General :  K-Meleon Web Browser Forum
General discussion about K-Meleon. Questions about how to set it up, macro coding, everything related to its usage and the project itself, including this website.
Current Page: 1 of 2
Patch for security vulnerability
Posted by: rsacks
Date: July 09, 2004 03:28AM

mozilla.org announced on July 8 a patch for a security vulnerability for Windows operating systems involving the shell: protocol. http://mozilla.org/security/shell.html

In K-Meleon go to about:config. Add a new Boolean preference network.protocol-handler.external.shell and set the value to false. You may have to restart K-Meleon.

To test whether it is working go to http://www.mccanless.us/mozilla/mozilla_bugs.htm
If the patch is working, one link will show. If not, there will be four links.

Re: Patch for security vulnerability
Posted by: marc v
Date: July 09, 2004 04:38AM

"mozilla.org announced on July 8 a patch for a security vulnerability for Windows operating systems involving the shell: protocol."

We don't have this vulnerability.
Even if 4 links are showing, clicking on them gives an error "shell is not a registered protocol".
We need a fix for this:
http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

Re: Patch for security vulnerability
Posted by: guenter
Date: July 09, 2004 04:46AM

Thanks rsacks,
I assume those that tend to do that via user.js can do that by:
user_pref("network.protocol-handler.external.shell", false);
If not, please correct me. Greetings & best weekend!

Re: Patch for security vulnerability
Posted by: Nick
Date: July 09, 2004 06:47AM

rsacks:

Works very well - thanks.

Nick

Re: Patch for security vulnerability
Posted by: bellgamin
Date: July 09, 2004 06:49AM

Thanks rsacks. It worked like a charm!

The exploit mentioned by marc v did not affect my K-mel at all. Perhaps it was blocked by my *other* security measures, but the injection did NOT take place.

Re: Patch for security vulnerability
Posted by: JujuLand
Date: July 09, 2004 07:00AM

http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

The vulnerability is really here with K-Meleon 0.82.

Is there a way to treat it?

Curious: when trying to navigate on this site, McAfee gives me an alert when I click on this link (at the right of the page): http://secunia.com/advisories/11793/

A trojan seems to be found: ExploitMhtRedir

Re: Patch for security vulnerability
Posted by: guenter
Date: July 09, 2004 07:54AM

@alain, marc's exploit works e.g. with FastSJonny's XP slimmed with XP Lite.
The exploit works with marc's tweaked DOS-based Windows.

It does not work with my ME (98lite tweaked plus the 5 little shut-off programs from the spin right site used to deactivate some processes), with only an old ZoneAlarm installed. I think that is all I did. (I think I still have the programs backed up on an old CD; shall I look up the names? Maybe it does work for you as well?)

@bellgamin, maybe you can add info about your system, in case you remember?

À la prochaine & greetings to all

Re: Patch for security vulnerability
Posted by: JujuLand
Date: July 09, 2004 09:36AM

> @alain, marc's exploit works e.g. with FastSJonny's XP slimmed with XP Lite.
> The exploit works with marc's tweaked DOS-based Windows.

Guenter, I don't understand what you said. Am I too tired this morning?

My test this morning was made under W2K SP4.

I have K-Meleon set as default, and IE 5.5 isn't uninstalled (I'm at work).

Do you mean it's a Windows bug and the only way not to have this vulnerability is to XPlite or 98lite the computer?

Re: Patch for security vulnerability
Posted by: guenter
Date: July 09, 2004 10:11AM

@alain,
sorry about my English, and my French is worse after not using it for 30 years.
Tired? It is soon the weekend; I hope you do not have to work on the weekend!
My weekend has begun after I returned from shift at 6 in the morning.

It seems that some people under DOS-based Windows are not affected. For example (guenter = me). If you had a DOS-based Windows I would have looked the programs up for you! (for the tweaks I did).

Because there are three possible reasons:
1.) my system configuration? (done with tweak programs)
2.) my K-Meleon settings?
3.) the exploit does not work because my browser is damaged?

At least two of the Germans in the forum pointed out:
marc's spoofing bug is not listed on c't (German premier site!).
c't has a section about Mozilla/Gecko bugs
and how to make the Gecko settings secure.

Unlikely that Norbert or I have overlooked something.

Maybe bellgamin has an NT-based system?
I always hope for a solution ;) often enough in vain.

Using the little tool programs is much easier than cross-checking K-M settings? They deactivate Outlook, some COM objects...
Maybe it could have helped?

W2K SP4: I do not know much about your Windows version except that it is good and hard to configure.

Best weekend to you!

Re: Patch for security vulnerability
Posted by: rmn
Date: July 09, 2004 12:09PM

My KM installation is vulnerable to both.
Using WinXP and KM 20040520 test build w/ 0.8.2 embed.jar.

Re: Patch for security vulnerability
Posted by: guenter
Date: July 09, 2004 03:42PM

If too many have insecure browsers and we find no other way,

then we must get a new 1.7 or 1.8 from someone.
The issue is not present in those according to secunia.com,
or did I misunderstand the docs there?

Someone must make a new K-M from sources; it does not have to be faultless, it can have bugs like all improvised software!

Just from the issues that are supposed to be secure!
Anyone give it a try that knows how to!

My opinion.

Re: Patch for security vulnerability
Posted by: bellgamin
Date: July 10, 2004 07:49AM

@guenter - as you requested...

I'm running WinME behind a router + software firewall + antivirus + antitrojan + RegRun.

Re: Patch for security vulnerability
Posted by: guenter
Date: July 10, 2004 08:56AM

Thanks bellgamin,
so it is only us two running similar systems not affected, right?
That does not help others. I hoped you had XP or so and we could find a way.
If the bug is real, all others need a new build or so. Greetings from Hannover

Re: Patch for security vulnerability
Posted by: kewe
Date: July 10, 2004 11:29AM

Hi.

I was reading about adding the line:

network.protocol-handler.external.shell

But when I type in about:config in the URL:

I don't know how to proceed.

Cannot find anything where it says 'Add a new Boolean preference',

nor under Edit/Preferences/Config or Edit/Preferences/Settings.

Can anyone give a step by step on how to do this.

I don't understand much of what is talked about in the other threads.

Will adding:

network.protocol-handler.external.shell

fix the mozilla security problem?

Re: Patch for security vulnerability
Posted by: Kurt
Date: July 10, 2004 01:08PM

kewe

After you type about:config you get the configuration screen. Now just right click somewhere in the lower part. From the popup window pick New, Boolean. Now copy/paste the line network.protocol-handler.external.shell,
hit OK, then type false as the value and hit OK again. That's it.

If this actually fixes the security problem I don't know.
I hope so ;-)

Kurt

Re: Patch for security vulnerability
Posted by: Nick
Date: July 10, 2004 01:09PM

Once in the 'about:config' page, right mouse click over the left hand column; you can then select 'New -> Boolean' value from the menu presented:

Add 'network.protocol-handler.external.shell' as the preference name and 'false' as the value.

Close page and restart KM.

Nick

Re: Patch for security vulnerability
Posted by: guenter
Date: July 10, 2004 03:02PM

I repeat:

or place into user.js:

user_pref("network.protocol-handler.external.shell", false);

This should also do!

& yes, either like that in about:config, or try to use what I wrote at the top in user.js; it will normally do the same. I have meanwhile checked what the Mozilla people have in their patch: not much more than the line I suggested.

Re: Patch for security vulnerability
Posted by: Nick
Date: July 10, 2004 05:03PM

I have tried everything to beat the cross frames hack in KM - can't do. This will have to be a code fix.

Nick

Re: Patch for security vulnerability
Posted by: bellgamin
Date: July 10, 2004 08:27PM

Since the *cross frames hack* evidently does not work against K-mel running under WinME, does that mean that it's more of a flaw in Windows XP, rather than being a flaw in K-Mel?

Further, if the flaw exists in K-mel running under XP, wouldn't it also exist in Firefox & other browsers using the Gecko engine? If so, then shouldn't the fix be made to Gecko, & not just to K-mel?

I am only asking -- I have NO idea what I'm talking about. Duhhh (yawning smiley)

Re: Patch for security vulnerability
Posted by: Mike Dallos
Date: July 10, 2004 08:48PM

rsacks---well done!!

Works here on my XP Pro box...

Re: Patch for security vulnerability
Posted by: guenter
Date: July 10, 2004 09:29PM

Hi bellgamin, either that,
or us two have other K-M settings, being clever but not knowing how ;)

Re: Patch for security vulnerability
Posted by: Nick
Date: July 10, 2004 10:15PM

bellgamin:

Yes..

The frames thing is Moz-based, I believe. Why it works on one system and not another I dunno.

Basically we can all say - BLOODY MICROSOFT.

Nick

Re: Patch for security vulnerability
Posted by: SlideRule
Date: July 10, 2004 10:35PM

Just a thought, perhaps someone would / could place this security patch/vulnerability information on the K-Meleon homepage . . . http://kmeleon.sourceforge.net/ in the "Latest News" section.

That way, folks visiting the web site (and not just this forum) will still have information about the patch. Also, would be best if the 'dates' in the Latest News section are consistent, in format (MM-DD-YYYY or whatever).

SlideRule

Re: Patch for security vulnerability
Posted by: bellgamin
Date: July 11, 2004 01:36AM

Great suggestion SlideRule!

Re: Patch for security vulnerability
Posted by: Nick
Date: July 11, 2004 12:31PM

The cross frame injection security issue - Mozilla does have this user_pref (from the Mozilla docs):

browser.frame.validate_origin
Validate origin of frames before allowing display?

But alas it is not enabled in KM.

Also, if you are paranoid, you can change:

browser.frames.enabled

to false. That fixes it :)

Nick

Re: Patch for security vulnerability
Posted by: Culpeper
Date: July 14, 2004 01:45AM

I ran the frame exploitation on Win98 and yep, KM does have a problem with it.

Re: Patch for security vulnerability
Posted by: guenter
Date: July 14, 2004 06:18AM

Seems not to work with DOS-based Windows; only NT-based Windows threatened?

Re: Patch for security vulnerability
Posted by: Culpeper
Date: July 15, 2004 01:06AM

Isn't Win98 a DOS based system? KM failed the test.

Re: Patch for security vulnerability
Posted by: guenter
Date: July 15, 2004 05:10AM

Yes, you are totally right: 98 is a DOS-based graphical user interface or something.

We still have no NT-based reported fit?
I also wonder why we have different results with DOS-based systems.
Regards

Re: Patch for security vulnerability
Posted by: rmn
Date: July 15, 2004 05:53AM

In my opinion, the frame injection is more of a Gecko problem than a Windows one.



K-Meleon forum is powered by Phorum.