[...] Firefox 3 integrates elegantly with your antivirus software. When you download a file, your computer’s antivirus program automatically checks it to protect you against viruses and other malware, which could otherwise attack your computer. [available in Windows only] [...]

Literary this are great security features to protect your PC from being harm by malicious viruses.

What happen when the Anti-Virus software is disabled?

Guide on How to disabled Firefox 3 Download Manager Anti-Virus scan

The following three simple steps will guide you on How to disabled this might be features annoyances using Firefox about:config editor.

1. Open firefox and type in about:config in the address bar.

   

2. Type in browser.download.manager.scanWhenDone in the filters box.

   

3. Select and double click the “browser.download.manager.scanWhenDone” row and it will toggle the value (make sure the value is “false”). Then restart Firefox .

   

The book of Mozilla (11:9)

Mammon slept. And the beast reborn spread over the earth and its numbers
grew legion. And they proclaimed the times and sacrificed crops unto the fire, with the cunning of foxes. And they built a new world in their own image as promised by the sacred words, and spoke of the beast with their children. Mammon awoke, and lo! it was naught but a follower. from The Book of Mozilla, 11:9

Firefox URI about:mozilla

Firefox Robot (gort klaatu barada nikto)

“Klaatu” is the name of the humanoid alien protagonist in the film “The Day the Earth Stood Still (1951)”

Firefox URI about:robots

Welcome Humans!

We have come to visit you in peace and with goodwill!

Robots may not injure a human being or, through inaction, allow a human being to come to harm.

Robots have seen things you people wouldn’t believe.

Robots are Your Plastic Pal Who’s Fun To Be With.

Robots have shiny metal posteriors which should not be bitten.

Influence

1. “We have come to visit you in peace and with goodwill!” from the movie “The Day the Earth Stood Still“

2. “Robots may not injure a human being or, through inaction, allow a human being to come to harm.” from Isaac Asimov’ “Three Laws of Robotics“

3. “Robots have seen things you people wouldn’t believe.” from the ending of the movie “Blade Runner“

4. “Robots are Your Plastic Pal Who’s Fun To Be With.” from Douglas Adams’ The Hitchhiker’s Guide to the Galaxy.

5. “Robots have shiny metal posteriors which should not be bitten.” a reference to Bender from Futurama .

Sources

*\Mozilla Firefox\chrome\en-us.jar:locale\browser\aboutRobots.dtd

<!-- These strings are used in the about:robots page, which ties in with the
     robots theme used in the Firefox 3 Beta 2/3 first run pages...
         https://www.mozilla.com/en-US/firefox/3.0b2/firstrun/
         https://www.mozilla.com/en-US/firefox/3.0b3/firstrun/
     They're just meant to be fun and whimsical, with references to some geeky
     but well-known robots in movies and books. Be creative with translations! -->

<!-- Nonsense line from the movie "The Day The Earth Stood Still". No translation needed. -->
<!ENTITY robots.pagetitle  "Gort! Klaatu barada nikto!">
<!-- Movie: Logan's Run... Box (cybog): "Welcome Humans! I am ready for you." -->
<!ENTITY robots.errorTitleText "Welcome Humans!">
<!-- Movie: The Day The Earth Stood Still. Spoken by Klaatu. -->
<!ENTITY robots.errorShortDescText "We have come to visit you in peace and with goodwill!">
<!-- Various books by Isaac Asimov. http://en.wikipedia.org/wiki/Three_Laws_of_Robotics -->
<!ENTITY robots.errorLongDesc1 "Robots may not injure a human being or, through inaction, allow a human being to come to harm.">
<!-- Movie: Blade Runner. Batty: "I've seen things you people wouldn't believe..." -->
<!ENTITY robots.errorLongDesc2 "Robots have seen things you people wouldn't believe.">
<!-- Book: Hitchiker's Guide To The Galaxy. What the Sirius Cybernetics Corporation calls robots. -->
<!ENTITY robots.errorLongDesc3 "Robots are Your Plastic Pal Who's Fun To Be With.">
<!-- TV: Futurama. Bender's first line is "Bite my shiny metal ass." -->
<!ENTITY robots.errorLongDesc4 "Robots have shiny metal posteriors which should not be bitten.">
<!-- TV: Battlestar Galactica (2004 series). From the opening text. -->
<!ENTITY robots.errorTrailerDescText "And they have a plan.">
<!-- TV: Battlestar Galactica (2004 series). Common expletive referring to Cylons. -->
<!ENTITY robots.imgtitle "Frakkin' Toasters">
<!-- Book: Hitchiker's Guide To The Galaxy. Arthur presses a button and it warns him. -->
<!ENTITY robots.dontpress "Please do not press this button again.">

Might be Interest

• Klaatu barada nikto

Known Vulnerabilities List by MFSA

• MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
• MFSA 2007-35 XPCNativeWrapper pollution using Script object
• MFSA 2007-34 Possible file stealing through sftp protocol
• MFSA 2007-33 XUL pages can hide the window titlebar
• MFSA 2007-32 File input focus stealing vulnerability
• MFSA 2007-31 Browser digest authentication request splitting
• MFSA 2007-30 onUnload Tailgating
• MFSA 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)

URI Protocol Abuse

Last month Billy Rios, Nate McFeter and Raghav “the Pope” Dube discovered the exploit on remote command execution in Firefox with the URI handler protocol

Excerpt from Billy Ross’s

Once again, these URI payloads can be passed by the mailto, nntp, news, and snews URIs, allowing us to pass the payload without any user interaction. So, it seems that although the conditions which allowed for remote command execution in Firefox 2.0.0.5 have been addressed with a security patch, the underlying file type handling issues which are truly the heart of the issue have NOT been addressed.

You can read more on this issue at Billy Ross’s blog - Firefox File Handling Woes .

What the hell is XPCNativeWraper pollution?

Bugzilla title can be damn confusing. MFSA 2007-35 - “XPCNativeWrapper pollution using Script object” - Its the same vulnerability from previous update on Firefox 2.0.0.5 . ATM Mozilla has closed (I removed the link 404) all informations regarding this issue (it turns out all the past references return 404 :( ). So i had to digg down further on ISS X-force and CVE to get more info regarding this exploit.

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an unspecified error related to the handling of XPCNativeWrapper. An attacker could exploit this vulnerability to execute arbitrary code on the affected system or cause a denial of service, if the attacker could persuade a victim to visit a malicious Web page or open a malicious HTML email.

I think this is the most important issue for the new release. Because every search on Mozilla turn out 404 and private. I hope somebody can explained this further.

Pref setup to prevent malicious URI exploit

I found this snippet code from one of regular commenter at Billy Ross’s blogs. You might need to head on Mozilla prefs guide before applying the below hacks.

Firefox Preferences settings (pref.js)

This settings will throw a Firefox confirmation box before opening external third party applications (ie. thunderbird, outlook). So you can prevent any programs from being launched without permission. example: mailto links (ie: billgates@microsoft.com).

user_pref(”network.protocol-handler.warn-external.mailto”, true);
user_pref(”network.protocol-handler.warn-external.news”, true);
user_pref(”network.protocol-handler.warn-external.nntp”, true);
user_pref(”network.protocol-handler.warn-external.snews”, true);

Simon says, Both is Guilty

It seem like Mozilla’s Firefox is just as guilty like Microsoft’s for passing dangerous data to third party applications. Firefox should have its own registered URL handler & DDE instead of relying on Microsoft’s.

Same with Apple (quicktime pwn firefox).

Related links

• Download Firefox 2.0.0.8
• Remote Command Exec (FireFox 2.0.0.5 et al)
• Escape URIs when passing them to external protocol handlers

The vulnerability reported by Petko D. Petkov at gnucitizen.org , who also reported on two other QuickTime vulnerabilities last year.

Workaround: Disabling JavaScript in the browser does not protect against this attack; in vulnerable versions scripts passed through the -chrome option would be executed regardless of the JavaScript setting for web content, much as interpreters for languages such as Perl and Python execute scripts passed on the command line. The NoScript add-on, however, has provided protection against this class of attack since the cross-browser vulnerabilities described by MFSA 2007-23 were discovered. ~ Mozilla Foundation Security Advisory 2007-28

Download

Firefox 2.0.0.7 is now available for Windows, Mac, and Linux for free download from http://getfirefox.com.

References

• QuickTime pwns Firefox
• Mozilla Foundation Security Advisory 2007-28
• About the security content of QuickTime 7.1.5