mozillaZine.org: Your Source for Daily Mozilla News and Advocacy (feed generated 2007-08-06T22:01:29-08:00; Copyright 1998-2007 MozillaZine)

SeaMonkey 1.1.4 Released (mozillaZine.org, 2007-08-06T14:48:50-08:00)

Robert "KaiRo" Kaiser has announced the release of SeaMonkey 1.1.4. This upgrade to the all-in-one Internet suite fixes several security issues, detailed in the SeaMonkey 1.1.4 section of the Mozilla Foundation Security Advisories page. The three issues listed, which include a SeaMonkey variant of the firefoxurl:// security flaw, also affected Mozilla Firefox and Mozilla Thunderbird (they were patched in those applications' 2.0.0.5 and 2.0.0.6 releases).

All SeaMonkey users are urged to upgrade, including users of the now unsupported SeaMonkey 1.0.x (last updated when SeaMonkey 1.0.9 was released simultaneously with SeaMonkey 1.1.2 in May). The SeaMonkey team is also urging users of the Mozilla Application Suite, Netscape 7, Netscape 6 and Netscape Communicator 4.x to upgrade to SeaMonkey 1.1.4. "All those older software packages suffer from a large and steadily increasing number of security vulnerabilities because they are no longer being maintained," KaiRo explains. "SeaMonkey 1.1.4 is a modern, drop-in replacement, providing the same familiar suite functionality with additional features and fully up to date security fixes." The SeaMonkey project is a community-driven continuation of the Mozilla Application Suite, which formed the basis of Netscape 6 and 7 and shares similarities with Netscape Communicator 4.x.

SeaMonkey 1.1.4 can be downloaded from www.seamonkey-project.org. More details can be found in the SeaMonkey 1.1.4 Release Notes.

Mozilla Thunderbird 2.0.0.6 Released (mozillaZine.org, 2007-08-02T06:49:45-08:00)

The Mozilla Corporation has released Mozilla Thunderbird 2.0.0.6. This update fixes two security issues, which are detailed in the Thunderbird 2.0.0.6 section of the Mozilla Foundation Security Advisories page (they're the same bugs that were eliminated in the equivalent Mozilla Firefox 2.0.0.6 release earlier this week).

The latest version of Thunderbird can be downloaded from the Thunderbird product page and will be offered to existing Thunderbird 2 users via the software update system. More general information about Thunderbird 2.0.0.6 can be found in the Thunderbird 2.0.0.6 Release Notes. An update to the Thunderbird 1.5 line is expected shortly.

Second Air Mozilla Features Trio of Mozilla Contributors and OSCON Presentation (mozillaZine.org, 2007-07-31T20:17:01-08:00)

The second edition of the Air Mozilla video webcast will take place on Wednesday 1st August at 3:00pm Pacific Daylight Time (10:00pm UTC/GMT). Hosted by Asa Dotzler, the show will feature Bret Reckard, who works on recruitment for the Mozilla Corporation, JT Batson, who is currently working on the new Firefox support project, and Seth Bindernagel, who coordinates the community giving programme, which shares Mozilla's riches with valuable volunteers. The programme will end with a broadcast of Mitchell Baker's OSCON 2007 presentation.

Viewers can watch the webcast at air.mozilla.com, which will require the Adobe Flash Player 9 plugin (the video will be available to download in a variety of formats after the live broadcast). A discussion will take place alongside the show in the #airmozilla channel on irc.mozilla.org. During the webcast, viewers will be able to send questions for the guests to the airmozilla user on either the AIM, Yahoo! Messenger or Google Talk networks. Questions can also be emailed to airmozilla@mozilla.com before or during the show.

Spread Firefox has a post with more details about Wednesday's Air Mozilla.

Mozilla Firefox 2.0.0.6 Released (mozillaZine.org, 2007-07-31T10:42:24-08:00)

Mozilla Firefox 2.0.0.6 has been released. This browser upgrade fixes two security flaws, which are detailed in the Firefox 2.0.0.6 section of the Mozilla Foundation Security Advisories page.

The more serious flaw involves Firefox not percent-encoding spaces and double quotes in URLs passed to helper applications, which can allow malicious webpages to open programs with potentially dangerous command line parameters. The other vulnerability is a privilege elevation bug involving extensions, which was accidentally introduced in Firefox 2.0.0.5.

The URL protocol handling flaw belongs to the same class of vulnerability as the firefoxurl:// URL issue fixed in Firefox 2.0.0.5: in both cases a URL is substituted into a command line without escaping, so an attacker can inject additional command line parameters. In the original firefoxurl:// exploit, an attacker could use Microsoft Internet Explorer to launch Firefox with malicious command line parameters. In the flaw fixed in Firefox 2.0.0.6, Firefox is instead the attack vector, starting other applications with dangerous arguments. The attack could be extended to execute any program in a known location, possibly passing it dangerous command line parameters.

Whether or not it's Firefox's responsibility to ensure that data passed to external applications is (relatively) safe is a matter for debate. When the original firefoxurl:// URL vulnerability was discovered, Microsoft claimed that IE was not at fault. However, as Mozilla maintained at the time that the blame lay with IE, it would have been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that "defense in depth is the best way to protect people" (although that weblog post says that only Windows is affected, discussion in bug 389106 indicates that Linux and Mac OS X may also be vulnerable).

Firefox prompts the user before launching most helper applications and shows the command line parameters, so users of vulnerable versions would receive some warning of an attack (though only savvy users are likely to be knowledgeable enough to distinguish between safe and malicious command lines). However, some protocols related to email and newsgroups (specifically, mailto, news, nntp and snews) do not prompt the user before launching an external application, so vulnerable mail and newsgroup applications could be exploited with minimal user intervention (Thunderbird 2.0.0.4 and earlier is one such application, due to its variant of the firefoxurl:// problem).

More details about Firefox 2.0.0.6 can be found in the Firefox 2.0.0.6 Release Notes. The new version can be downloaded from the Firefox 2.0.0.6 product page. Existing Firefox 2 users with the software update feature enabled (it's on by default) will be prompted to upgrade. Equivalent releases of Thunderbird (both 2 and 1.5) and SeaMonkey are expected soon.

Mozilla Thunderbird to Find New Home as Mozilla Foundation Focuses on Mozilla Firefox (mozillaZine.org, 2007-07-26T08:34:39-08:00)

On her weblog, Mozilla Corporation CEO Mitchell Baker has announced that Mozilla Thunderbird is to move to a "new, separate organizational setting" as the Mozilla Foundation continues to focus ever more closely on Mozilla Firefox.

While the Mozilla Foundation supports a number of projects, its taxable subsidiary the Mozilla Corporation is responsible for only Firefox and Thunderbird. However, it has become increasingly clear that Firefox is the priority. The resources allocated to Firefox dwarf those allocated to Thunderbird and recent projects such as the initiative to improve Mozilla support exclude Thunderbird.

Mitchell outlines three possible options for a new organisational structure for Thunderbird. One is to create an entirely new non-profit, which would offer maximum independence for Thunderbird but is organisationally complex. A second option is to create a new subsidiary of the Mozilla Foundation for Thunderbird, which would keep the Mozilla Foundation involved but may mean that Thunderbird continues to be neglected in favour of Firefox. A final option is to recast Thunderbird as a community project, similar to SeaMonkey, and set up a small independent services and consulting company to continue development. However, there are concerns over how the Thunderbird product, project and company would interact.

On his new weblog, lead Thunderbird developer Scott MacGregor has posted his thoughts on finding a new home for Thunderbird. He states that he favours the third option. Scott explains that this means that Thunderbird would continue to use Mozilla Foundation infrastructure, such as the CVS repository and Bugzilla, and the new company would perform a similar role for Thunderbird as the Mozilla Corporation does for Firefox, developing, releasing and supporting the application.

Observers of the Mozilla community may have seen Thunderbird's new home coming. In April, former Firefox lead developer Ben Goodger wrote a weblog post discussing autonomy for non-Firefox projects. He suggested renaming the Mozilla Corporation to the Firefox Corporation and pointed to a newsgroup message in which Mozilla Corporation CTO Brendan Eich declared "Thunderbird will have to fly free". Ten days later, Mitchell Baker wrote a weblog post on the Mozilla Foundation's focus on Firefox, stating that the Foundation's resources would be used to "assist other Mozilla participants and projects, but not equally with Firefox and not at significant cost to Firefox".

Update: In the text above, the sentence "While the Mozilla Foundation supports a number of projects, its taxable subsidiary the Mozilla Corporation is responsible for only Firefox and Thunderbird" was potentially misleading. The Corporation provides significant support to projects other than Firefox and Thunderbird in terms of hardware, services and personnel.

It would be more accurate to say that Firefox and Thunderbird are Mozilla products, which means that they get released, distributed and supported as end-user applications by the Corporation. Other applications, such as SeaMonkey and Camino, are Mozilla projects, which are made into products by volunteers or other organisations, if at all.

Thanks to Asa Dotzler for the clarification in comment 26 and comment 30 on this article.

Staging Site for Firefox Support Knowledge Base Ready (mozillaZine.org, 2007-07-20T17:23:30-08:00)

Chris Ilias writes: "The staging site for the new Firefox Support knowledge base is now up and running, and we're looking for people to help contribute content. We have an initial list of articles we would like created for the alpha version, so feel free to create an account, assign yourself to an article, and create it. Our primary goal, right now, is core content. So if you're not familiar with tikiwiki, feel free to create articles without markup.

"As more articles are drafted, there are more ways you can contribute, such as reviewing the accuracy of information, reviewing compliance with the best practices page, proofreading, marking up articles with tikiwiki code, and even creating screenshots.

"Get started now by following the instructions on our Get Started Now page, and thank you to everyone who contributes."

SeaMonkey 1.1.3 Released (mozillaZine.org, 2007-07-20T17:19:43-08:00)

Robert Kaiser wrote in to inform us of the release of SeaMonkey 1.1.3, which contains fixes for several security vulnerabilities and a number of smaller problems found in previous versions.

The SeaMonkey team strongly urges users of the old Mozilla Suite and Netscape 4, 6 or 7 to upgrade to SeaMonkey 1.1.3, as those software packages suffer from an increasing number of security vulnerabilities and are no longer being maintained.

SeaMonkey 1.1.3 is available for download from the SeaMonkey Project Website.

Mozilla Thunderbird 2.0.0.5 Released (mozillaZine.org, 2007-07-20T17:11:43-08:00)

Mozilla Thunderbird 2.0.0.5 has been released and is currently being distributed to Thunderbird 2 users via the application's built-in software update system. The upgrade fixes security bugs, which are detailed in the Thunderbird 2.0.0.5 section of the Mozilla Foundation Security Advisories page.

Thunderbird 2.0.0.5 can be downloaded from the Thunderbird product page. The Mozilla Thunderbird 2.0.0.5 Release Notes contain more general information about the upgrade.

Mozilla Firefox 2.0.0.5 Released with Fix for firefoxurl:// Exploit (mozillaZine.org, 2007-07-18T05:15:48-08:00)

Mozilla Firefox 2.0.0.5 has been released and is currently being distributed to Firefox 2 users via the application's built-in software update system. The browser upgrade fixes several security bugs, which are detailed in the Firefox 2.0.0.5 section of the Mozilla Foundation Security Advisories page.

Firefox 2.0.0.5 includes a fix for the firefoxurl:// security exploit, which allows an attacker to use Microsoft Internet Explorer to trick Firefox into executing malicious code. Whether Firefox or IE is responsible for the flaw has been a matter of debate over the past week. The Mozilla Foundation security advisory about the firefoxurl:// issue maintains that it's a problem in IE and notes that other applications could be exploited in the same way. Others have argued that it's Firefox's responsibility to vet incoming data (something 2.0.0.5 now does).

Firefox 2.0.0.5 can be downloaded from the Firefox product page. The Firefox 2.0.0.5 Release Notes contain more general information about the upgrade. A similar update for Mozilla Thunderbird is expected shortly.

Mozilla Thunderbird 2.0.0.4 Released (mozillaZine.org, 2007-07-12T17:13:30-08:00)

Mozilla Thunderbird 2.0.0.4 was released on Thursday 14th June. This update to the Mozilla Corporation's mail client includes bug fixes but no new features. For the first time, this release of Thunderbird is available in Korean.

The Thunderbird 2.0.0.4 section of the Mozilla Foundation Security Advisories page includes details about the security flaws fixed in this release while The Rumbling Edge has a complete Thunderbird 2.0.0.4 changelog. More general details can be found in the Thunderbird 2.0.0.4 Release Notes.

This is the first minor update to Thunderbird 2 since the launch of Thunderbird 2.0.0.0 in April; the version number was selected to match that of the latest Mozilla Firefox release.

The older Thunderbird 1.5 will continue to be supported until Thursday 18th October this year. Thunderbird 1.5.0.12 was released last month with the same security fixes as 2.0.0.4.

While Thunderbird 2.0.0.4 can be downloaded from the Thunderbird product page, most existing Thunderbird 2 users will have received it via the software update mechanism built in to the program.

Security Exploit Uses Internet Explorer to Attack Mozilla Firefox (mozillaZine.org, 2007-07-11T07:32:00-08:00)

Firefox_User sent us a link to a CNET News.com article about a security threat to Windows users with both Mozilla Firefox and Microsoft Internet Explorer installed. The issue can allow an attacker to remotely trick Firefox into executing potentially malicious code. However, a user has to be running Internet Explorer to actually get exploited.

Security researcher Thor Larholm has published a description of how the security flaw works, including a proof-of-concept (though some have reported that they cannot get this to work). When installed on Windows, Firefox registers a URL protocol handler to handle firefoxurl:// URLs (this works much like a http:// or ftp:// URL protocol handler). If an IE user visits a webpage that tries to call a firefoxurl:// URL (for example, using an iframe), IE will launch Firefox with no further prompting, passing it the URL. Neither IE nor Firefox escape or sanitise the URL, which allows an attacker to inject additional parameters into the command line used to invoke Firefox. Used in combination with the -chrome parameter, the attacker can make Firefox execute dangerous JavaScript code.
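The injection described above, as an added worked example that is not code from Mozilla, Microsoft or the researchers cited. It models both directions covered on this page: IE substituting an unescaped firefoxurl:// URL into Firefox's registered handler command (the 2.0.0.5 fix), and Firefox substituting a URL into a helper application's command line (the 2.0.0.6 fix, which the article describes as percent-encoding spaces and double quotes). The handler templates, the attack URLs and the switch name `-hypothetical-switch` are constructed assumptions (only `-chrome` is a real Firefox switch named in the text); the argv splitter is a simplified model of Windows CommandLineToArgvW quoting rules.

```python
"""Argument injection through a URL protocol handler.

Added example modelled on the firefoxurl:// flaw (IE launching Firefox with an
unescaped URL) and on the reverse case fixed in Firefox 2.0.0.6 (Firefox
launching a helper application). Not Mozilla or Microsoft code. The handler
templates, URLs and switch names below are constructed assumptions; the argv
splitter is a simplified model of CommandLineToArgvW (backslash-quote handling
included, the doubled-quote escape inside a quoted argument omitted).
"""
from urllib.parse import quote

# Assumed protocol-handler registrations, shaped like HKCR\<scheme>\shell\open\command
# entries but not the exact values either product wrote to the registry.
FIREFOXURL_HANDLER = r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url "%1" -requestPending'
MAILTO_HANDLER = r'"C:\Program Files\Mail Client\mail.exe" -compose "%1"'

# Constructed attacker-controlled URLs. The embedded double quote closes the quoted
# %1 argument, so everything after it is parsed as additional switches. "-chrome" is
# the real Firefox switch named in the article; "-hypothetical-switch" is made up.
FIREFOXURL_ATTACK = 'firefoxurl://x" -chrome "javascript:alert(1)'
MAILTO_ATTACK = 'mailto:a@example.invalid" -hypothetical-switch "payload'


def split_windows_cmdline(cmdline):
    """Split a command line into argv the way CommandLineToArgvW does (simplified).

    Whitespace separates arguments unless inside double quotes. 2n backslashes
    before a quote yield n backslashes and the quote toggles quoting; 2n+1
    backslashes yield n backslashes and a literal quote; other backslashes are literal.
    """
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')          # escaped literal quote
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)     # backslashes not before a quote are literal
                i = j
            have_arg = True
            continue
        if c == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def escape_for_cmdline(url):
    """Percent-encode the characters the argv parser treats specially (double quote,
    whitespace, backslash) and anything else outside the URL character set, leaving
    RFC 3986 reserved characters and existing %XX escapes alone. This is the shape
    of the fix the article attributes to Firefox 2.0.0.6."""
    return quote(url, safe="%:/?#[]@!$&'()*+,;=")


def launch_argv(template, url, escape):
    """argv the handler process receives when `url` is substituted for %1."""
    arg = escape_for_cmdline(url) if escape else url
    return split_windows_cmdline(template.replace("%1", arg))


def injected_switches(template, url):
    """Switches present in argv only because the URL was substituted unescaped."""
    expected = set(launch_argv(template, url, escape=True))
    return [a for a in launch_argv(template, url, escape=False)
            if a.startswith("-") and a not in expected]


if __name__ == "__main__":
    for name, template, url in (("firefoxurl", FIREFOXURL_HANDLER, FIREFOXURL_ATTACK),
                                ("mailto", MAILTO_HANDLER, MAILTO_ATTACK)):
        print(f"{name} raw:      {launch_argv(template, url, escape=False)}")
        print(f"{name} escaped:  {launch_argv(template, url, escape=True)}")
        print(f"{name} injected: {injected_switches(template, url)}")
```

Running the file prints the argv the handler would see with and without escaping: the raw substitution turns one `-url` argument into `-url`, `-chrome` and a `javascript:` URL, while the percent-encoded form stays a single argument. `injected_switches` is the check to apply to any handler registration whose template quotes `%1` but whose caller does not escape the substituted value.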

There's some debate as to where the blame lies — is it IE for passing untrusted data to another application or Firefox for not validating input properly? SecurityFocus refers to the problem as a Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability, placing the blame with Redmond, while Secunia calls it a Firefox "firefoxurl" URI Handler Registration Vulnerability, pointing the finger at Mozilla. News.com quotes Oliver Friedrichs of Symantec's Security Response Center, who says, "It's a little bit of both."

On the official Mozilla Security Blog, the Mozilla Corporation's Window Snyder (who used to work for Microsoft) says that a fix will be included in the forthcoming Firefox 2.0.0.5. That said, she seems to suggest that she considers this to be mostly a problem with IE, noting that Apple fixed a similar issue with Safari recently. However, according to the ZDNet Zero Day security weblog, Microsoft claims the firefoxurl:// bug "is not a vulnerability in a Microsoft product".

On his weblog, Jesper Johansson (who also used to work for Microsoft), says the firefoxurl:// flaw is a Mozilla problem. He also provides instructions for unregistering the URL protocol handlers.

Thanks to roseman for some of the links used in this report.

Air Mozilla Relaunches with Live Mitchell Baker Interview on Wednesday (mozillaZine.org, 2007-07-10T18:44:02-08:00)

The Air Mozilla video webcast will return on Wednesday 11th July when Mozilla Corporation CEO Mitchell Baker answers questions in a live interview. The broadcast will begin at 2:00pm Pacific Daylight Time (9:00pm UTC/GMT) and is scheduled to last one hour.

Asa Dotzler, who will be hosting the segment, has posted some details about the relaunch of Air Mozilla. According to his post, Mitchell will talk about the state of the Mozilla project and answer questions from the audience. Asa hopes that Air Mozilla will become a regular feature, growing to feature "not just interviews, but screencasts with tips and tricks, news segments, and other community generated content."

Viewers can watch the webcast at air.mozilla.com, which will require the Adobe Flash Player 9 plugin (available for Windows, Linux and Mac OS X). A discussion will take place alongside the broadcast in the #airmozilla channel on irc.mozilla.org. During the show, viewers will be able to ask Mitchell questions by sending a message to the airmozilla user on either the AIM, Yahoo! Messenger or Google Talk networks. Questions can also be emailed to airmozilla@mozilla.com before or during the webcast.

Paul Kim has said that he is unhappy that the live Air Mozilla webcast will require the proprietary Flash Player. He has promised that the video will be made available in several formats after broadcast, including a recording encoded with the open Theora codec.

The first Air Mozilla webcast marked the launch of Mozilla Firefox 1.0 in late 2004.
