The problems with firefox continues, and again around the same issue, the way the browser handles links, in which way remote attackers can take over the system:
The bug is within mailto, nntp, news and snews protocol handlers.
The sooner they build NoScript into the main firefox functionality the better and to cater for those that love it and those that loath it, the ability to enable or disable it according to their needs.
There are some that rail against the fact that they have to continually allow sites permission are the people that are more likely to be able to take care of themselves.
But for the masses this could be a life saver and in the course of normal browsing doesn’t get in the way that much. Once you have allowed your regularly visited trusted sites it is even less obtrusive.
Right click on link…select open in new tab and just clicking on a link loads a link in the background
is working fine here Bob latest NS and FF. Have you had a look at about:config settings?
Thanks Peter
I have the browser set to open links in a new tab.
Now it takes 2 steps. Right click and select open in a new tab.
If I just left click on a link (which is what I always did) I get a black screen and it then opens in the same window.
It should still work in the same way with NoScript, but you may have to allow about:blank in NoScript as the new tab is a blank page first before it loads the new page. So when you have a blank page displayed and check NoScript and you will see scripts are blocked, I think javascript is used to open links in a new tab.
I also use the center button/wheel of the mouse on a link and that opens it in a new tab.
But this sure is not the end of it. You will be surprised to find how many URL Handlers you have registered that could mean a potential sitting duck for this kind of remote exploit. To see what holes there will be in store for you, and to be able to find further leaks, here is a “Dump URL Handlers”(DUH!) script to find what is vulnerable on your system in relation to FF, according to me it is the tip of the iceberg, but we have been protected since July 22nd by No Script. If someone here does not install NoScript inside Firefox or Flock right away, he or she does not care about browser security, and if compromised has only him- or herself to blame.
Oh the link to the DUH! script: http://erik.cabetas.com/stuff/lameware/DUH.vbs
So what can we expect next, I did a minor exploration, in the pipeline are exploits for
URL Handlers vulnerable:
C:\Program Files\Adobe\Acrobat7.c\Reader\Acro Rd32.exe/ “%|”
CalToProtocol rundl32.exe msconf.dll, CallToProtocolHandler %|
FIREFOX.EXE - request pending -osint - url “%|”
URL:File Transfer Protocol “C:\Program Files\Internet Explorer\IEXLORE.EXE”%|
gopher URL: gopher protocol “C:\Program Files\Internet Explorer\iexplore.exe” nohome
HelpCenter Pluggable Protocol "C:\WINDOWS\PCHealth\HelpClr\Binairies\HelpCtrl.exe"From HCP -url "%| …
etc, etc. etc.
There is still something in the pipeline (literary) in the way of these URL-handling exploits, and they aren’t really that extremely intricate to build (|||“%” ;D), for those that do not use FF that much, you could remove the URL-handling protocols from your registry, and later when the tide has calmed out put them back on again, the way to do this is given in this link: http://msinfluentials.com/blogs/jesper/archive/2007/07/10/blocking-the-firefox-gt-ie-0-day.aspx