
By Robert Lemos
Posted on ZDNet News: Jul 9, 2004 4:40:00 AM

Developers at the open-source Mozilla Foundation have confirmed that the latest versions of their Web browsers have a security flaw that could allow attackers to run existing programs on the Windows XP operating system.

The flaw, known as the "shell" exploit, was publicized Wednesday on a security mailing list, along with a link to a fix for the problem. Updated versions of the affected software programs, which include the Mozilla, Firefox and Thunderbird browsers, have been released.

Developers said the flaw affects only Windows users, not computers running the Macintosh and Linux operating systems. Like recent Internet Explorer vulnerabilities, this flaw only lets the attacker run an existing program; gaining further access requires exploiting security problems in other applications.

The flaw can be used to pass a file extension to the operating system. Windows XP will then run the helper application corresponding to that file extension. The main threat comes from the ability of an attacker to pass parameters to exploit vulnerabilities in a specific helper application, which could give an outsider access to the system. A shell problem could also cause the computer to freeze.
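The handoff described above, where a link makes the browser ask the operating system to launch a helper application, is normally contained by a deny-by-default scheme policy. The following is an added example, not Mozilla's patch: it takes `shell:` as the URL scheme behind the exploit's name (an assumption, since the article does not spell out the URL form), and the scheme lists, function names and sample links are constructed for illustration.

```javascript
// Added example: deny-by-default policy for URL schemes handed to the OS.
// Scheme lists and sample URLs are constructed assumptions, not Mozilla's code.
const HANDLED_INTERNALLY = new Set(["http:", "https:", "ftp:"]);
const EXTERNAL_ALLOWLIST = new Set(["mailto:", "news:"]);

// Weak form: a literal blocklist test on the raw string.
function naiveBlocklistAllows(raw) {
  return !raw.startsWith("shell:");
}

// Hardened form: parse first, then decide on the normalized scheme.
function classifyUrl(raw) {
  let url;
  try {
    url = new URL(raw); // trims surrounding whitespace, lower-cases the scheme
  } catch {
    return { action: "reject", scheme: null };
  }
  const scheme = url.protocol;
  if (HANDLED_INTERNALLY.has(scheme)) return { action: "load", scheme };
  if (EXTERNAL_ALLOWLIST.has(scheme)) return { action: "handoff", scheme };
  return { action: "block", scheme }; // never reaches an OS helper application
}

// Constructed sample links, as they might appear in a page.
const samples = [
  "https://example.com/",
  "mailto:user@example.com",
  "shell:constructed-sample.ext",
  "SHELL:constructed-sample.ext",
  "  shell:constructed-sample.ext",
  "unknownscheme:anything",
  "no scheme here",
];

// Compare both checks for every sample link.
function auditSamples(list) {
  return list.map((raw) => ({
    raw,
    naiveAllows: naiveBlocklistAllows(raw),
    decision: classifyUrl(raw).action,
  }));
}

console.table(auditSamples(samples));
```

The blocklist lets the upper-case and space-prefixed variants through, while the allowlist blocks every scheme it was not told about, including ones nobody has thought of yet.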

The news comes as Microsoft has been dealing with a string of security flaws found in its Internet Explorer browser during the past several weeks. Some researchers had begun recommending that people worried about online security stop using the IE browser altogether.

Microsoft recommends that Web surfers using Internet Explorer keep abreast of the latest security warnings, and go to the company's Protect Your PC site.

Mozilla developers said that future versions of the Firefox Web browser would have automatic update notifications that would make it easier to notify users about security fixes.


