Mozilla Patches Vulnerability

moghrabi

By Jim Wagner
July 12, 2004

Developers at the Mozilla Foundation quickly patched a hole in its Web browser that could allow crackers to take over users' PCs.
The 572-byte patch disables the browser's use of the "shell:" external protocol handler. The handler determines what application to execute when it runs across a specific file extension. One example of this is when a user clicks on an e-mail address link on a Web page and the user's default e-mail client launches.

The vulnerability only affects machines running Mozilla, Firefox and Thunderbird on the Windows operating system; Linux and Macintosh users aren't affected. Users also can download the latest versions of the affected applications to eliminate the flaw (Mozilla 1.7.1, Firefox 0.9.2 and Thunderbird 0.7.2).

A user first reported the vulnerability last Wednesday on a public security mailing list called Full-Disclosure. By the end of the day, Mozilla developers confirmed the report, releasing a patch the next day. Industry experts say this turnaround time is one of open source's greatest strengths.

Mozilla, which became an open source project after AOL essentially handed over the reins to its Netscape browser, is developed and updated through the efforts of volunteers throughout the world. The Mozilla Foundation is able to accomplish what many proprietary software companies can't, with a software team numbering in the thousands that can root out potential vulnerabilities.

Take, for example, Internet Explorer and Opera, Web browsers that have been hard-hit recently with software vulnerabilities. Opera was hit with breaches last November, May and June. IE has been beset with so many new bugs that have not been fixed quickly enough that the U.S. Computer Emergency Readiness Team (US-CERT) warned Web users not to use the browser.

Yankee Group Analyst Patrick Mahoney said that, in the grand software scheme of things, Microsoft's IE is well down there on the list of priorities at the company.

"Mozilla is working very hard at being a robust browser, and I think one of the reasons is because it's their sole purpose," he said. "Internet Explorer for Microsoft is an embedded, almost given, part of their operating system. I don't think they've been as responsive, because, as we all know, it's not part of their primary product line."

That doesn't mean that Microsoft isn't looking into the vulnerabilities, Mahoney said, but the slow patch releases are one of the reasons Mozilla is getting so much attention lately. He said that for the time being, casual Web surfers will stick with IE. Microsoft plans to release significant security enhancements for IE in Windows XP Service Pack 2, due out later this year.

This article was first published on internetnews.com.