You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.
shell:
protocol security issueOn July 7 a security vulnerability affecting browsers for the Windows operating system was reported to mozilla.org by Keith McCanless, and was subsequently posted to Full Disclosure, a public security mailing list. On the same day, the Mozilla security team confirmed the report of this security issue affecting the Mozilla Application Suite, Firefox, and Thunderbird and discussed and developed the fix at Bugzilla bug 250180. We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users.
On July 8th, the Mozilla team released a configuration change which resolves this
problem by explicitly disabling the use of the shell:
external
protocol handler. The fix is available in two forms. The first is a small
download which will make this configuration adjustment for the user. The second
fix is to install the newest full release of each of these products.
Instructions on administering these changes can be found below.
Mozilla, Firefox and Thunderbird users on Microsoft Windows operating systems should update in one of the following ways.
about:config
into the address field and hit Enter.
shell
.
network.protocol-handler.external.shell
.
false
then your application has been patched.
Tools
menu and select the Extensions
item.
We value our users' safety and security and will continue to make all efforts to release secure products and respond quickly when security vulnerabilities are identified in our software. Future versions of Mozilla Firefox will include automatic update notifications, which will make it even easier for users to be alerted to security fixes. The Mozilla Security Team would like to thank Keith McCanless for the original bug report and test case, and apologize for incorrectly omitting mention of his report in the initial version of this document.