Moz/Firefox on Windows security patch

I

Ionizer

Reg Mouatt said:
Am having a problem downloading the patch. The details of the failure
to download are given as "Firefox could not check for updates for the
following components (either the update server(s) did not respond or
the update service(s) were not found)". In the dialogue box was the
message 'DOM Inspector'.

Just follow the instructions on that page and, as it says in Step 1, Click
"Install Patch" If it appears to have no effect, open Tools|Options >
Advanced, and be sure you have a check mark next to "Allow web sites to
install software." (After the patch is installed you may want to remove
that check mark again.)

Hope that helps,
Ian.
 
N

Nick FitzGerald


Note that this affects Gecko-based Windows products _in general_, not
just those listed on that page. "Non-Mozilla" apps based on or that
incorporate the Gecko HTML rendering engine are also affected, for
example more recent versions of Netscape Navigator...

The same basic "patch" (what a glorified term for a minor change to
the product's default configuration!) should apply to all such
products, or you can find their equivalent of Mozilla's "all.js" file,
open it in Notepad or another text-only editor and add the line:

pref("network.protocol-handler.external.shell", false);

Please don't just take my word for this... The "vulnerability" can
easily be tested in any Gecko-based product by arranging for whatever
HTML content it renders to include the URL "shell:cookies" and cliking
that link or otherwise causing the app to follow that link -- if
vulnerable a Windows Explorer window will open displaying the contents
of one or other of the cookies folders on the test machine. Once the
"patch" is applied you will instead get some kind of error dialog or
other indication that the link was not successfully followed. As for
the configuration fix, it should be pretty obvious from perusing the
diff of the "official patch" at:

http://bugzilla.mozilla.org/attachment.cgi?id=152534&action=view

which is linked from the official Bugzilla entry for this issue:

http://bugzilla.mozilla.org/show_bug.cgi?id=250180
 
C

charles

Please don't just take my word for this... The "vulnerability" can
easily be tested in any Gecko-based product by arranging for whatever
HTML content it renders to include the URL "shell:cookies" and cliking
that link or otherwise causing the app to follow that link -- if
vulnerable a Windows Explorer window will open displaying the contents
of one or other of the cookies folders on the test machine. Once the

Well here's a surprise; maybe I should rename this thread to something
relevant to Forte Agent. I will at least crosspost this msg anyway to
the a.u.o-r.f-a and a.u.o-r.f-a.m groups.

I find Forte Agent 1.93/32.576 is also susceptible to this exploit.
Clicking on "shell:cookies" in Forte Agent will open an Explorer window
with IE's cookies in it.

The exploit is enabled by the setting in Agent's config file urltype.dat
for Type:Shell. Setting it to Enable:0 seems to fix it. I never modified
the setting for this type of link previously, never noticed it in any
documentation and can't find an interface to it within the Agent
program.

I would imagine all the above holds for other versions of Agent.

Here is the relevant section in urltype.dat (after fix) -

Type: Shell
Name:
Enable: 0
UseHttp: 0
RemovePrefix: 0
Mode: 0
App: %SystemRoot%\Explorer.exe /idlist,%I,%L
UseDde: 1
DdeMethod: 0
DdeApp: Folders
DdeTopic: AppProperties
DdeMsg: [ViewFolder("%l", %I, %S)]
 
C

charles

The exploit is enabled by the setting in Agent's config file urltype.dat
for Type:Shell. Setting it to Enable:0 seems to fix it. I never modified
the setting for this type of link previously, never noticed it in any
documentation and can't find an interface to it within the Agent
program.

<snip>

Always hit the send button too fast. Of course the setting is accessible
from Options/General Preferences/URL Types.
 
J

jo

charles said:
I find Forte Agent 1.93/32.576 is also susceptible to this exploit.
Clicking on "shell:cookies" in Forte Agent will open an Explorer window
with IE's cookies in it.

Not here, it doesn't.
 
N

Nick Spalding

charles wrote said:
Please don't just take my word for this... The "vulnerability" can
easily be tested in any Gecko-based product by arranging for whatever
HTML content it renders to include the URL "shell:cookies" and cliking
that link or otherwise causing the app to follow that link -- if
vulnerable a Windows Explorer window will open displaying the contents
of one or other of the cookies folders on the test machine. Once the

Well here's a surprise; maybe I should rename this thread to something
relevant to Forte Agent. I will at least crosspost this msg anyway to
the a.u.o-r.f-a and a.u.o-r.f-a.m groups.

I find Forte Agent 1.93/32.576 is also susceptible to this exploit.
Clicking on "shell:cookies" in Forte Agent will open an Explorer window
with IE's cookies in it.

The exploit is enabled by the setting in Agent's config file urltype.dat
for Type:Shell. Setting it to Enable:0 seems to fix it. I never modified
the setting for this type of link previously, never noticed it in any
documentation and can't find an interface to it within the Agent
program.

I would imagine all the above holds for other versions of Agent.

Here is the relevant section in urltype.dat (after fix) -

Type: Shell
Name:
Enable: 0
UseHttp: 0
RemovePrefix: 0
Mode: 0
App: %SystemRoot%\Explorer.exe /idlist,%I,%L
UseDde: 1
DdeMethod: 0
DdeApp: Folders
DdeTopic: AppProperties
DdeMsg: [ViewFolder("%l", %I, %S)]
You mean if you take the trouble to create such an exploit it works?
What a surprise!

Agent as shipped doesn't contain any URLTypes entry for shell:.
 
C

charles

You mean if you take the trouble to create such an exploit it works?
What a surprise!

Agent as shipped doesn't contain any URLTypes entry for shell:.

Well, I've had Agent on this machine a long while through a number of
updates and, as I said initially, I never modified the setting for this
type of link, nor in fact did I realize the type existed to begin with.
How it inserted itself into urltype.dat is a mystery.

The entry does not exist in the latest install which I just ran to see.
 
N

null

I find Forte Agent 1.93/32.576 is also susceptible to this exploit.
Clicking on "shell:cookies" in Forte Agent will open an Explorer window
with IE's cookies in it.

Free Agent has no such clickable option that I can find.
The exploit is enabled by the setting in Agent's config file urltype.dat
for Type:Shell.

Free Agent has no such Type listed.


Art
http://www.epix.net/~artnpeg
 
B

Bart Bailey

Free Agent has no such clickable option that I can find.


Free Agent has no such Type listed.
I think it's under [Options] [General Preferences] [URL Types]
and you have to create the vulnerability deliberately, although I
haven't figured it out, nor am looking too hard. I suppose a talented
enough individual could manage to render almost any browser dangerous.
 
N

Nick Spalding

charles wrote said:
Well, I've had Agent on this machine a long while through a number of
updates and, as I said initially, I never modified the setting for this
type of link, nor in fact did I realize the type existed to begin with.
How it inserted itself into urltype.dat is a mystery.

Gremlins no doubt.
The entry does not exist in the latest install which I just ran to see.

Not in 1.93/32.576 either, nor in 1.5/16.451 - I don't have any of the
ones in between.
 
R

Randall Bart

'Twas Tue, 13 Jul 2004 11:00:03 +0100 when all
alt.usenet.offline-reader.forte-agent stood in awe as Nick Spalding
Gremlins no doubt.

My computer is infested with the same gremlins. When I click
shell:desktop, I get an Explorer window. I started with Free Agent then
upgraded to Agent 1.7. Free Agent didn't do URLs, so I guess Agent 1.7
set up the shell: protocol. It's set to "Use Windows Registry Setting".
--
RB |\ © Randall Bart
aa |/ (e-mail address removed) (e-mail address removed)
nr |\ Please reply without spam I LOVE YOU 1-917-715-0831
dt ||\ Wasteland: http://chernobyl.brainthru.com
a |/ How ugly is that flag: http://flaggrades.brainthru.com
l |\ DOT-HS-808-065 The Church Of The Unauthorized Truth:
l |/ MS^7=6/28/107 http://yg.cotut.com mailto:[email protected]
 
K

Kevin D. Quitt

My serial number is well below 3,000 (ignoring the 1 and a bunch of
zeroes), and I have the URLType entry for shell:.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Alternate browser updates 4
Patch for Mozilla - Problem downloading. 2
K-Meleon 0.8.2 + Wechselbalg 3
For the nervous 15
More MS bugs 29
File change detection utility for Win 9X/ME 65
NAV too 2
New Bagle variant 3

Top