Vulnerability Note VU#927014
Mozilla fails to restrict access to the "shell:" URI handler
A vulnerability in the way Mozilla and its derived programs handle certain types of links could allow an attacker to run local programs on a vulnerable system.
Versions of the Mozilla, Firefox, and Thunderbird programs for Microsoft Windows will handle URIs of the form shell: and invoke external programs for certain file types. As a result, external programs located on the system can be invoked if the user clicks on this type of link in an HTML web page, email, or other source. In the event that the program being invoked contains a separate vulnerability, an attacker may be able to leverage the use of the shell: handler as a means to exploit that vulnerability.
Since the ability to invoke programs with the shell: moniker is handled natively by the Windows operating system, any program that passes these URIs off to the operating system (Internet Explorer, Outlook, etc.) exposes a similar vulnerability. Non-Windows versions of the Mozilla products listed above do not expose this vulnerability because they do not handle the shell: URIs.
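The following Python example is added here for illustration; it is not part of the original note and is not Mozilla's fix. It shows the kind of scheme restriction the note says was missing: link schemes are normalized and checked against an allowlist before any URI is handed to the operating system. The allowlist, the function names, and the sample markup (with placeholder link targets) are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Assumption: schemes this hypothetical application is willing to follow.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# URL parsers in browsers drop tab/CR/LF anywhere in the input and trim
# leading control characters and spaces, so the check must do the same.
INNER_WS = re.compile(r"[\t\r\n]")
LEADING = "".join(chr(c) for c in range(0x21))

def link_scheme(href):
    """Return the lowercased scheme of href, or None for a relative reference."""
    cleaned = INNER_WS.sub("", href).lstrip(LEADING)
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None

def is_allowed(href):
    """Relative references and allowlisted schemes pass; everything else is refused."""
    scheme = link_scheme(href)
    return scheme is None or scheme in ALLOWED_SCHEMES

class LinkAuditor(HTMLParser):
    """Collects (tag, attribute, scheme) for every URL attribute that fails the check."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.flagged = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value and not is_allowed(value):
                self.flagged.append((tag, name, link_scheme(value)))

def audit_html(markup):
    auditor = LinkAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.flagged

# Constructed sample input; the link targets are placeholders, not real paths.
SAMPLE = """<a href="https://example.com/">web</a>
<a href="docs/readme.html">relative</a>
<a href="ShElL:PLACEHOLDER">mixed case</a>
<img src=" sh\tell:PLACEHOLDER">
<a href="mailto:user@example.com">mail</a>"""

if __name__ == "__main__":
    for tag, attr, scheme in audit_html(SAMPLE):
        print(f"refused <{tag} {attr}> with scheme {scheme!r}")
```

The same `is_allowed` gate can sit in front of whatever call passes a clicked link to the operating system, so that a scheme with no allowlist entry is never dispatched.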
A remote attacker may be able to invoke local programs on the vulnerable system. This could allow the attacker to exploit a separate vulnerability in the external program being invoked or execute malicious programs that were stored on the system by another means. The specific impact of such exploitation would be dependent on the nature of the vulnerability being exploited or the malicious program being invoked.
Apply a patch from the vendor
or by following these steps:
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Mozilla | Affected | - | 03 Jun 2005 |
We believe Keith McCanless originally reported this issue to the Mozilla development team. Joshua Perrymon subsequently published an additional analysis in a public forum.
This document was written by Chad Dougherty with helpful input from Art Manion of the CERT/CC and both Don Krapf and Jared Blazowski at NCS.
- CVE IDs: CAN-2004-0648
- Date Public: 08 Jul 2004
- Date First Published: 09 Jul 2004
- Date Last Updated: 15 Jun 2005
- Severity Metric: 14.68
- Document Revision: 28
If you have feedback, comments, or additional information about this vulnerability, please send us email.