search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Mozilla fails to restrict access to the "shell:" URI handler

Vulnerability Note VU#927014

Original Release Date: 2004-07-09 | Last Revised: 2005-06-15


A vulnerability in the way Mozilla and its derived programs handle certain types of links could allow an attacker to run local programs on a vulnerable system.


Versions of the Mozilla, Firefox, and Thunderbird programs for Microsoft Windows will handle URIs of the form shell: and invoke external programs for certain file types. As a result, external programs located on the system can be invoked if the user clicks on this type of link in an HTML web page, email, or other source. In the event that the program being invoked contains a separate vulnerability, an attacker may be able to leverage the use of the shell: handler as a means to exploit that vulnerability.

Since the ability to invoke programs with the shell: moniker is handled natively by the Windows operating system, any program that passes these URIs off to the operating system (Internet Explorer, Outlook, etc.) exposes a similar vulnerability. Non-Windows versions of the mozilla products listed above do not expose this vulnerability because they do not handle the shell: URIs.


A remote attacker may be able to invoke local programs on the vulnerable system. This could allow the attacker to exploit a separate vulnerability in the external program being invoked or execute malicious programs that were stored on the system by another means. The specific impact of such exploitation would be dependent on the nature of the vulnerability being exploited or the malicious program being invoked.


Apply a patch from the vendor

The Mozilla Project has published patches for this issue. Please see the Systems Affected section of this document for more information.


Disable the shell: protocol handler

Mozilla and Firefox users, particularly those who are unable to apply the patches supplied by the Mozilla Project, are encouraged to consider disabling the shell: protocol handler. This can be accomplished by adding the following line to the prefs.js file:

user_pref("", false);

or by following these steps:

    1. Open the browser, type about:config into the location bar, and hit enter.
    2. Right click on any value inside the window and select New -> Boolean.
    3. A dialog box titled "New boolean value" should appear. Enter "" (without the quotation marks) and hit enter.
    4. A dialog box titled "Enter boolean value" should appear. Enter "false" into this box and hit enter.

    Vendor Information


    Mozilla Affected

    Updated:  June 03, 2005



    Vendor Statement

    We have not received a statement from the vendor.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.


    The Mozilla Project has published a security advisory in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to. Other Mozilla-based browsers may also be affected.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    CVSS Metrics

    Group Score Vector



    We believe Keith McCanless originally reported this issue to the Mozilla development team. Joshua Perrymon subsequently published an additional analysis in a public forum.

    This document was written by Chad Dougherty with helpful input from Art Manion of the CERT/CC and both Don Krapf and Jared Blazowski at NCS.

    Other Information

    CVE IDs: CVE-2004-0648
    Severity Metric: 14.68
    Date Public: 2004-07-08
    Date First Published: 2004-07-09
    Date Last Updated: 2005-06-15 17:15 UTC
    Document Revision: 28

    Sponsored by CISA.