Originally posted by: L1FE
Not sure why this is in the hot deals section...BUT I find it odd how people are bashing on firefox for being insecure when it's a flaw inherent in Windows...as in a feature of Windows that firefox uses is the main security risk...:rolls eyes:
Exactly. What I guess most people don't understand about this "exploit", is how applications and OSes are built, and what layers are responsible for what. In Windows', there is an OS-wide list of "protocol handlers", maintained in the registry. This is what allows, for example, you to browse a web page in Mozilla Firefox, and click on a "mailto:" link, and launch your favorite mail client to send an e-mail (ie. your OS-registered "mailto:" protocol-handler helper app). It could be Outlook Express (default installation), or anything else. It doesn't have to be Mozilla Thunderbird, they don't lock you into using their suite of apps exclusively, as MS tries to do to users.
Blocking all external protocol handlers by default, would have basically broken Mozilla as a browser, because it would have made it too difficult for the majority of end-users to use protocol-handler helper apps, and requiring a seperate Mozilla-specific method of registering external protocol-handler helper apps would have been unfeasable - other e-mail clients and whatnot wouldn't have bothered with it, what with Mozilla's miniscure market share (at the time).
Basically, if the protocol-handler is "external", meaning not handled internally to the browser, Mozilla does what every other Windows-compliant browser does - it runs the appropriate protocol-handler specified in the registry. Apparently, Windows has this default "shell:" protocol-handler that essentially gives wide-open access to a number of things. This is similar, in a way, to the "URL:" "location:" "ms-its:" "hcp:" and a number of other protocol-handler issues/exploits that IE has had to deal with for some time now.
One thing to be thankful about Mozilla's dev team though, is that they do put a lot of work into patching over a lot of Windows' own security issues within their application, to provide for the best end-user experience. Apparently they missed this one, or it was not well-known to them. But when they were made aware of it, they released a patch and an updated release,
immediately. So don't listen to the trolls, that claim that Mozilla was lazy in fixing this, because IMO they were very quick to release a patch, much quicker than MS is. (Heck, MS still doesn't have a full set of patches, for the recent "scob" thing, do they?)
I just find it really funny, also, the number of IE users that don't understand the specifics of this issue, and point fingers and go "See! Mozilla has these awful exploits/holes too! Open-source sucks!", and at the same time use IE with ActiveX enabled...
(Every ActiveX CLSID specification is effectively equivalent to an external protocol-handler, even worse, most of them run as in-process COM objects, not in a seperate process address space, so they could do even more damage.)
Edit: Ok, perhaps I was slightly wrong here. Specifically, the "shell:" external protocol-handler exploit indeed was a new thing. However, after reading quite a few Mozilla BugZilla threads, it's clear that the possibility for such a thing happening, was known back in early 2002, except that no fully-agreed-upon solution was arrived at, so in fact, nothing was really done about it. Consensus-by-committee never works, it seems.
Here are some more links, if anyone is interested in the technical specifics and background on this issue:
http://bugzilla.mozilla.org/show_bug.cgi?id=163308
http://bugzilla.mozilla.org/show_bug.cgi?id=163767
http://bugzilla.mozilla.org/show_bug.cgi?id=167473
http://bugzilla.mozilla.org/show_bug.cgi?id=250180
http://bugzilla.mozilla.org/show_bug.cgi?id=163648
http://bugzilla.mozilla.org/show_bug.cgi?id=167475
Other interesting individual comments that I came across in my travels:
(Note that these are all from 2002)
Good comment from Georgi Guninski on external protocol-handler support, and why it is a Bad Thing if enabled by default.
http://bugzilla.mozilla.org/show_bug.cgi?id=163648#c20
Another comment, suggesting a user dialog to prompt for running an external protocol-handler. (This I personally tend to agree with, and am disappointed that Mozilla or Firefox hasn't implemented this yet.)
http://bugzilla.mozilla.org/show_bug.cgi?id=163648#c22
Another excellent comment by George, pointing out that overall security is only as good as the strength of the weakest link, and unless external procotol-handlers are controlled, then that "weakest link" is an arbitrary quantity.
http://bugzilla.mozilla.org/show_bug.cgi?id=163648#c30
Another post from George - "I vote for an empty whitelist. The fact that this bug is open shows that there is a bug with vbscript and mozilla. If the next IE install a protocol msbar: , should mozilla release a new version to blacklist it? If a worm takes an advantage of IE's bugs and owns mozilla users, what shall mozilla.org tell - "it is not our fault, just our blacklist is a bit incomplete" ?"
http://bugzilla.mozilla.org/show_bug.cgi?id=163648#c36