I think what we can take away from this is that it was perhaps bad judgement on the part of the Mozilla foundation on not pro-actively fixing or avoiding this problem.
However, the response time following the development of an exploit is admirable, regardless of this oversight. I still think, as a Firefox user, that I'm still in safer hands than when I was using IE.
PHP Code:$s = new signature();
$s->sarcasm()->intellect()->font('Courier New')->display();
I really don't see how anyone can call this exploit a "bug in Mozilla". It's a feature in Windows that really shouldn't be there, and Mozilla have now released a patch to hide the fundamental Windows insecurity.
Basically, if a URL starts with "http:", then the web browser should display it. A web browser may also attempt to display other URLs - e.g. ones beginning with "ftp:", but there's no law that says they have to. If a web browser doesn't know what to do with a particular URL, then it asks the operating system if IT know what to do with the URL. This exploit is just Mozilla passing URLs starting with "shell:" to Windows - which is what the web browser should do. The fact that Windows is so fundamentally insecure that this facility can be exploited, and Microsoft won't do anything about it so that Mozilla have to, is no reflection on the Mozilla foundation at all.
The truth is that, while Firefox may be more secure than IE, Windows (pre XP SP2 at least) is so flawed that the Firefox/Windows combo is still damned dodgy.
Taken from our front page:
More good news on the security front. InfoWorld reports:
It looks like other programs are doing the same as Mozilla was, and just passing the "shell:" URI to the OS to deal with.Popular Microsoft Corp. products may be vulnerable to a security vulnerability that is similar to one patched for the Mozilla Web browsers last week.
Microsoft's MSN Messenger and Word word processing application both support a feature that could give remote users access to functions that could be used launch applications on Windows computers, according to an alert from Secunia, which tracks software vulnerabilities.
Check out the full article here.
PHP Code:$s = new signature();
$s->sarcasm()->intellect()->font('Courier New')->display();
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote