StarDestroyer.Net BBS

Get your fill of sci-fi, science, and mockery of stupid ideas
http://stardestroyer.dyndns-home.com/

Firefox/Mozilla Security Warning

http://stardestroyer.dyndns-home.com/viewtopic.php?f=24&t=48852

Page 1 of 1

Firefox/Mozilla Security Warning

Posted: 2004-07-08 10:27pm
by phongn
Note: this affects Windows users only. A patch is available here; new installers (Firefox 0.9.2 and Mozilla 1.7.1) are also available.
eWeek wrote:The reports indicate that links in a Web page using the "shell:" scheme can execute arbitrary programs on the user's system. The attacker would have to know the location in the file system of the program, but there are known programs in Windows with buffer overflows.

This means the attacker could create a link in a Web page that could execute arbitrary code under Windows. Through the use of an appropriate META tag, the attack could load without the user having to click a link explicitly.

In the definition of a URI (Uniform Resource Identifier), the technical name for a Web address, "shell:" is not a protocol like http but a scheme. Some schemes map directly to protocol handlers in the browser itself or externally, such as those that handle audio and video media.

Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle. In this case, the location passed to the shell is a program name that the shell executes.

Posted: 2004-07-08 10:29pm
by The Kernel
Is .92 supposed to fix this?

Posted: 2004-07-08 10:30pm
by phongn
The Kernel wrote:Is .92 supposed to fix this?
Yes, I also linked to the patch.

Posted: 2004-07-08 10:50pm
by Pu-239
Whoa... had me scared. It takes hours for me to download anything over dialup (and my queue of stuff to download is over 600 megs- more debian package updates (which increases at a rate of about 30MB/day, since Debian assumes users have broadband and only puts up entire packages- even if only 1 character or file has changed- as someone who packages files I contribute to this...) and ground control) Ugh.

Patches are always good- better than full downloads. There should be a mozilla/firefox feature for updating W/O visiting a URL though, since eventually unpatched installations will get hacked, since you have a bunch of users thinking Firefox is a cureall and never patch the software.


Fortunately the vulnerability doesn't affect me, hehe... but bashing windows is getting old, and this isn't MS's fault.

Anyway, direct link to patch for lazy users [deliberately left link uncleaned]: http://update.mozilla.org/extensions/in ... 54&vid=261

Posted: 2004-07-08 11:04pm
by Plekhanov
The linked patch only mentions XP anyone have any idea if we also need to patch on W2K and 98 systems?

Posted: 2004-07-08 11:59pm
by phongn
Plekhanov wrote:The linked patch only mentions XP anyone have any idea if we also need to patch on W2K and 98 systems?
I would suggest doing so.
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited