Since I have found C.T.H. my experience has been enhanced and very enjoyable. I am learning and find myself more enclined to be taking than receiving. Hopefully this will change and I will be able to help more .Inthe mean time I have other skills and I will try to read the anything else board and maybe help in other ways. Keep the quality up, and the humour - mickb 
Mozilla Fixes Firefox Protocol Handling
Posted by: Tweaker
Date added: 22:03, 31st July 2007 GMT
Source: Beta News
This morning, Firefox 2.0 users were automatically notified of the availability of version 2.0.0.6, with the promise that this time around, a critical vulnerability concerning how the browser tries to parse malformed resource identifiers, is fixed for good.
In its security advisory this morning, Mozilla credited Windows security expert Jesper Johansson for articulating the original problem, which has hopefully led to this final solution.
"Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling," the advisory reads, "which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the specific receiving program, though at the very least we know Firefox (and Thunderbird) 2.0.0.4 and older could be used to run arbitrary script."
While Mozilla's admission was arguably gracious and sincere, there's a rational debate in the developer community over whether the real problem was caused by either major brand of Web browser -- Firefox or Internet Explorer -- or rather by the underlying Windows operating system which passes on the malformed argument in the first place.
Yesterday, the US-CERT bureau of the Dept. of Homeland Security indicated that Microsoft's handling of the ShellExecute() API function, which was changed in systems where IE7 is installed, may be the true culprit. The implication there is that a danger may continue to exist so long as that critical function can pass non-standard parameters to programs it's trying to launch, such as Web browsers.
The advisory then credits VeriSign security consultants Billy Rios and Nate McFeders for discovering that, when Firefox received a ShellExecute() call to the mailto:// URI identifier that included an officially disallowed null (%00) parameter, rather than launch the default mail client, Firefox would launch whatever application was responsible for the filename extension at the end of the URI.
Starting with version 2.0.0.6, Firefox will no longer launch external protocol handler applications without first asking the user. In the event that the site placing the external launch call isn't trusted, it won't launch any programs at all.
The exception is for the mailto:// protocol, where Firefox will launch the preferred mail client without asking the user. The advisory gives users a workaround, which involves editing the program's about:config page, for having Firefox ask the user before launching the mail client
Tools: Post a comment | Link to this news item | Send to a friend | Submit News
Error: You are not logged in.
In order to leave comments to news articles you must be a Cyber Tech Help Member.
Registration is completely free! 
Register to become a member
Along with access to leave comments to news articles you will be able to ask any computing questions you might have on the Cyber Tech Help Forums.
