Vulnerability Note VU#927014

Mozilla fails to restrict access to the "shell:" URI handler

Original Release date: 09 Jul 2004 | Last revised: 15 Jun 2005


A vulnerability in the way Mozilla and its derived programs handle certain types of links could allow an attacker to run local programs on a vulnerable system.


Versions of the Mozilla, Firefox, and Thunderbird programs for Microsoft Windows will handle URIs of the form shell: and invoke external programs for certain file types. As a result, external programs located on the system can be invoked if the user clicks on this type of link in an HTML web page, email, or other source. In the event that the program being invoked contains a separate vulnerability, an attacker may be able to leverage the use of the shell: handler as a means to exploit that vulnerability.

Since the ability to invoke programs with the shell: moniker is handled natively by the Windows operating system, any program that passes these URIs off to the operating system (Internet Explorer, Outlook, etc.) exposes a similar vulnerability. Non-Windows versions of the Mozilla products listed above do not expose this vulnerability because they do not handle the shell: URIs.
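
As an added illustration (not part of the original note or of Mozilla's code), the following Python example shows how a mail or web content filter could flag links that use the shell: scheme in HTML before a user is able to click them. The attribute list, the function and class names, and the sample HTML are assumptions constructed for this example.

```python
from html.parser import HTMLParser

# Attributes that can carry a URI the user follows or the client loads
# (an assumed list for this example, not an exhaustive one).
URI_ATTRS = {"href", "src", "action", "background", "data"}
BLOCKED_SCHEMES = {"shell"}  # the handler named in this note
C0_AND_SPACE = "".join(map(chr, range(0x21)))

def normalized_scheme(uri):
    """Return the lower-cased URI scheme, or "" if the value has none."""
    # URL parsers drop tab/CR/LF and trim leading control characters and
    # spaces, so apply the same clean-up before comparing.
    cleaned = "".join(c for c in uri if c not in "\t\r\n").strip(C0_AND_SPACE)
    head, sep, _ = cleaned.partition(":")
    ok = sep and head.isascii() and head[:1].isalpha() and all(
        c.isalnum() or c in "+-." for c in head)
    return head.lower() if ok else ""

class ShellLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, decoded value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in values.
        for name, value in attrs:
            scheme = normalized_scheme(value or "")
            if name in URI_ATTRS and scheme in BLOCKED_SCHEMES:
                self.findings.append((self.getpos()[0], tag, name, value))

def find_shell_links(html_text):
    finder = ShellLinkFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample; PLACEHOLDER stands in for whatever follows the scheme.
SAMPLE = """<html><body>
<a href="https://example.org/shell:not-a-scheme">ordinary link</a>
<a href="shell:PLACEHOLDER">plain</a>
<a href="  SHELL:PLACEHOLDER">upper case, leading spaces</a>
<a href="&#115;hell:PLACEHOLDER">character reference</a>
<img src="images/shell.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, value in find_shell_links(SAMPLE):
        print(f"line {line}: <{tag} {attr}={value!r}>")
```

Matching on the parsed scheme rather than on the substring "shell:" avoids false positives such as the first and last sample lines, where the text appears in a path or file name.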


A remote attacker may be able to invoke local programs on the vulnerable system. This could allow the attacker to exploit a separate vulnerability in the external program being invoked or execute malicious programs that were stored on the system by another means. The specific impact of such exploitation would be dependent on the nature of the vulnerability being exploited or the malicious program being invoked.


Apply a patch from the vendor

The Mozilla Project has published patches for this issue. Please see the Systems Affected section of this document for more information.


Disable the shell: protocol handler

Mozilla and Firefox users, particularly those who are unable to apply the patches supplied by the Mozilla Project, are encouraged to consider disabling the shell: protocol handler. This can be accomplished by adding the following line to the prefs.js file:

    user_pref("", false);

or by following these steps:
  1. Open the browser, type about:config into the location bar, and hit enter.
  2. Right click on any value inside the window and select New -> Boolean.
  3. A dialog box titled "New boolean value" should appear. Enter "" (without the quotation marks) and hit enter.
  4. A dialog box titled "Enter boolean value" should appear. Enter "false" into this box and hit enter.

Systems Affected

Vendor    Status     Date Notified    Date Updated
Mozilla   Affected   -                03 Jun 2005

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



We believe Keith McCanless originally reported this issue to the Mozilla development team. Joshua Perrymon subsequently published an additional analysis in a public forum.

This document was written by Chad Dougherty with helpful input from Art Manion of the CERT/CC and both Don Krapf and Jared Blazowski at NCS.

Other Information

  • CVE IDs: CAN-2004-0648
  • Date Public: 08 Jul 2004
  • Date First Published: 09 Jul 2004
  • Date Last Updated: 15 Jun 2005
  • Severity Metric: 14.68
  • Document Revision: 28

