Saturday, July 10, 2004

Windows security fix in Mozilla products

Mozilla 1.7.1, Firefox 0.9.2 and Thunderbird 0.7.2 for Windows are out as security fix releases.

There is only one change: the shell: protocol handler is now disabled. The vulnerability affects only Windows 2000/XP, where websites or users can access local files and launch local applications through shell: URIs. For example, shell:windows would open C:\WINNT. This works in both IE and unpatched Mozilla products; Opera doesn't support shell: at all.

Browsers should never allow webpages to access local directories and files, let alone launch local applications, by any means. Using this vulnerability, a DoS is also possible by repeatedly requesting a non-existent directory.
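The browser-side fix is to disable the handler, as the release does. As an added illustration (not code from this post or from the Mozilla release), here is the complementary check a web application can apply to user-supplied links so that a shell: URI is never served to a browser whose handler is still enabled; the scheme allowlist and the sample links below are constructed.

```python
import html
import re

# Schemes a page may link to. Anything not listed (shell:, file:, javascript:,
# ...) is rejected, so a scheme that maps to a local handler fails closed.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# A URL scheme is a letter followed by letters, digits, '+', '-' or '.'.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)


def normalize_url(raw: str) -> str:
    """Undo the decoding a browser performs before choosing a protocol handler."""
    url = html.unescape(raw)                                # "shell&#58;windows" -> "shell:windows"
    url = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", url)   # leading/trailing controls and spaces
    return re.sub(r"[\t\r\n]", "", url)                     # embedded tab/newline are dropped by browsers


def extract_scheme(raw: str):
    """Return the lower-cased scheme, or None for a relative URL."""
    match = _SCHEME_RE.match(normalize_url(raw))
    return match.group(1).lower() if match else None


def is_safe_link(raw: str) -> bool:
    """True if the link is relative or uses an allowed scheme."""
    scheme = extract_scheme(raw)
    return scheme is None or scheme in ALLOWED_SCHEMES


def sanitize_links(fragment: str) -> str:
    """Replace the target of every disallowed href in an HTML fragment with '#'.

    Regex matching is enough for this demonstration; production code should
    walk a real HTML parse tree instead.
    """
    def fix(match):
        return match.group(0) if is_safe_link(match.group(1)) else 'href="#"'
    return _HREF_RE.sub(fix, fragment)


# Constructed sample: the shell:windows link from the post plus spelling variants.
SAMPLE = (
    '<a href="https://www.mozilla.org/">Mozilla</a> '
    '<a href="shell:windows">open C:\\WINNT</a> '
    '<a href="SHELL:windows">upper case</a> '
    '<a href="shell&#58;windows">entity encoded</a>'
)

if __name__ == "__main__":
    print(sanitize_links(SAMPLE))
```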

If you don't want to reinstall your Mozilla product, you can instead install the ShellBlock extension, which also disables the shell protocol handler.

By the way, did you know that this vulnerability was discovered and fixed within 1 day? :-P


