Thursday, July 08, 2004

Security hole in Firefox or Mozilla on Windows XP 

I'd been meaning to write a column about how you need to be alert no matter what software you're running. Events beat me to it.

Remember "Firefox", the high-quality web browser I recommended? There's a security problem, if you're running on Windows. The problem allows a web site to start any program that's already on your computer. Could be worse, but you definitely need to install the fix, which is already out. If you copy and paste the address http://update.mozilla.org/extensions/moreinfo.php?id=154 into your browser you get to the right place without having to trust me. Click on the words "Install Now" next to the picture of a folder. You'll see a dialog box asking for permission to install "shellblock.xpi". It's safe to say "install": the mozilla.org people are good guys, they're in control of their web site, and technical people have checked that the fix does the right thing. (You should almost always say "cancel" to dialogs like that unless it's something you need from someone you have a reason to trust.)

Then close and restart Firefox. You have to do that for the patch to "take".

So how did this happen, and why does it only happen on Windows? That's the amusing part. When the Firefox web browser sees something it doesn't understand in the first part of a Web address, it passes the buck to the computer's operating system. If you're running Windows, Windows goes off and Does Stuff that you wouldn't expect. Engineers have been arguing furiously about whose fault the problem is. Meantime everyone agrees users should just install the fix.
