Mozilla Browser Has Flaw, Too

The makers of the open-source Mozilla Internet browser family have confirmed what was previously rumour: Mozilla, Firefox, and Thunderbird browsers were vulnerable to attacks using a "shell:" scheme that launches "arbitrary" code by way of Windows without you having to touch a single link.

The Mozilla Foundation, however, rushed out a patch as quickly as possible once it had confirmed the flaw.

"On July 7, a security vulnerability affecting browsers for the Windows operating system was posted to Full Disclosure, a public security mailing list," Mozilla said in a statement. "On the same day, the Mozilla security team confirmed the report of this security issue affecting the Mozilla Application Suite, Firefox, and Thunderbird and discussed and developed the fix at Bugzilla bug 250180. We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users.

"[On July 8], the Mozilla team released a configuration change which resolves this problem by explicitly disabling the use of the shell: external protocol handler," the foundation continued. "The fix is available in two forms. The first is a small download which will make this configuration adjustment for the user. The second fix is to install the newest full release of each of these products."

EWeek.com reported that the Mozilla flaw could have provoked a massive denial-of-service attack because the bug allowed certain links in the browser to cause Mozilla to open "large numbers of windows… consum(ing) 100 percent of GPU capacity."

The Mozilla confirmation and patch arrived over a week after the U.S. Computer Emergency Response Team surprised observers by actively and publicly recommending Internet surfers avoid Microsoft's Internet Explorer as a security hazard, and try alternative browsers including the Mozilla family and Opera.