The Mozilla Foundation has issued a patch for a security vulnerability discovered Thursday in the organization’s open source Mozilla Application Suite, Firefox browser and Thunderbird e-mail client. The security flaw, known as the “shell exploit,” could allow attackers to run programs on Windows XP.
Users of other operating systems, including Mac OS X, Linux and other Unix variants, would not be affected by the flaw.
The shell exploit can be used to send a file extension into an operating system, and Windows XP will run whichever helper application is related to the extension. With this ability, an attacker could gain access to a system or freeze a computer remotely.
According to the Mozilla Foundation, the vulnerability was posted on Thursday to Full Disclosure, a public security mailing list. The same day, the foundation’s security team confirmed the report and developed a fix.
On Friday, the team released a configuration change that resolves the problem by explicitly disabling the use of the shell external protocol handler. Instructions on administering the patches can be found on the foundation’s site.
The organization has noted that it will continue efforts to release secure products and respond quickly when security vulnerabilities are identified in its software.
It has also announced that future versions of Mozilla Firefox will include automatic update notifications, which will make it easier for users to be alerted to security fixes.
Not So Flawless
News of the Mozilla flaw comes after recent reports of an OS X vulnerability and an announcement by the Debian Project of a flaw in the Linux kernel.
Microsoft also has been dealing with a spate of security flaws in its Internet Explorer browser in the past few weeks, prompting a software update in early July.
When Microsoft was experiencing problems, some in the security community, including the SANS Internet Security Center, advised users to consider alternatives like Mozilla and Opera. Now that it has been shown that alternative browsers can be just as flawed as the larger players, the whole issue seems to have highlighted the difficulties of keeping browsers secure.
“Previously, what seemed to be a safe haven turned out not to be,” said Laura DiDio, Yankee Group analyst, in a LinuxInsider interview. “It shows that if you don’t have safeguards in place, you’re going to see a problem. This isn’t just a Microsoft issue anymore.”
Part of the problem, DiDio noted, is the inordinate amount of code that is involved with browsers. She compared the situation to a facial. Although a person might think his or her skin is clear and blemish free, once it goes under a magnifying glass, every flaw is highlighted.
“Software is an inexact science,” she said. “The general rule of thumb is that for every hundred lines of code, you have a minimum of three errors. Mozilla has a few million lines of code. It’s going to have errors.”
“Exposing flaws is important for user trust,” said Thomas Kristensen, CTO of Danish security services company Secunia, a firm that has discovered IE holes in the past. “People have to be able to know a browser is behaving the way it should,” he told LinuxInsider. “That’s why it’s important for browser developers to announce these flaws.”
DiDio noted that as Linux grows up, users can expect to see more browser vulnerabilities brought to light. She said that although most attackers have been focused on Windows, that does not mean Linux users will be safe for long.
“I think the message here is: Get ready for more flaws,” she said. “It’s a fact of life that no matter what system you’re using, you shouldn’t feel secure without having good practices in place.”
These reason for the hole was an error in the Windows XP code which was suppose to have been patched in Service Pack 1 but obviously wasn’t. The tone of your article and your choice of "expert" comments (Ms. Didio a Microsoft shill) leaves much in the fact checking to be desired. Please update the story and make it correct. Thank you for you time and may God bless.
Thomas F. Williams
Strongtower Solutions, Inc.
Just a quick note.
First, the "flaw" was not a Mozilla flaw per say, it was rather a Mozilla handler that allowed a Microsoft security flaw to be exploited.
Then you kinda fail to note that it took Mozilla 1 day to plug the hole, how long did it take Microsoft to plug the latest hole again? Oh yeah…it’s not really fixed yet…I forgot.