Firefox 0.9.2, Thunderbird 0.7.2, Mozilla 1.7.1 Coming Soon

Firefox 0.9.2, Thunderbird 0.7.2, Mozilla 1.7.1 Coming Soon
http://www.mozillazine.org/talkback.html?article=4960

Branches have been created for three of mozilla.org's latest 
releases, in order to fix an external windows protocol handler bug. 
The fix involves disabling the shell: protocol handler, which was 
found to enable pages to run executables on Windows via a link. 
Builds should officially be available shortly, and there will also 
be an XPI offered to disable the pref. Alternatively, you can set 
the pref "network.protocol-handler.external.shell" in about:config 
to 'false' to also remove the exploit.

More information about the exploit can be found in this post on the 
Full Disclosure mailing list. 
(http://seclists.org/lists/fulldisclosure/2004/Jul/0335.html)

UPDATE! The XPI to disable the pref is now available. 
(http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/experimental/shellblock/shellblock.xpi)

-- 
Kayode Okeyode
http://www.kayodeok.co.uk/weblog/
http://www.kayodeok.btinternet.co.uk/favorites/webdesign.htm
0
kayodeok
7/8/2004 8:29:00 PM
grc.security

kayodeok wrote:

> Firefox 0.9.2, Thunderbird 0.7.2, Mozilla 1.7.1 Coming Soon
> http://www.mozillazine.org/talkback.html?article=4960
> 
> Branches have been created for three of mozilla.org's latest releases, 
> in order to fix an external windows protocol handler bug. The fix 
> involves disabling the shell: protocol handler, which was found to 
> enable pages to run executables on Windows via a link. Builds should 
> officially be available shortly, and there will also be an XPI offered 
> to disable the pref. Alternatively, you can set the pref 
> "network.protocol-handler.external.shell" in about:config to 'false' to 
> also remove the exploit.
> 
> More information about the exploit can be found in this post on the Full 
> Disclosure mailing list. 
> (http://seclists.org/lists/fulldisclosure/2004/Jul/0335.html)
> 
> UPDATE! The XPI to disable the pref is now available. 
> (http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/experimental/shellblock/shellblock.xpi) 


Using Mozilla 1.7 here. I discovered that there isn't any 
network.protocol-handler.external.shell pref in Mozilla 1.7. I think I 
could make one but I'm not sure this is a fix.

I downloaded the XPI and discovered I don't know how to install the XPI. 
Googling wasn't productive.

Might be a good idea to switch to 1.7.1.
0
Kerry
7/8/2004 9:53:00 PM
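An added example, not part of the original thread and not Mozilla's code: a small Python check that reads the text of a profile's prefs.js and reports whether the two prefs discussed in the posts above are in the state the thread describes (the shell handler pref present and set to false, and xpinstall.enabled switched back off after installing the XPI). It also covers the case raised above where the pref does not exist, and the case where a hand-made pref was created with the wrong type. The sample file contents and the status labels are constructed for illustration.

```python
import re

# One user_pref("name", value); line, the format used in prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

# Prefs named in the thread and the value each should hold after the workaround.
EXPECTED = {
    "network.protocol-handler.external.shell": False,  # from the announcement
    "xpinstall.enabled": False,  # turned back off after the XPI install
}

def parse_prefs(text):
    """Return {name: value}; comment lines are ignored, later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = (raw == "true")
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]          # string pref, e.g. "false" in quotes
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs

def audit(text):
    """Map each expected pref to ok / missing / wrong-type / not-applied."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in EXPECTED.items():
        if name not in prefs:
            report[name] = "missing"       # pref was never created
        elif not isinstance(prefs[name], bool):
            report[name] = "wrong-type"    # e.g. created as a string, not a boolean
        elif prefs[name] == want:
            report[name] = "ok"
        else:
            report[name] = "not-applied"
    return report

# Constructed sample profiles (not taken from any real installation).
SAMPLE_FIXED = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.protocol-handler.external.shell", false);
user_pref("xpinstall.enabled", false);
'''
SAMPLE_UNFIXED = '''# Mozilla User Preferences
user_pref("xpinstall.enabled", true);
'''
SAMPLE_STRING = '''user_pref("network.protocol-handler.external.shell", "false");
user_pref("xpinstall.enabled", false);
'''

if __name__ == "__main__":
    for label, text in (("fixed", SAMPLE_FIXED), ("unfixed", SAMPLE_UNFIXED),
                        ("string-typed", SAMPLE_STRING)):
        print(label, audit(text))
```
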
Kerry Noyes wrote:

> I downloaded the XPI and discovered I don't know how to install the XPI.
> Googling wasn't productive.
> 
> Might be a good idea to switch to 1.7.1.

Don't download it, just click it. That's the easiest way to install it. 
Especially since it's so small.

If you really want to download, you have to then drag the xpi into a 
mozilla window and drop it.

Both of these methods should have the same effect.
0
Lisa
7/9/2004 12:06:00 AM
As they did here.

Regards

Lisa wrote:
> Kerry Noyes wrote:
> 
>> I downloaded the XPI and discovered I don't know how to install the XPI.
>>
>> Googling wasn't productive.
>>
>> Might be a good idea to switch to 1.7.1.
> 
> 
> Don't download it, just click it. That's the easiest way to install it. 
> Especially since it's so small.
> 
> If you really want to download, you have to then drag the xpi into a 
> mozilla window and drop it.
> 
> Both of these methods should have the same effect.
0
Nothing
7/9/2004 12:25:00 AM
Lisa wrote:
> Kerry Noyes wrote:
> 
>> I downloaded the XPI and discovered I don't know how to install the XPI.
>>
>> Googling wasn't productive.
>>
>> Might be a good idea to switch to 1.7.1.
> 
> 
> Don't download it, just click it. That's the easiest way to install it. 
> Especially since it's so small.
> 
> If you really want to download, you have to then drag the xpi into a 
> mozilla window and drop it.
> 
> Both of these methods should have the same effect.

I did click it. Nothing happened. I also downloaded it and dropped it 
onto Mozilla. Nada.
0
Kerry
7/9/2004 2:24:00 AM
Kerry Noyes wrote:

> I did click it. Nothing happened. I also downloaded it and dropped it 
> onto Mozilla. Nada.

Go into the about:config and make sure the pref "xpinstall.enabled" is 
set to true.
0
Lisa
7/9/2004 2:26:00 AM
Lisa wrote:

> Kerry Noyes wrote:
> 
>> I did click it. Nothing happened. I also downloaded it and dropped it 
>> onto Mozilla. Nada.
> 
> 
> Go into the about:config and make sure the pref "xpinstall.enabled" is 
> set to true.

Hey you're pretty cool! Hope you'll stick around news.grc for a while! 
I've been here about 5-6 years under various usernames and a few, some 
long, vacations...

I got the dialog and accepted it, then turned xpinstall.enabled back 
off. It seemed to work.

Thanks Lisa! :)
0
Kerry
7/9/2004 2:55:00 AM
"Kerry Noyes" <kerrynoyes@hotmail.comRMOVE> wrote in message
news:ccl1fo$gel$1@news.grc.com...
> Lisa wrote:
>
> > Kerry Noyes wrote:
> >
> >> I did click it. Nothing happened. I also downloaded it and dropped it
> >> onto Mozilla. Nada.
> >
> >
> > Go into the about:config and make sure the pref "xpinstall.enabled" is
> > set to true.
>
> Hey you're pretty cool! Hope you'll stick around news.grc for a while!
> I've been here about 5-6 years under various usernames and a few, some
> long, vacations...

Kerry,

Just an aside: have you been here at news.grc.com for 5 years?  I thought
Steve started news.grc.com less than 5 years ago.

http://grc.com/x/ne.dll?bh1akydu

"9/3/99 - The Idea for the Site Hits Me Like a Ton of Bricks
Walking back to my desk with a fresh cup of coffee I realized that a web
site could go a long way toward testing people's Internet security!
Everything on this site is an outgrowth of that first idea. "

(I like to keep up with the history of the news server, so any information
you can give me would be appreciated.)

-- 
Robert
GRC Newsgroups/Guidelines/No Regrets
http://news.grc.com/news.exe?cmd=article&group=grc.techtalk&item=102758
0
Robert
7/9/2004 1:08:00 PM
Robert Wycoff wrote:
> 
> Just an aside: have you been here at news.grc.com for 5 years?  I thought
> Steve started news.grc.com less than 5 years ago.

Well my memory, like most of us, is going first. I'm already forgetting 
what the second thing is to go.

I do know I took a leave from news.grc for a few years and rejoined 
about 6 months ago. I forgot what username I was using back then.

Anyway I was just indicating that I've been loitering for longer than it 
looks like. GRC helped me quite a bit when I was much more of a novice.
0
Kerry
7/9/2004 4:09:00 PM
"Robert  Wycoff" <rwycoff@127.0.0.1> wrote in
<news:ccm5cf$ebn$1@news.grc.com>:

> http://grc.com/x/ne.dll?bh1akydu
>
> "9/3/99 - The Idea for the Site Hits Me Like a Ton of Bricks
> Walking back to my desk with a fresh cup of coffee I realized that a web
> site could go a long way toward testing people's Internet security!
> Everything on this site is an outgrowth of that first idea. "

> (I like to keep up with the history of the news server, so any
> information you can give me would be appreciated.)

I was here near the beginning of news.grc.com, and ISTM that it was
in late 1999 or early 2000 that I found it.  It was after finding
the 'network bondage' pages on the website and installing some early
version of ZoneAlarm that I connected to the server to ask questions
about configuring ZA, and there were a fair number of people here to
answer such questions already.

I ran over to archive.org to see if I could pin it down, but I
couldn't quite.  Still, some interesting pages are archived there.

Another quote about the 3 Sept 1999 origin of the idea for ShieldsUP!:
<http://web.archive.org/web/20000510034005/grc.com/steve.htm>

   At the beginning of September, while hard at work on the new ASPI
   drivers, I stumbled over the fact that an INCREDIBLE NUMBER of
   Windows-based Internet-connected computers were completely
   insecure and that they were being actively targeted and scanned
   from across the Internet!

   While I was thinking about this I realized that when anyone came
   to my web site I could determine the IP address of their machine
   and immediately "reverse-probe" their connection to present them
   with a quick appraisal of their system's current Internet
   security! It was such a cool idea and it would help so many
   people, that I stopped work on the ASPI drivers on September 3rd
   and began developing the new "ShieldsUP!" zone of my web site.

Earliest archived page about the newsserver, 28 Nov 1999:
<http://web.archive.org/web/19991128125327/http://www.grc.com/su-discussion.htm>

SMG mentions the 7 July 2000 switch to a Microsoft newsserver:
<http://web.archive.org/web/20000815074424/grc.com/oo/discussion.htm>

Contains newsserver usage stats (posts/day &c.) as of Oct 2000:
<http://web.archive.org/web/20001003032150/http://grc.com/discussions.htm>

Early usage stats for ShieldsUP! (52 days after launch):
<http://web.archive.org/web/19991128142951/http://grc.com/x/ne.dll?bh1akydu>

-- 
«Q»
0
ISO
7/10/2004 12:55:00 AM
Robert Wycoff wrote:

> Kerry,
> 
> Just an aside: have you been here at news.grc.com for 5 years?  I thought
> Steve started news.grc.com less than 5 years ago.
> 
> http://grc.com/x/ne.dll?bh1akydu
> 
> "9/3/99 - The Idea for the Site Hits Me Like a Ton of Bricks
> Walking back to my desk with a fresh cup of coffee I realized that a web
> site could go a long way toward testing people's Internet security!
> Everything on this site is an outgrowth of that first idea. "
> 
> (I like to keep up with the history of the news server, so any information
> you can give me would be appreciated.)

I became frustrated with not knowing when I originally appeared at GRC 
so I began searching the posts in techtalk and security to see if I 
could find a familiar "handle." I used to use handles in those days 
rather than my name. The earliest posts I can access are January 2001 so 
I don't think I can go all the way back. I spent about 45 minutes trying 
to find my posts and then just gave up. I don't know what name I was 
using... and without that it's pretty damn hard to find something relevant.

I guess I'll have to just STFU and settle for the best, most truthful, 
most accurate statement I can offer:

I used to hang around here quite some time back, then lost my interest 
in security for a while, regained it and came back a few or several 
months ago. It seems like a long time ago but my memory isn't what it 
used to be so I just don't know when I first came to news.grc.

I think it's likely that I used to frequent the GRC site before the news 
groups were started.

So with that I'll STFU on this subject and apologize for being too 
liberal with the facts. I erred in my post and retract what I said.

Have a nice day. See you in the future! :)
0
Kerry
7/10/2004 5:38:00 PM