http://www.eweek.com/article2/0,1759,1621463,00.asp

"Updated: The Mozilla Foundation has confirmed findings that its Mozilla and
Firefox browsers are vulnerable to attacks using the "shell:" scheme, which
execute arbitrary code under Windows without the user having to click a link.
The Mozilla Foundation has confirmed the problem and issued a fix, which is
available here."
"An old discussion in the Mozilla bug report database considers the possibility
of addressing this problem, but the developers decided against it since the
program has a facility for letting the user disallow specific external protocols
and schemes, including shell:. It is not disabled by default, though.
The developers considered changing from scheme blacklisting to whitelisting, in
which case all schemes and protocols would be disallowed unless explicitly
allowed. Mozilla Foundation spokesmen said a future version of the browsers will
change to whitelisting, but the interim fix just disables the shell protocol.
Several other schemes, such as vbscript, are already disabled by default."

http://ftp.mozilla.org/pub/mozilla.org/moz...1-installer.exe
http://ftp.mozilla.org/pub/mozilla.org/fir...Setup-0.9.2.exe

Problem, but fixed. Linux and Mac OS users will not have this issue.
--
Richard Jobity, Tunapuna, Trinidad and Tobago | ph: (868) 620-5550
-----------------------------------------------------------------
http://www.ttlug.org |
http://www.weakblog.com |
http://www.jobity.com
mail @ richjob@jobity.com | icq: 5183191 | aim: richjob | ym: richjob
-----------------------------------------------------------------
Trusted computing gives companies more control over your machine than
you have.
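
The blacklist-versus-whitelist choice described in the quoted article, shown as an added example that is not part of the original mail and is not Mozilla's code. The function names, the contents of the allowed set and the sample URLs are assumptions made for illustration; only the vbscript and shell entries come from the article.

```javascript
// Added illustration: scheme blacklisting vs. whitelisting for external handlers.
// Set contents are assumed, except "vbscript" and "shell", which the article names.
const DENYLIST_BEFORE_FIX = new Set(["vbscript"]);          // shell: not yet blocked
const DENYLIST_AFTER_FIX = new Set(["vbscript", "shell"]);  // interim fix: block shell:
const ALLOWLIST = new Set(["http", "https", "ftp", "mailto"]); // assumed allowed set

// Return the lower-cased scheme, or null when the input has none.
// Tabs/newlines and leading control characters are stripped first, so that
// case or whitespace tricks cannot slip a scheme past a string comparison.
function extractScheme(url) {
  const cleaned = String(url)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Blacklisting: anything not explicitly denied is handed to the OS.
function denylistAllows(url, denied) {
  const scheme = extractScheme(url);
  return scheme !== null && !denied.has(scheme);
}

// Whitelisting: anything not explicitly allowed is refused.
function allowlistAllows(url, allowed) {
  const scheme = extractScheme(url);
  return scheme !== null && allowed.has(scheme);
}

// Evaluate one URL under all three policies.
function compare(url) {
  return {
    scheme: extractScheme(url),
    denylistBeforeFix: denylistAllows(url, DENYLIST_BEFORE_FIX),
    denylistAfterFix: denylistAllows(url, DENYLIST_AFTER_FIX),
    allowlist: allowlistAllows(url, ALLOWLIST),
  };
}

// Constructed sample inputs (placeholders, not real links).
const SAMPLES = [
  "https://example.org/",
  "\tVBScript:placeholder",
  " ShElL:placeholder",
  "unlisted-scheme:placeholder",
];
for (const u of SAMPLES) console.log(JSON.stringify(u), compare(u));
```

The last sample is the case the interim fix leaves open: a scheme nobody thought to list still passes both blacklists, while the whitelist refuses it by default.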