Just Another Blog: Windows security fix in Mozilla products

Saturday, July 10, 2004

Windows security fix in Mozilla products

Mozilla 1.7.1, Firefox 0.9.2 and Thunderbird 0.7.2 for Windows are out as security fix releases.

There is only one change: shell protocol handler is now disabled. This vulnerability is only found in Windows 2000/XP, where websites/users can access local files and launch local applications with shell:. For example, shell:windows would open C:\WINNT. This works in both IE and unpatched Mozilla products. Opera doesn't support this.

Browsers should never allowed webpages to access local directories and files, not to mention launching local applications, by any means. By using this vulnerability, DOS is possible by requesting non-existence directory repeatedly.

If you don't want to reinstall your Mozilla product, you can choose to install the ShellBlock extension which will also disable the shell protocol handler.

By the way, do you know that this vulnerability was discovered and fixed within 1 day? :-P

0 Comments:

Note that troll and spam comments will be deleted without any notification.

Post a Comment

<< Home

About Me

Name: minghong

Location: Hong Kong, Hong Kong

An ordinary Hong Kong young man, graduated in computer science at City University of Hong Kong in 2005, who likes surfing, blogging and watching anime/manga. An evangelist of web standards, non-toy Databases, Mozilla, Google, Gmail, and Blogger.

Just Another Blog

Saturday, July 10, 2004

Windows security fix in Mozilla products

0 Comments:

About Me

Previous Posts