PATCH Firefox \ Mozilla \ Thunderbird NOW

[Ice Czar]

Developers at the open-source Mozilla Foundation have confirmed that the latest version of their Web browsers have a security flaw that could allow attackers to run existing programs on the Windows XP operating system.

The flaw, known as the "shell" exploit, was publicized Wednesday on a security mailing list, along with a link to a fix for the problem. Updated versions of the affected software programs, which include the Mozilla, Firefox and Thunderbird browsers, have been released.

If your still using IE hopefully your aware of all the patches that need to be applied as well
and those that still need to be developed.

What Mozilla users should know about the shell: protocol security issue
On July 7 (yesterday) a security vulnerability affecting browsers for the Windows operating system was reported to mozilla.org by Keith McCanless, and was subsequently posted to Full Disclosure, a public security mailing list. On the same day, the Mozilla security team confirmed the report of this security issue affecting the Mozilla Application Suite, Firefox, and Thunderbird and discussed and developed the fix at Bugzilla bug 250180. We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users.

Today, the Mozilla team released a configuration change which resolves this problem by explicitly disabling the use of the shell: external protocol handler. The fix is available in two forms. The first is a small download which will make this configuration adjustment for the user. The second fix is to install the newest full release of each of these products. Instructions on administering these changes can be found below.

How to update
Mozilla, Firefox and Thunderbird users on Microsoft Windows operating systems should update in one of the following ways.

To install the security patch for Mozilla or Firefox, follow these instructions:
Click Install Patch.
In the Software Installation window, click the "Install Now" button.
Exit and restart your Mozilla or Firefox browser.

To verify the fix in your Firefox or Mozilla application, be sure to restart the browser and then follow these steps:
Type about:config into the address field and hit Enter.
In the Filter toolbar, type shell.
Look for the preference listing network.protocol-handler.external.shell.
If you see the preference listed with the value of false then your application has been patched.

To install the security patch for Thunderbird, follow these instructions:
Right-click the Patch and choose save link as.
Save the file, shellblock.xpi, to your Desktop.
In Thunderbird, go to the Tools menu and select the Extensions item.
In the resulting Extensions window, click the "Install" button.
Use Windows file picker to select the shellblock.xpi file from your Desktop and click OK to dismiss the file picker.
Click OK on the Software Installation window.
Exit and restart Thunderbird.

To download and install new Mozilla releases releases, follow the instructions below:
1 Download Mozilla 1.7.1 to your Desktop and double-click the mozilla-win32-1.7.1-installer.exe icon.
2 Follow the instructions in the Mozilla Install wizard.

1 Download Firefox 0.9.2 and to your Desktop and double-click the FirefoxSetup-0.9.2.exe icon.
2 Follow the instructions in the Firefox Install wizard.

1 Download Thunderbird 0.7.2 to your Desktop and double-click the ThunderbirdSetup-0.7.2.exe icon.
2 Follow the instructions in the Thunderbird Install wizard.

We value our users' safety and security and will continue to make all efforts to release secure products and respond quickly when security vulnerabilities are identified in our software. Future versions of Mozilla Firefox will include automatic update notifications, which will make it even easier for users to be alerted to security fixes. The Mozilla Security Team would like to thank Keith McCanless for the original bug report and test case, and apologize for incorrectly omitting mention of his report in the initial version of this document.


--------------------------------------------------------------------------------

 

[M11]

Thats good advice. Its been one whole day since the exploit was announced, people will start taking advantage of it. Lucky I'm already updated.

 

[ScretHate]

Windows and windows apps are getting so insecure it's scary.

 

[XanTHraX]

Windows and windows apps are getting so insecure it's scary.

Hopefully wide spread adoption of SP2 will hopefully make a big change. Its not too often Firefox or Thunderbird have security issues, but there dealt with nice a fast.

 

[M11]

Hopefully wide spread adoption of SP2 will hopefully make a big change. Its not too often Firefox or Thunderbird have security issues, but there dealt with nice a fast.

A non-executable stack will eliminate so much evil in malware. Combined with intelligent policies for programs accessing the internet, and a lot of these "auto-piloted" worms and spyware will dry up. Ah, the good old days where the user had to acquire and execute the program.

 

[XOR != OR]

A non-executable stack will eliminate so much evil in malware. Combined with intelligent policies for programs accessing the internet, and a lot of these "auto-piloted" worms and spyware will dry up. Ah, the good old days where the user had to acquire and execute the program.

What, you mean, like through email?

I've got server logs FULL of this crap. The good ol'days are still with us, my friend.

 

[M11]

What, you mean, like through email?

I've got server logs FULL of this crap. The good ol'days are still with us, my friend.

the worms on autopilot are what piss me off, especially those that spread in a blasteresque manner. I'll take standalone exes anyday.

 

[apHytHiaTe]

My Firefox says "false" in the right place, but it still says it is 0.9.1. Thunderbird said the update file was unsigned and i never saw a file picker.

 

[RancidWAnnaRIot]

Thanks for the heads up... just updated.. i would have probably never heard about it...

 

[odoe]

unstuck

If you haven't patched by now, well, I don't know what to tell you.

 

[Ice Czar]

I don't know what to tell you.

same thing we always say

"Oh we had that stickied for a few weeks last month
where were you?"