{"vuid":"VU#927014","idnumber":"927014","name":"Mozilla fails to restrict access to the \"shell:\" URI handler","keywords":["Mozilla","Firefox","Thunderbird","arbitrary program execution","shell:"],"overview":"A vulnerability in the way Mozilla and its derived programs handle certain types of links could allow an attacker to run local programs on a vulnerable system.","clean_desc":"Versions of the Mozilla, Firefox, and Thunderbird programs for Microsoft Windows will handle URIs of the form shell:  and invoke external programs for certain file types. As a result, external programs located on the system can be invoked if the user clicks on this type of link in an HTML web page, email, or other source. In the event that the program being invoked contains a separate vulnerability, an attacker may be able to leverage the use of the shell: handler as a means to exploit that vulnerability. Since the ability to invoke programs with the shell: moniker is handled natively by the Windows operating system, any program that passes these URIs off to the operating system (Internet Explorer, Outlook, etc.) exposes a similar vulnerability. Non-Windows versions of the mozilla products listed above do not expose this vulnerability because they do not handle the shell: URIs.","impact":"A remote attacker may be able to invoke local programs on the vulnerable system. This could allow the attacker to exploit a separate vulnerability in the external program being invoked or execute malicious programs that were stored on the system by another means. The specific impact of such exploitation would be dependent on the nature of the vulnerability being exploited or the malicious program being invoked.","resolution":"Apply a patch from the vendor The Mozilla Project has published patches for this issue. Please see the Systems Affected section of this document for more information.","workarounds":"Workarounds Disable the shell: protocol handler Mozilla and Firefox users, particularly those who are unable to apply the patches supplied by the Mozilla Project, are encouraged to consider disabling the shell: protocol handler. This can be accomplished by adding the following line to the prefs.js file: user_pref(\"network.protocol-handler.external.shell\", false); or by following these steps: Open the browser, type about:config into the location bar, and hit enter. Right click on any value inside the window and select New -> Boolean. A dialog box titled \"New boolean value\" should appear. Enter \"network.protocol-handler.external.shell\" (without the quotation marks) and hit enter. A dialog box titled \"Enter boolean value\" should appear. Enter \"false\" into this box and hit enter.","sysaffected":"","thanks":"We believe Keith McCanless originally reported this issue to the Mozilla development team. Joshua Perrymon subsequently published an additional analysis in a public forum.","author":"This document was written by Chad Dougherty with helpful input from Art Manion of the CERT/CC and both Don Krapf and Jared Blazowski at NCS.","public":["http://www.mozilla.org/security/shell.html","http://secunia.com/advisories/12027/","http://www.securityfocus.com/bid/10681","http://www.osvdb.org/displayvuln.php?osvdb_id=7595","http://xforce.iss.net/xforce/xfdb/17035","http://www.securitytracker.com/alerts/2004/Jul/1010669.html"],"cveids":["CVE-2004-0648"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-07-09T12:37:25Z","publicdate":"2004-07-08T00:00:00Z","datefirstpublished":"2004-07-09T19:38:27Z","dateupdated":"2005-06-15T17:15:35Z","revision":28,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"9","cam_population":"15","cam_impact":"10","cam_easeofexploitation":"9","cam_attackeraccessrequired":"20","cam_scorecurrent":"14.68125","cam_scorecurrentwidelyknown":"14.68125","cam_scorecurrentwidelyknownexploited":"24.80625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":14.68125,"vulnote":null}