July 09, 2004

Mozilla Flaw Lets Links Run Arbitrary Programs

eWeek is running a story on a Mozilla hole (yes, they do happen). It is very similar to the Safari problem from a couple of months ago. Good to see that a fix is already available (unlike Safari, which took weeks to get a proper patch for its hole), and before the release of any malicious code to take advantage of it (as was also the case with Safari).

I think this shows the problem with the number of features turned on by default in all software products, which leads to unexpected and potentially dangerous results. It is good that Mozilla is changing to turning everything off by default other than the core protocols http: and https:. Whitelisting trusted protocols like this means that only people who really know what they are doing, and who need the esoteric stuff, will turn it on; those are the people who can handle the added risk of getting infected by malware that this creates.
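To make the whitelisting point concrete, here is an added example (written for this post, not Mozilla's code) of a deny-by-default scheme check for links, next to the deny-listing approach it replaces. The allowed set, the hypothetical "example-handler:" scheme in the usage, and the assumption that relative links inherit an http/https page are all mine; the normalisation step mirrors what URL parsers do with whitespace and embedded tab/newline characters, and is what keeps either check from being sidestepped by a crafted href.

```javascript
// Added example: deny-by-default URI scheme whitelist for links, versus a
// denylist. Hypothetical code for this post, not Mozilla's implementation.

const ALLOWED_SCHEMES = new Set(["http", "https"]); // assumption: the "core" set

// Normalise the href the way a URL parser does before looking at the scheme:
// remove embedded tab/CR/LF anywhere in the input, then strip leading and
// trailing C0 control characters and spaces. Without this, "java\nscript:"
// or "\tjavascript:" would not look like a scheme to a naive check.
function normalizeHref(href) {
  return href
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Scheme per RFC 3986 section 3.1: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// Returns the lower-cased scheme, or null for a relative reference.
function extractScheme(href) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(normalizeHref(href));
  return m ? m[1].toLowerCase() : null;
}

// Whitelist: only listed schemes may leave the page. A relative reference
// (including a scheme-relative "//host/path") resolves against the current
// page, assumed here to be http or https, so it is allowed. Anything with an
// unknown scheme is refused instead of being handed to an OS protocol handler.
function isLinkAllowed(href, allowed = ALLOWED_SCHEMES) {
  const scheme = extractScheme(href);
  return scheme === null || allowed.has(scheme);
}

// The approach being replaced: enumerate known-bad schemes and let the rest
// through. Constructed denylist; a scheme that is not on it, such as a
// newly registered OS handler, is passed straight to the operating system.
const BLOCKED_SCHEMES = new Set(["javascript", "vbscript"]);
function isLinkAllowedByDenylist(href, blocked = BLOCKED_SCHEMES) {
  const scheme = extractScheme(href);
  return scheme === null || !blocked.has(scheme);
}

// Usage over constructed hrefs; "example-handler:" is a made-up scheme
// standing in for any protocol handler the browser did not anticipate.
const samples = [
  "https://example.com/",
  "/relative/path",
  "mailto:someone@example.com",
  "example-handler://run?cmd=anything",
  "\t JavaScript:alert(1)",
  "java\nscript:alert(1)",
];
for (const href of samples) {
  console.log(
    JSON.stringify(href),
    "whitelist:", isLinkAllowed(href),
    "denylist:", isLinkAllowedByDenylist(href)
  );
}
```

The two checks share the same parsing; the only difference is the default. The denylist lets "example-handler://run?cmd=anything" through because nobody thought to list it, which is exactly the failure mode of features that are on by default, while the whitelist refuses it without anyone having to know it exists.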