|
07-09-2004, 06:04 AM
|
#1 (permalink) |
|
Devoted
Donor
Location: New England
|
Security Hole in Firefox (& Mozilla & Thunderbird)
Well, there WAS a hole, it's already patched. Took 48 hours, evidently. It only affected Windows XP, and maybe 2000.
If you have 0.9 or 0.9.1, you can download this patch: ShellBlock. If you don't trust the patch, you can set the pref network.protocol-handler.external.shell in about:config to false to remove the exploit. Or you can download the Windows 0.9.2 version and install (identical to 0.9.1 except for the security patch). Full details here: What Mozilla users should know about the shell: protocol security issue Also, if you like Firefox, the developers are asking people to submit reviews to download.com. Please consider this. |
|
|
07-09-2004, 07:08 AM
|
#2 (permalink) |
|
Human
Administrator
Location: Chicago
|
Technically, it wasn't a security hole. And, more technically, it wasn't a problem with Mozilla, it's something caused by a problem Microsoft said it fixed in Windows with SP1. Full details below:
----------------------------------- http://software.newsforge.com/articl...&tid=78&tid=82 Title Commentary: Patched in 60 Seconds Date 2004.07.08 19:08 Author ValourX Today it was announced that a vulnerability in the Mozilla and Firefox Web browsers allows the execution of arbitrary code in Windows NT, 2000, and XP systems. It doesn't affect GNU/Linux, FreeBSD, Solaris or anything else -- just Windows. I'd imagine that Microsoft's head honchos will be mentioning this exploit whenever they want to <a href="http://www.internetnews.com/ent-news/article.php/3337401">attack open source software security</a> for years to come. Ironically OSS advocates might use the same story to attack Microsoft's security record. Why? Because a patch was released before the vulnerability was widely reported. The specific vulnerability in question affects the Mozilla suite (1.7.0 and earlier), Firefox browser (0.9.1 and earlier), and Thunderbird email client (0.7.1 and earlier). Here it is, barely a day since the bug was initally reported, and all these programs have updated versions available as well as a <a href="http://update.mozilla.org/extensions/moreinfo.php?id=154&vid=261&category=">binary patch</a> for those needing a quick fix (if you're currently using one of these programs in Windows, just <a href="http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.1/shellblock.xpi">click here</a> to download the patch right now). To many of us in the free software community this is somewhat disappointing, yet the speed of the patch's release is not at all unusual. <a href="http://lists.netsys.com/pipermail/full-disclosure/2004-July/023645.html">The initial notice</a> was posted to <a href="http://lists.netsys.com/mailman/listinfo/full-disclosure">Full Disclosure</a>, a mailing list that helps software be more secure by exposing security flaws as soon as possible, on July 7. A patch was issued the same day, with no known compromises to any systems. <a href="http://bugzilla.mozilla.org/show_bug.cgi?id=250180">Three bug reports</a> were issued on the topic the same day. The hole Specifically the vulnerability is a feature: it allows Windows programs to be run remotely through clicking on a link like <a href="http://www.mccanless.us/mozilla/mozilla_bugs.htm">one of these</a>. The links use the shell: command to run arbitrary Windows programs or, at its most destructive, a denial of service attack on an individual machine by opening up programs that don't exist. The kicker is that this isn't even a problem with Mozilla; it's a problem with Windows Explorer. Windows XP Service Pack 1 was supposed to have closed this hole, but apparently it is still functioning and leaving Windows systems open to remote attack. So the Mozilla team worked to patch a hole that had little to do with their project. Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows. He who patches first, patches best So we had a fix in less than 24 hours, and the exploit wasn't that bad to begin with. Let's compare this to Microsoft's handling of a recent Internet Explorer exploit that was taken advantage of by the <a href="http://netsecurity.about.com/od/antivirusandmalware/a/aa062804.htm">Scob trojan</a>, which sought to steal sensitive personal and financial information from its unknowing victims. The trojan attacked on June 25, and Microsoft had a patch released a quick and speedy seven days later, on July 2. So for seven days a serious hole remained in Internet Explorer, and even then <a href="http://netsecurity.about.com/gi/dynamic/offsite.htm?site=http://www.computerworld.com/securitytopics/security/holes/story/0%2C10801%2C94366%2C00.html%3Ff=x584">the vulnerability remained!</a> One day for the community to discover, discuss, and patch a Windows security flaw through Mozilla, one week for Microsoft to incorrectly patch a serious IE exploit. Now tell me, Mr. Ballmer, Mr. Gates: Which is the better development model?
__________________
Le temps détruit tout "Musicians are the carriers and communicators of spirit in the most immediate sense." - Kurt Elling Last edited by SecretMethod70; 07-09-2004 at 07:20 AM.. |
|
|
| Tags |
| firefox, hole, mozilla, security, thunderbird |
|
|
