

steelgaze
Premium
join:2002-02-01
San Francisco, CA
Reviews:
·SONIC.NET
·AT&T DSL Service

4 edits

Firefox Security Update

A recent bug has been found in Firefox 0.x versions that could potentially be exploited; it allows pages to run executables on Windows via a link. Any version prior to 07/08/2004 (today) is affected. This only affects Windows operating systems (some sites say it only affects WinXP, while some sites list WinXP and Win2k; it does not, however, seem to affect the older Win9X systems). People using Firefox or other Mozilla software under Macintosh or Linux operating systems are not affected.

UPDATE: I forgot to mention that affected programs also include Mozilla Suite and Mozilla Thunderbird. There will be new releases, Mozilla Suite 1.7.1, Mozilla Firefox 0.9.2, and Mozilla Thunderbird 0.7.2, that will contain the security fix. I expect the new releases to come out either later tonight or tomorrow. When they are released, expect the site to be slow, as many people will be getting (or trying to get) the new version(s).

If you applied the patch or manually upgraded, there is no need to re-download Firefox 0.9.2. The only thing changed in the upgrade was to address this security issue.

New sample page to see if you are affected by this bug.

WARNING: Please read the page in its entirety. Clicking on a link it provides may cause your system to become unstable.
http://www.mccanless.us/mozilla/mozilla_bugs.htm
If you do not want to risk crashing your computer and don't know if you are affected, you can check the about:config page or just apply the patch. Re-applying it will not harm your system.

Besides downloading the extension, you can fix it by:

1. Typing about:config in the address bar.
2. Find "network.protocol-handler.external.shell"
2a. If the value "network.protocol-handler.external.shell" isn't listed (List is alphabetically ordered by default), you can manually add it by right clicking (in the about:config window), New -> Boolean. Put in the name as stated, and set the value to false.
3. Change the value by double clicking, and changing the value to false.
4. Save what you were doing (if anything) in Firefox, and restart it.

NOTE FOR MANUAL UPDATE: Please keep in mind that if you use more than one profile, you will need to do the manual update for EACH profile. Otherwise, using the XPI fix will do it for all the profiles already created, and new ones you make after.

Links:

http://www.mozillazine.org/talkback.html?article=4960
Link to the fixed nightly build (today's (07/08/2004) nightlies are OUT!)
http://seclists.org/lists/fulldisclosure/2004/Jul/0335.html
Mozilla Recommends installing XPI patch

Firefox 0.9.2
Mozilla Suite 1.7.1
Thunderbird 0.7.2
Final updated version(s) are out. The only difference in these versions (compared to the release version prior) is that they include the security update. If you already installed the patch to fix this issue, you do not need to download the new version.

OK, I forgot to add a link to the extension that fixes this for the lazies.

»ftp.mozilla.org/pub/mozilla.org/···lock.xpi
»update.mozilla.org/extensions/mo···t=_blank (Mirror for XPI patch)

Please keep in mind that you might not get an install confirmation dialog when using the above linked XPI file (I didn't). The extension WILL properly install, and can be checked by going to the "about:config" page, and verifying the "network.protocol-handler.external.shell" is set to FALSE. Also this XPI will not add a new entry in the Extension Manager list.

Always remember to restart Firefox when using either fix to make sure the settings are saved, and take effect.

If you wish to upgrade your version of Firefox and don't know how to with a zip build (or even the installer exe), I recommend reviewing this link before continuing. It offers easy-to-follow instructions to back up your settings and bookmarks in case anything goes wrong. That way you still have a backup of all your (precious) bookmarks, etc.

Final Note: Please note that the Mozilla Support forums have been in a very laggy condition for the past couple of weeks. They are in the process of upgrading their hardware to help fix this problem, but can (as always) use donations. Donation link

EDIT(s): More info, small fixes. Adding more info from below posts so people don't need to look for solutions and such

--
The first anime convention in San Francisco. www.jtaf.com
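
Added example (not part of steelgaze's post and not Mozilla's code): because the manual fix has to be repeated for each profile, this sketch walks a profiles directory and reports, per profile, whether `network.protocol-handler.external.shell` is set to false. It assumes preferences are stored as `user_pref("name", value);` lines in `prefs.js`/`user.js`; the profile names and contents are constructed sample data, and on a real machine the profiles directory path has to be supplied.

```python
import re
import tempfile
from pathlib import Path

PREF = "network.protocol-handler.external.shell"
# Line format of prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(path, name=PREF):
    """Return the last value assigned to `name` in one prefs file, or None."""
    if not path.is_file():
        return None
    value = None
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2).lower()
    return value

def audit_profiles(root):
    """Map each profile directory under `root` to 'false', 'true' or 'missing'."""
    files = list(Path(root).rglob("prefs.js")) + list(Path(root).rglob("user.js"))
    results = {}
    for profile in sorted({f.parent for f in files}):
        # user.js is read at startup and overrides what prefs.js holds.
        value = read_pref(profile / "user.js") or read_pref(profile / "prefs.js")
        # 'missing' only means no per-profile setting was found in these files.
        results[profile.name] = value if value in ("true", "false") else "missing"
    return results

def build_sample(root):
    """Constructed sample data: three made-up profiles, not from the thread."""
    samples = {
        "aaaa.default": 'user_pref("browser.startup.homepage", "about:blank");\n',
        "bbbb.work": f'user_pref("{PREF}", false);\n',
        "cccc.test": f'user_pref("{PREF}", true);\n',
    }
    for name, body in samples.items():
        (Path(root) / name).mkdir(parents=True)
        (Path(root) / name / "prefs.js").write_text("# Mozilla User Preferences\n" + body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for profile, state in audit_profiles(build_sample(tmp)).items():
            flag = "ok" if state == "false" else "NEEDS FIX"
            print(f"{profile:15} {PREF} = {state:8} {flag}")
```

Following the post's criterion, any profile reported as `true` or `missing` still needs the about:config change or the XPI.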


BQuick

join:2003-11-05
Italy

Thanks for the notification, but I can't find the .shell...


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

reply to steelgaze
Also see
»www.mozillazine.org/talkback.htm···cle=4960
It is fixed in FF 0.9.2
»forums.mozillazine.org/viewtopic.php?t=96103
but you can either fix it in your current builds by entering it manually or using .xpi from
»ftp.mozilla.org/pub/mozilla.org/···lock.xpi

Cudni
--
Would you Adam and Eve it?
Help yourself so God can help you..it does exactly what it says on the sig



marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
kudos:5

reply to BQuick
I don't have that entry either.



MRK8
Premium
join:2001-01-11
San Antonio, TX

1 edit

reply to BQuick

said by BQuick:
Thanks for the notification, but I can't find the .shell...

You have to create it if it's not already there:

1) highlight the line above where it should be inserted
2) right-click, select "copy name" (saves on typing)
3) right-click, select "New/Boolean"
4) in the name box, paste the name you just copied, delete the letters after the last period and type in "shell"
5) click OK
6) enter "false" for the value entry, and click OK

It should now show the new entry.
(I believe Firefox needs to be closed and re-run for it to take effect.)
edit: corrected mistake


BQuick

join:2003-11-05
Italy

reply to steelgaze
Done. Thanks a lot.



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2

reply to steelgaze
Talk about response time! They had a manual fix, and a quick patch out extremely quick.

Thanks for bringing this to our attention.



antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA

reply to steelgaze

... from what I just read, it seems to only affect XP ...

... which, I guess, is most of y'all ...

--
... "It's always been my hope that God has a sense of humor" ... Andy Sipowicz ...



dp
Premium,MVM
join:2000-12-08
Greensburg, PA
kudos:7

reply to MRK8

said by MRK8:

I believe Firefox needs to be closed and re-run for it to take effect.

Yes, you have to close and restart Firefox for it to take effect.
--
Write your questions down on the back of a $20 dollar bill and send them to me

Tablet
Premium
join:2003-01-15
Czech

reply to steelgaze
Is it somehow possible in Firefox to disable all protocol handlers except for http, https, ftp and mailto? That might be a good prevention for similar future vulnerabilities.


SUMware
Premium
join:2002-05-21
kudos:2

reply to steelgaze
Using the linked .xpi fixed it instantly. Thanks for the information, steelgaze.

1) Firefox problem discovered.
2) Firefox problem acknowledged.
3) Firefox problem resolved.

Still waiting for the other guys to fix theirs???



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
kudos:2

reply to steelgaze

Mozilla users....

»update.mozilla.org/extensions/mo···p?id=154


keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB

reply to SUMware

Re: Firefox Security Update

quote:
Still waiting for the other guys to fix theirs???
So you think FF is all fixed?

I think there are still many more vulnerabilities to be announced.

SUMware
Premium
join:2002-05-21
kudos:2

reply to antdude

Re: Mozilla users....

Thanks antdude:

ShellBlock is a security fix update for Bug 250180. It disables the shell protocol from being able to be called. The shell protocol is a Windows XP feature that allows applications to call windows explorer using the protocol to run the file specified on the local machine. This update is for users of Mozilla 1.x, Mozilla Firefox, and Mozilla Thunderbird on Microsoft Windows XP only.

Tablet
Premium
join:2003-01-15
Czech

reply to keith2468

Re: Firefox Security Update

said by keith2468:
quote:
Still waiting for the other guys to fix theirs???
So you think FF is all fixed?

I think there are still many more vulnerabilities to be announced.

At least it is much much safer than IE now. That is a good enough reason for me to use it now. And I am one of those optimists who think that Mozilla will at least fix any future vulnerabilities fast, which is not quite the case with IE so far.

SUMware
Premium
join:2002-05-21
kudos:2

reply to keith2468
Keith, you're probably correct. We know that nothing's completely secure nor invulnerable. But I'm confident that if problems are found they will be corrected rapidly and without denial.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

1 edit

reply to steelgaze
Typical of Firefox. The patch freezes. I cannot get it to install.

The patch installed instantly on Mozilla 1.6. The ONLY reason I use Firefox mostly instead of Mozilla is because Text Zoom extension doesn't work in Mozilla.

Edited to add this update:
I see at Mozillazine that lots are saying they don't know if it installed or not because it doesn't show up in extensions manager and it doesn't give any confirmation of installing. On my Firefox, the status bar said "stopped", not "done", so I thought it didn't install. I rebooted and tried again and got the same results. So, just now I checked manually by going to about:config and looking for the status of the shell ext. and it says "false", so I guess it DID install. Would have been nice to have gotten the confirmation popup that I got in Mozilla 1.6 or a listing in the Firefox extension manager.

--
"Everything can be taken from a man or woman
but one thing: the last of the human freedoms
- to choose one's attitude in any given set of
circumstances, to choose one's destiny."
Victor Frankl - Man's Search for Meaning



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2

reply to keith2468
Every browser has exploits, it's just a matter of time, and severity depending on the technology involved.



DaHen
Premium
join:2002-11-08
Brockton, MA
Reviews:
·Comcast
·Verizon Online DSL

reply to steelgaze
I switched to FireFox last week and like it muchly.

The instructions provided by steelgaze & MRK were helpful and easy to follow.

Thanks for info.

DaHen



mers2
Premium,MVM
join:2004-03-20
USA
kudos:8

reply to BlitzenZeus

said by BlitzenZeus:
Every browser has exploits, it's just a matter of time, and severity depending on the technology involved.

What truly matters is how fast the exploits are acknowledged and effectively patched. I'd say Mozilla has been better at this than Microsoft.