Mozilla Patches Vulnerability

Developers at the Mozilla Foundation quickly patched a hole in its Web
browser that could allow crackers to take over users’ PCs.

The 572-byte patch disables the browser’s use of the “shell:” external
protocol handler. The handler determines what application to
execute when it runs across a specific file extension. One example of this
is when a user clicks on an e-mail address link on a Web page and the user’s default
e-mail client launches.

The vulnerability only affects machines running Mozilla,
Firefox and Thunderbird on the Windows operating system; Linux and
Macintosh users aren’t affected. Users can also download the latest
versions of the affected applications to eliminate the flaw
(Mozilla 1.7.1, Firefox 0.9.2 and Thunderbird 0.7.2).

A user first reported the vulnerability Wednesday on a public security mailing list
called Full-Disclosure. By the end of the day, Mozilla developers confirmed the report,
releasing a patch the next day. Industry experts say this turnaround time is one of
open source’s greatest strengths.

Mozilla, which became an open source
project after AOL essentially handed over the reins to
its Netscape browser, is developed and updated through the efforts of
volunteers throughout the world. The Mozilla Foundation is able to accomplish
what many proprietary software companies can’t, with a software team numbering in the thousands that can
root out potential vulnerabilities.

Take, for example, Internet Explorer and Opera, Web browsers that have been hard-hit recently with software
vulnerabilities. Opera was hit with breaches last
November,
May and
June.

IE has been beset with so many new bugs that have not been fixed quickly enough
that the U.S. Computer Emergency Readiness Team (US-CERT)
warned Web users not to use
the browser.

Yankee Group Analyst Patrick Mahoney said that, in the
grand software scheme of things, Microsoft’s IE is well down there on the
list of priorities at the company.

“Mozilla is working very hard at being a robust browser, and I think one of
the reasons is because it’s their sole purpose,” he said. “Internet
Explorer for Microsoft is an embedded, almost given, part of their operating
system. I don’t think they’ve been as responsive, because, as we all know,
it’s not part of their primary product line.”

That doesn’t mean that Microsoft isn’t looking into the vulnerabilities,
Mahoney said, but the slow patch releases are one of the reasons Mozilla is
getting so much attention lately. He said that for the time being, casual
Web surfers will stick with IE. Microsoft plans to release significant
security enhancements for IE in Windows XP Service Pack 2, due out later this year.