In the security world, timelines are everything.
6 Sep 2005: Mozilla receives a bug report from Security Protocols’ researcher Tom Ferris.
8 Sep 2005: Although no fix is yet available, Security Protocols goes public with its warning that one simple line in a web page can allow remote black hats to seize control of your computer. Sadly, the report includes the very line an attacker would embed.
9 Sep 2005: Mozilla volunteers issue a patch, and… easier yet… instructions (see below). CNET, whose source was presumably Security Protocols, says the bug report was actually filed on Sunday, the 4th, instead of the 6th. Tom Ferris charges Mozilla’s “public statements on this matter of fact are incorrect and misleading,” and asks ominously, ”What are you going to do about that?” No response from Mozilla.
13 Sep 2005: A petulant Security Protocols announces to the world (again) that the patch doesn’t fix the problem, and proceeds to show the world how to get around the patch (again). Mozilla responds that damage is now restricted to crashing your computer, not taking it over, and a complete fix is on its way.
So where’s the uproar? Like we said, timelines are everything. Before publishing, Security Protocols either gave Mozilla four days to fix the bug, or two. In a similar vein, Security Protocols is either breaking industry courtesy protocols by publishing before the fix is ready, or not.
As we don’t have subpoena power, we’ll leave that one for you.
How To Stop The Remote Takeover
The culprit is International Domain Name (IDN) processing. Your objective: Toggle network.enableIDN to false. Here’s how:
In the address bar, type:
about:config
When the filter bar shows up in the browser, type:
IDN
Click on the network.enableIDN parameter. If you’re using Firefox, click on it until the network.enableIDN value equals false. Mozilla users must shoulder more work by typing “false” in the popup.
There are no save buttons. Just type a destination in your address bar and surf.
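Because there is no save button, it is worth confirming the change actually landed in the profile. The following is an added example, not part of the original post: it reads the text of a profile's prefs.js (and optional user.js) and reports the effective network.enableIDN value. It assumes the standard user_pref("name", value); line format and that the built-in default is true when the pref is absent; the sample file contents are constructed.

```python
import re

# Matches lines such as: user_pref("network.enableIDN", false);
# Anchoring at line start skips commented-out entries ("// user_pref(...)").
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line; later lines win."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        prefs[name] = raw
    return prefs

def idn_enabled(prefs_js, user_js=""):
    """Effective network.enableIDN value for one profile.

    user.js is applied on top of prefs.js at startup, so it wins.
    If neither file sets the pref, the built-in default applies; this
    example ASSUMES that default is true (IDN on).
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    raw = merged.get("network.enableIDN", "true")
    return raw.strip().lower() != "false"

# Constructed sample profile contents (not taken from a real machine).
SAMPLE_UNCHANGED = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
'''
SAMPLE_MITIGATED = SAMPLE_UNCHANGED + 'user_pref("network.enableIDN", false);\n'
SAMPLE_COMMENTED = SAMPLE_UNCHANGED + '// user_pref("network.enableIDN", false);\n'

if __name__ == "__main__":
    for label, text in [("unchanged", SAMPLE_UNCHANGED),
                        ("mitigated", SAMPLE_MITIGATED),
                        ("commented-out", SAMPLE_COMMENTED)]:
        state = "still ENABLED" if idn_enabled(text) else "disabled"
        print(f"{label}: IDN {state}")
```

Close the browser before reading prefs.js from disk, since the file is rewritten on exit.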
