Software Engineering Institute

Versions of the Mozilla, Firefox, and Thunderbird programs for Microsoft Windows will handle URIs of the form shell: and invoke external programs for certain file types. As a result, external programs located on the system can be invoked if the user clicks on this type of link in an HTML web page, email, or other source. In the event that the program being invoked contains a separate vulnerability, an attacker may be able to leverage the use of the shell: handler as a means to exploit that vulnerability.

Since the ability to invoke programs with the shell: moniker is handled natively by the Windows operating system, any program that passes these URIs off to the operating system (Internet Explorer, Outlook, etc.) exposes a similar vulnerability. Non-Windows versions of the mozilla products listed above do not expose this vulnerability because they do not handle the shell: URIs.

A remote attacker may be able to invoke local programs on the vulnerable system. This could allow the attacker to exploit a separate vulnerability in the external program being invoked or execute malicious programs that were stored on the system by another means. The specific impact of such exploitation would be dependent on the nature of the vulnerability being exploited or the malicious program being invoked.

Apply a patch from the vendor

The Mozilla Project has published patches for this issue. Please see the Systems Affected section of this document for more information.

Workarounds

Disable the shell: protocol handler

Mozilla and Firefox users, particularly those who are unable to apply the patches supplied by the Mozilla Project, are encouraged to consider disabling the shell: protocol handler. This can be accomplished by adding the following line to the prefs.js file:

user_pref("network.protocol-handler.external.shell", false);

or by following these steps:

1. Open the browser, type about:config into the location bar, and hit enter.
2. Right click on any value inside the window and select New -> Boolean.
3. A dialog box titled "New boolean value" should appear. Enter "network.protocol-handler.external.shell" (without the quotation marks) and hit enter.
4. A dialog box titled "Enter boolean value" should appear. Enter "false" into this box and hit enter.