10 days from report to patch for new Firefox exploit

Looks like the protocol handler problems just won't die. On July 20th, Jesper Johansson reported that Firefox 2.0.0.5 didn't quite get all the bugs out of passing strings to external programs registered as protocol handlers. 10 days later, Mozilla has released a patch in version 2.0.0.6. The first version of the patch was actually coded on July 21st, finalized on the 23rd, tested and reviewed, and released to auto-updates on the 30th. You can see all the gory details in bug 389106 .

Ironically, FF appears to have been doing the same thing that IE was doing, which Window Snyder called a "critical vulnerability in IE" on the 18th. Snyder gave Microsoft a hard time because they were not planning a fix, but on the 23rd he she had to eat crow, saying:

We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we’re investigating it now.

(By the way, the problem is still unpatched in Internet Explorer - see comments in the IE blog.)

I'll bet most people never heard of protocol handlers before July so don't be surprised if more issues are discovered around this mostly-forgotten feature now that people are looking at it (like this one). If not carefully implemented, protocol handlers can be a potential attack vector on any browser and OS, not just FF and IE on Windows. Sigh.