borfast Posted July 9, 2004

Time for another update, guys! And this comes just in time, after another discussion about this kind of problem.

http://software.newsforge.com/article.pl?sid=04/07/08/2327246&mode=nested&tid=78&tid=82

http://slashdot.org/articles/04/07/08/2159244.shtml?tid=126&tid=128&tid=154&tid=172&tid=95

And a link to the problem-related page on mozilla.org:

http://mozilla.org/security/shell.html

So as you can see, this is one of the big differences between open source software and MS software: while MS takes weeks and sometimes months to solve problems with their software, open source software has them solved in less than a day! And there's more:

The kicker is that this isn't even a problem with Mozilla; it's a problem with Windows Explorer. Windows XP Service Pack 1 was supposed to have closed this hole, but apparently it is still functioning and leaving Windows systems open to remote attack. So the Mozilla team worked to patch a hole that had little to do with their project.

Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows.

This is the kind of thing that made me drop MS software.

youneverknow Posted July 9, 2004

Thanks Raul... I have applied the patch... Amazing that the patch was available within 24 hours, as opposed to M$ taking over a week to release their patches... Again, thanks for the heads up on this...

youneverknow

TCH-Don Posted July 9, 2004

Yes, thanks Raul! Updating was never so easy.

The idea of patching your software to fix a Windows problem is remarkable.

Thumbs Up

borfast (Author) Posted July 9, 2004

No problem, Don. Note that this patch "fixes" Mozilla, not Windows. Windows will still be vulnerable after applying the patch, because all the patch does is block the functionality out of Mozilla.

If MS fixes Windows Explorer (which seems to be where the real problem is), perhaps the Mozilla developers will make the functionality available once again.