Firefox for Linux Command Line URL Injection security issue


Postby J-M » Tue 20 Sep, 2005 8:15 pm

A new security issue, rated as Extremely critical (i.e. 5/5), was published recently, affecting Linux versions of Firefox.

Details at http://secunia.com/advisories/16869/ :
The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).

This vulnerability can only be exploited on Unix / Linux based environments.


Version 1.0.6 is confirmed as affected.

Another security company, Symantec, says Mozilla Suite 1.7.11 is affected too:
http://www.securityfocus.com/bid/14888/info

This will affect the 1.0.7 release timeline. However, the Bugzilla entry related to this says it's fixed:
https://bugzilla.mozilla.org/show_bug.cgi?id=307185

Postby J-M » Wed 21 Sep, 2005 4:05 am

This has now been fixed in a new 1.0.7 release:

From
http://secunia.com/advisories/16869/

Solution Status: Vendor Patch

Postby J-M » Thu 22 Sep, 2005 5:13 pm

The new Mozilla Suite 1.7.12 release fixes this vulnerability.

To confirm:
From http://secunia.com/advisories/16846/

Solution Status: Vendor Patch
....
Solution:
Update to version 1.7.12.
http://www.mozilla.org/products/mozilla1.x/


More information at:
http://www.mozilla.org/releases/mozilla ... new-issues

Edit: added quoting/J-M :)
Last edited by J-M on Thu 22 Sep, 2005 5:14 pm, edited 1 time in total.

Postby J-M » Thu 22 Sep, 2005 5:18 pm

Mozilla Thunderbird installed on Linux is affected too.

From
http://secunia.com/advisories/16901/

The vulnerability is caused due to the shell script used to launch Thunderbird is parsing shell commands that are enclosed within backticks in the URL provided via the command line.
.....
The vulnerability has been confirmed in version 1.0.6 on Fedora Core 4. Other versions and platforms may also be affected.


Secunia's solution (workaround) is:
Do not use Thunderbird as the default mail reader.

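The launcher weakness described in the Secunia excerpts quoted above for Firefox and Thunderbird, as an added example that is not part of the thread and not Mozilla's script: a constructed launcher that re-parses its URL argument as shell text, beside one that passes it through as a single quoted argument. `fake_browser`, the function names and the sample URL are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo. fake_browser stands in for the real browser binary and
# only records the argument it receives; it is not Mozilla's launcher script.
DEMO_DIR=$(mktemp -d)
MARKER="$DEMO_DIR/marker"       # exists only if text inside the URL was executed
RECEIVED="$DEMO_DIR/received"   # the argument the "browser" was handed

fake_browser() { printf '%s' "$1" > "$RECEIVED"; }

# Weak pattern: the URL is pasted into a command string that the shell parses
# again. Double quotes do not stop command substitution, so `...` runs.
launch_unsafe() {
    eval "fake_browser \"$1\""
}

# Hardened pattern: the URL stays one quoted argument and is never re-parsed.
launch_safe() {
    fake_browser "$1"
}

# Defence in depth for the calling application: flag URLs that carry
# command-substitution syntax before handing them to any launcher.
url_has_substitution() {
    case "$1" in
        *'`'*|*'$('*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample; single quotes keep the backticks literal at this point.
SAMPLE_URL='http://example.invalid/`touch $MARKER`'

# $1 = launcher function name; prints "executed" or "inert".
run_demo() {
    rm -f "$MARKER" "$RECEIVED"
    "$1" "$SAMPLE_URL"
    if [ -e "$MARKER" ]; then echo executed; else echo inert; fi
}

echo "launch_unsafe: $(run_demo launch_unsafe)"   # executed
echo "launch_safe:   $(run_demo launch_safe)"     # inert
```

With the hardened launcher the stand-in browser receives the URL byte for byte, backticks included, which is the behaviour to verify in any wrapper script that sits between a mail client and a browser.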
Postby Antony » Thu 22 Sep, 2005 5:39 pm

J-M wrote:
Secunia's solution (workaround) is:
Do not use Thunderbird as the default mail reader.

Hmm, interesting solution.

Postby J-M » Thu 22 Sep, 2005 8:10 pm

Mozilla Foundation has more instructions:

Do not click on links in spam or other mail from people you don't know. Do not use the affected programs as the default handler for URLs. Upgrade to the fixed versions.


Source:
http://www.mozilla.org/security/announc ... 05-59.html

Postby J-M » Fri 30 Sep, 2005 6:07 pm

This was fixed in the new Thunderbird 1.0.7; let's wait for confirmation on the http://www.mozilla.org/projects/securit ... rbird1.0.7 page in the near future.

Postby J-M » Fri 30 Sep, 2005 6:10 pm

Admins, is it possible to also add a short description like 'Affects Suite and Thunderbird' to this thread? :)