# Update your Mozilla! (including T-bird and Firefox)



## jgvernonco (Sep 13, 2003)

TITLE:
Mozilla Fails to Restrict Access to "shell:"

SECUNIA ADVISORY ID:
SA12027

VERIFY ADVISORY:
http://secunia.com/advisories/12027/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass

WHERE:
From remote

OPERATING SYSTEM:
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows XP Professional
http://secunia.com/product/22/

SOFTWARE:
Mozilla 0.x
http://secunia.com/product/772/
Mozilla 1.0
http://secunia.com/product/97/
Mozilla 1.1
http://secunia.com/product/98/
Mozilla 1.2
http://secunia.com/product/3100/
Mozilla 1.3
http://secunia.com/product/1480/
Mozilla 1.4
http://secunia.com/product/1481/
Mozilla 1.5
http://secunia.com/product/2478/
Mozilla 1.6
http://secunia.com/product/3101/
Mozilla Firefox 0.x
http://secunia.com/product/3256/
Mozilla Thunderbird 0.x
http://secunia.com/product/2637/

DESCRIPTION:
Joshua Perrymon has reported a vulnerability in Mozilla, Mozilla
Firefox, and Mozilla Thunderbird, allowing malicious websites to use
Windows "shell:" functionality.

The problem is that Mozilla fails to restrict access to the "shell:"
URI handler. This allows websites to invoke various programs
associated with specific extensions. It is not possible to pass
parameters to these programs, only filenames, thus limiting the
impact of launching applications.

However, if this issue is combined with an error or a vulnerability
in an associated program, it may be possible to execute arbitrary
code. Reportedly, this may be possible via a buffer overflow in
"WINDOWS\System32\grpconv.exe", which by default is associated with
the ".grp" extension. However, only unicode characters can be used,
causing exploitation to be more difficult.

The error in the associated program does not necessarily need to be
classified as a vulnerability, as certain programs aren't designed or
meant to be launched in a hostile environment - such as through a
website and a browser.

The vulnerability affects Mozilla, Mozilla Firefox, and Mozilla
Thunderbird on the Microsoft Windows XP platform due to the way the
"shell:" URI handler is used and implemented on Windows XP.

The shell: URI handler is inherently insecure and should only be
accessed from a few trusted sites - or not from a browser at all.
Multiple exploits in Internet Explorer also utilise "shell:"
functionality.

SOLUTION:
This has been fixed in the following versions:

Mozilla 1.7.1
http://ftp.mozilla.org/pub/mozilla....ozilla1.7.1/mozilla-win32-1.7.1-installer.exe

Mozilla Firefox 0.9.2
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.9.2/FirefoxSetup-0.9.2.exe

Mozilla Thunderbird 0.7.2
http://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/0.7.2/ThunderbirdSetup-0.7.2.exe

PROVIDED AND/OR DISCOVERED BY:
Discovered by:
Joshua Perrymon

Additional research by:
Andreas Sandblad

ORIGINAL ADVISORY:
http://www.mozilla.org/security/shell.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.


----------

