Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Firefox update 2.0.0.6 released

July 31st 2007 in Uncategorized

Firefox version 2.0.0.6 has been released to fix two security issues:


Unescaped URIs passed to external programs:
http://www.mozilla.org/security/announce/2007/mfsa2007-27.html


Privilege escalation through chrome-loaded about:blank windows:
http://www.mozilla.org/security/announce/2007/mfsa2007-26.html


A related security advisory has been released which says:


“…it is still possible to launch a filetype handler based on extension rather than the registered protocol handler. A way to exploit a common handler with a single unexpected URI as an argument may yet be found. Since this handling is a property of the Windows Shell API this variant appears to affect other internet-enabled applications that pass these URIs to the Windows Shell.


Workaround


By default Firefox will ask before launching external protocol handlers, and these prompts should be denied from sites that are not trustworthy, especially if the requested URL contains spaces and double-quote (“) characters. An exception is made for mail-related protocols in Firefox, they do not prompt by default. If the default mail handler is Thunderbird 2.0.0.5 or later there will not be a problem, but if another program or older version of Thunderbird is the default handler then mail URIs can be made to prompt as well. (Similarly, in Thunderbird browser protocols like http: and ftp: do not prompt but instead launch the default browser.)”


It is important to note that the External Protocol Request dialogue box mentioned in the security advisory has a “Remember my choice for all links of this type” check box. If that option has been selected in the past, you will not see a prompt at all, which makes the advice that “these prompts should be denied from sites that are not trustworthy” a bit beside the point. Then there is the problem of how to decide whether a site is trustworthy in the first place. Some big names have been hacked in recent times, and it has pretty much got to the stage where *any* site is a potential risk.


If you want to check your prompt settings, you will need to examine about:config.
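The prompt settings live in the network.protocol-handler.* preferences, which Firefox also writes to prefs.js in the profile folder. The script below is an added example (not part of this post or of Mozilla’s code) that reads a constructed prefs.js fragment and reports, for a list of schemes, whether an external handler will be blocked, will prompt, or will launch silently. It assumes the preference names network.protocol-handler.warn-external-default, network.protocol-handler.warn-external.<scheme> (the one the “Remember my choice” box sets to false) and network.protocol-handler.external.<scheme>, and it assumes the mail-related schemes that skip the prompt by default are mailto, news, nntp and snews.

```python
import re

# Firefox 2 does not prompt for mail-related schemes by default (the advisory
# quoted above names the exception; this exact scheme list is an assumption).
MAIL_SCHEMES = {"mailto", "news", "nntp", "snews"}

# Constructed prefs.js fragment: "Remember my choice" was ticked for telnet,
# mailto was made to prompt, and callto was disabled outright.
SAMPLE_PREFS = '''
user_pref("network.protocol-handler.warn-external.telnet", false);
user_pref("network.protocol-handler.warn-external.mailto", true);
user_pref("network.protocol-handler.external.callto", false);
user_pref("browser.startup.homepage", "about:blank");
'''

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|"[^"]*"|-?\d+)\);')


def parse_prefs(text):
    """Turn user_pref("name", value); lines into a dict of typed values."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def prompts_for(prefs, scheme):
    """Effective 'ask before launching' decision for one scheme."""
    per_scheme = "network.protocol-handler.warn-external." + scheme
    if per_scheme in prefs:
        return bool(prefs[per_scheme])
    if scheme in MAIL_SCHEMES:
        return False  # default: no prompt for mail-related schemes
    return bool(prefs.get("network.protocol-handler.warn-external-default", True))


def handler_state(prefs, scheme):
    """'blocked' (never launched), 'prompt' (dialogue shown) or 'silent'."""
    if prefs.get("network.protocol-handler.external." + scheme) is False:
        return "blocked"
    return "prompt" if prompts_for(prefs, scheme) else "silent"


def silent_schemes(prefs, schemes):
    """Schemes whose external handler launches with no prompt at all."""
    return sorted(s for s in schemes if handler_state(prefs, s) == "silent")


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for scheme in ["telnet", "mailto", "nntp", "callto"]:
        print(f"{scheme:8} {handler_state(prefs, scheme)}")
    print("silent:", silent_schemes(prefs, ["telnet", "mailto", "nntp", "callto"]))
```

Running it against a real profile means reading prefs.js from the profile folder instead of SAMPLE_PREFS; any scheme reported as “silent” is one for which the advice to deny the prompt cannot help, and setting its warn-external preference back to true in about:config restores the dialogue.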


The ush.it blog has an entry about hardening Mozilla Firefox’s protocol handler settings that you may find useful:
http://www.ush.it/2007/07/25/clientside-security-hardening-mozilla-firefox/


Download Firefox 2.0.0.6
http://www.getfirefox.com/


Release notes:
http://en-us.www.mozilla.com/en-US/firefox/2.0.0.6/releasenotes/

