stuff, with Windows Update pushing the fix to millions of machines - now that would suck just big time. The test procedure has got to be hideously complex with so many MS apps depending on IE.

I am of course not trying to make excuses for 2+ months of no fixes for known issues. That just sucks.
#7.4 Posted by Cryton on 09 Jul 2004 - 01:10
the bug has been known about for 2yrs
#7.5 Posted by em_te on 09 Jul 2004 - 01:41
QUOTE (#7.0)
this is the real security difference between open source and M$.

How can you compare a process with a company? It should be either a difference between open source and closed source, or a difference between the Mozilla Foundation and MS. And I'm leaning towards the latter because there's no direct relation between speed and effort and the openness of code. Some open source code can go untouched for years and never be updated by the author.
#7.6 Posted by mram on 09 Jul 2004 - 02:34
QUOTE
No software is perfect, but in the open source development community they work hard and *fast* to fix any problems.

Stupid rhetoric. I'm in the open source community. I was busy avoiding this problem. Clearly, either you just assume that the ENTIRE community must be working on THIS problem, or you've just single-handedly defined what is totally wrong about the mere definition of "open source": that the reality was it was probably under 10 people working on this problem.

And, by the way, while you're at it explain to me how it is they keep finding security flaws in linux's kernel? Don't preach to me about how "hard working and fast" open source is unless you're willing to hear how it fails as well.

Bear in mind I'm not saying Microsoft is leaps and bounds better. But this argument has been debunked, killed, buried and beaten many times over. Open source and closed source are fundamentally the same quality and speed (and that's being nice in some contexts).
#7.7 Posted by code_monkey™ on 09 Jul 2004 - 02:45
QUOTE (#7.4)
the bug has been known about for 2yrs

actually, the bugzilla report doesn't mention a bug, just suggests that it _could_ be exploited. The exploit was found two days ago.
#7.8 Posted by insurektion on 09 Jul 2004 - 02:47
mram if you're part of the open source community why not work on it. hater. I'm so good at shooting people down
#7.9 Posted by tomaras on 09 Jul 2004 - 03:08
Ok...now let's imagine that Mozilla had as many users as Internet Explorer. Chances are the patch would make it to very few users. While Microsoft and Apple have a decent way to update applications on their platforms it seems that the open source community has NO way to reach the uneducated computing masses who would make up the majority of the users in that scenario.
#7.10 Posted by virtorio on 09 Jul 2004 - 03:25
I think disabling the shell: protocol is much simpler to correct than most of the issues with Windows.
#7.11 Posted by code_monkey™ on 09 Jul 2004 - 05:55
QUOTE (#7.10)
I think disabling the shell: protocol is much simpler to correct than most of the issues with Windows.

and that's a bad thing?
#7.12 Posted by code_monkey™ on 09 Jul 2004 - 05:56
QUOTE (#7.9)
Ok...now let's imagine that Mozilla had as many users as Internet Explorer. Chances are the patch would make it to very few users. While Microsoft and Apple have a decent way to update applications on their platforms it seems that the open source community has NO way to reach the uneducated computing masses who would make up the majority of the users in that scenario.

Mozilla Firefox 0.9 comes with an auto-updater.
#7.13 Posted by cpu on 09 Jul 2004 - 07:55
In the OS community almost no one cares that your fix could break smth - so, no tests. If you would have 300000000 installations, you would care about some testing before....
#7.14 Posted by CheeseCow on 09 Jul 2004 - 17:49
QUOTE (#7.9)
Ok...now let's imagine that Mozilla had as many users as Internet Explorer. Chances are the patch would make it to very few users. While Microsoft and Apple have a decent way to update applications on their platforms it seems that the open source community has NO way to reach the uneducated computing masses who would make up the majority of the users in that scenario.

If you had checked your latest FireFox version, you would have noticed that annoying "updates available" notice.
#8 Posted by sumeet on 09 Jul 2004 - 00:29
skins still don't work for me
#9 Posted by aristotle-dude on 09 Jul 2004 - 00:33
To be fair guys, this bug has been filed in bugzilla since 2002. It may be that an exploit was discovered recently causing an escalation of the bug priority from "wontfix" to critical.

Anyways this exploit takes advantage of a flaw in the Windows 2000 and XP API which the windows version relies on. Apparently SP2 of XP will fix it for non-admin users.

Mac and linux mozilla/firefox users are not affected by this bug.
#10 Posted by beardly on 09 Jul 2004 - 00:35
updated with everything working as normal. thanks
#11 Posted by Space Guy on 09 Jul 2004 - 00:43
i'm gonna wait for the moox optimized release... (anyone know of any other optimized releases? that are better than moo

also... i was missing the value in about:config... so i just created a new one... does that work?
#11.1 Posted by f00kie on 09 Jul 2004 - 01:48
Does it really optimize? I have a P4.
#11.2 Posted by Space Guy on 09 Jul 2004 - 02:17
Copied from MozillaZine Forums (bold is the one i use):

moox(daily) (Win32) (Trunk of 1, AXP/O2/SSE 2, AXP/O3/SSE, 3, P4/O2/SSE2, 4, P4/O4/SSE2, + spec.req) (GCC)

http://www.moox.ws/tech/mozilla/ --- it does seem a bit faster.... not by a lot... than the original release.
#11.3 Posted by Jugalator on 09 Jul 2004 - 10:47
I always thought speed gains from these "optimized builds" were placebo effects.

After all, Mozilla isn't doing anything at all most of the time (i.e. waiting for user input -- like all GUI programs), and when it *does* something, it's mostly delayed by network and bandwidth limitations.

If you run a standard build on a 2.0 GHz CPU with 512 MB RAM (pretty standard today) I can't imagine it being anywhere near 100% CPU usage -- when things will start to slow down. It's just a browser, not Doom 3.
#12 Posted by em_te on 09 Jul 2004 - 02:05
And they incremented the version number for this patch? What happens if the patch doesn't entirely fix the exploit? They only had 3 hours of testing, right?
#12.1 Posted by Wildcard on 09 Jul 2004 - 02:38
it disables the shell: protocol so yeah that fixes the exploit
#12.2 Posted by em_te on 09 Jul 2004 - 03:43
The current fix by disabling the "shell" protocol would only fix exploits related specifically to "shell:". What happens if another protocol exploit emerges by using a different name (like "vbscript:", "hcp:", "help:")? It's like the ActiveX workaround posted by MS. MS only disabled the ADODB control in ActiveX but didn't fix the ActiveX infrastructure in general. So do we increment the version number for each individual protocol or do we increment it when the actual usage of protocols is fixed?
#12.3 Posted by Jugalator on 09 Jul 2004 - 10:50
QUOTE
"vbscript:", "hcp:", "help:"

Even in unpatched builds, these all show up as unregistered protocols for me.
#13 Posted by slarkin on 09 Jul 2004 - 02:13
I keep seeing these updates to Firefox on Neowin and all over the net everyone is bragging about it. However, every time I try to install it on my system, the only thing that runs is the error reporting. Reminds me of Roxio's garbage. How come there are no comments about the damn program not even opening a web browser window? What is wrong with you guys?
#13.1 Posted by Space Guy on 09 Jul 2004 - 02:19
what build are you installing and what errors do you get?
#13.2 Posted by HolgMan on 09 Jul 2004 - 08:08
Using XP SP2 RC2 with an AMD CPU that has NX (Athlon64, Opteron, etc)? Then I know your problem
#13.3 Posted by slarkin on 09 Jul 2004 - 14:19
That is exactly my configuration!
#14 Posted by slarkin on 09 Jul 2004 - 02:24
The build posted and referred to here: 0.9.2. The program installs, then when I launch it I get a box saying it sent the error to mozilla. I'm sorry; I don't leave stuff that doesn't work on my computer. I immediately uninstall it after trying it a few times. Seems like such a waste of my time. I do this about once a week.
#14.1 Posted by Space Guy on 09 Jul 2004 - 02:28
do this: download firefox (THIS ONE!) and unzip to your desktop... run and tell me if you get the error again...

and if you want... you can contact me on aim or msn... just look it up in my profile in the forum
#14.2 Posted by Ized on 09 Jul 2004 - 13:54
Dude, I wouldn't unzip that to your desktop !! lol.

Download the zip and make a directory for it and unzip it there.
#14.3 Posted by slarkin on 09 Jul 2004 - 14:25
Space Guy,

Same thing. Launching the program only sends an incident report; nothing more. Thanks, anyway. Maybe the next update to SP2 RC whatever will fix it.
#15 Posted by jmole on 09 Jul 2004 - 02:45
Here is the full story on the mozilla security page: Link.

QUOTE
What Mozilla users should know about the shell: protocol security issue:

On July 7 (yesterday) a security vulnerability affecting browsers for the Windows operating system was posted to Full Disclosure, a public security mailing list. On the same day, the Mozilla security team confirmed the report of this security issue affecting the Mozilla Application Suite, Firefox, and Thunderbird and discussed and developed the fix at Bugzilla bug 250180. We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users.

Today, the Mozilla team released a configuration change which resolves this problem by explicitly disabling the use of the shell: external protocol handler. The fix is available in two forms. The first is a small download which will make this configuration adjustment for the user. The second fix is to install the newest full release of each of these products. Instructions on administering these changes can be found below.

We value our users' safety and security and will continue to make all efforts to release secure products and respond quickly when security vulnerabilities are identified in our software. Future versions of Mozilla Firefox will include automatic update notifications, which will make it even easier for users to be alerted to security fixes.

What I bolded sounds pretty promising if it can update itself even though getting updates now is already easy.
#16 Posted by Bryan000 on 09 Jul 2004 - 02:47
TAKE NOTE MICROSOFT. This is how swift fixes should be released.
#16.1 Posted by virtorio on 09 Jul 2004 - 04:47
In all fairness, you can't compare a web browser technology that can be easily closed and reopened in a matter of seconds with a large and complex operating system.
#16.2 Posted by roadwarrior on 09 Jul 2004 - 06:10
Considering that a large number of the vulnerabilities in Windows are a direct result of their web browser and/or its integration into the OS, I'd say that it is a fair comparison.
#16.3 Posted by shao on 09 Jul 2004 - 08:10
it's exactly that kind of attitude that got you guys pissed off with microsoft for releasing unstable, untested, and overly frequent security updates in days of old.

this patch seems more like a kludge than a fix, and personally i'd rather have a fix. If an exploit does exist where one didn't exist before we should expect a proper fix from microsoft hopefully next week, but i doubt it - a bit too late in the month for them to do full regression testing.
#16.4 Posted by Jugalator on 09 Jul 2004 - 10:52
QUOTE
this patch seems more like a kludge than a fix

It entirely removes the feature that's used for the known exploit.

What more can you demand?

Why is it a kludge?

If this one ends up being stable, which I don't doubt given their track record, what can one complain about?
#16.5 Posted by JaggedFlame on 09 Jul 2004 - 12:35
So every time you run into an exploit, you're going to remove the entire feature? Sounds like a kludge to me.
#16.6 Posted by tapo on 09 Jul 2004 - 17:20
shao: It's a problem with Windows 2000 and XP, Mozilla is disabling this because that's all they can do about it. If you'd like a fix, ask Microsoft, not Mozilla.
#17 Posted by Ivand on 09 Jul 2004 - 03:22
No rebooting and 1 second download

This is how you fix a flaw. Kudos to the mozilla foundation
#18 Posted by nX07 on 09 Jul 2004 - 04:22
Agreed with #16 and #17.

Quick, no-rebooting installs/patches are perfect and seamless. With this procedure, I wouldn't mind applying patches.
#19 Posted by qoa on 09 Jul 2004 - 04:45
Since everyone else does this anytime IE even loads slowly.

This browser isn't any better than any other.
#20 Posted by theLANDofSMEG on 09 Jul 2004 - 06:52
I would change it in about:config, but who can resist a new build
#20.1 Posted by rbet on 09 Jul 2004 - 08:23
hehe true!
#21 Posted by mulligan2k on 09 Jul 2004 - 07:53
hmm as quick and simple as the download was, when i installed 9.2 all my themes and extensions from 9.0 wouldn't work. now I'm not blaming anybody for that but i quite like my cool theme and the extensions I've downloaded are really useful. i for one am back on 9.0, not as secure, but my extensions still work
#21.1 Posted by Marshalus on 09 Jul 2004 - 08:07
Just install the XPI and you're safe.
#21.2 Posted by tapo on 09 Jul 2004 - 17:22
Or go into about:config, and disable it. There's instructions somewhere.

(The XPI is just an automated version of disabling it, and 9.2 just has it disabled by default.)
#22 Posted by DOGglee on 09 Jul 2004 - 08:08
cool
#23 Posted by bush on 09 Jul 2004 - 08:25
first mozilla security bug. celebrate, celebrate, jupii :fiesta:
thanks for the fast update
#23.1 Posted by cpu on 09 Jul 2004 - 09:21
QUOTE
first mozilla security bug.

Look in bugzilla

No one cares - it's quite difficult to find it to target the one
It's like F-117 or B-2 - too little, too hiding
#23.2 Posted by Jon on 09 Jul 2004 - 13:29
QUOTE
It's like F-117 or B-2 - too little, too hiding

But still stupidly vulnerable
#24 Posted by Yakkob on 09 Jul 2004 - 08:44
How do you install this extension?

Do you 'save-as' into the extension folder? I have done this and it isn't listed.
I have tried opening it with firefox..still no listing in my extensions.
And when I do the shell:.mp3 test it opens up my default mp3 player....GAH!

So..what am I doing wrong?

please
#24.1 Posted by anakinsolois on 09 Jul 2004 - 10:15
It shouldn't show up as an extension
#24.2 Posted by Tager on 09 Jul 2004 - 12:15
same here. installed the shell block xpi, restarted the browser, doesn't show in extensions but doing shell:.mp3 opens up winamp. using .9.1

edit: n/m. i got it to work by adding it manually in about:config

Last edited by 3845 on 09 Jul 2004 - 12:21
#25 Posted by DrunkenMaster on 09 Jul 2004 - 14:18
I'm having major problems with their stupid installers. All it ever does is create a directory and time out. This is on a fresh install of Windows with no other firefox builds.

Is there a zip'd version I can get instead?
#25.1 Posted by beanboy89 on 09 Jul 2004 - 15:53
Firefox 0.9.2 zip.