Joshua Perrymon has reported a vulnerability in Mozilla, Mozilla Firefox, and Mozilla Thunderbird, allowing malicious websites to use Windows "shell:" functionality.
The problem is that Mozilla fails to restrict access to the "shell:" URI handler. This allows websites to invoke various programs associated with specific extensions. It is not possible to pass parameters to these programs, only filenames, thus limiting the impact of launching applications.
However, if this issue is combined with an error or a vulnerability in an associated program, it may be possible to execute arbitrary code. Reportedly, this may be possible via a buffer overflow in "WINDOWS\System32\grpconv.exe", which by default is associated with the ".grp" extension. However, only unicode characters can be used, causing exploitation to be more difficult.
The error in the associated program does not necessarily need to be classified as a vulnerability, as certain programs aren't designed or meant to be launched in a hostile environment - such as through a website and a browser.
The vulnerability affects Mozilla, Mozilla Firefox, Mozilla Thunderbird, and Netscape 7 on the Microsoft Windows XP platform due to the way the "shell:" URI handler is used and implemented on Windows XP.
Reportedly all Gecko based browsers are affected by this issue.
The shell: URI handler is inherently insecure and should only be accessed from a few trusted sites - or not from a browser at all. Multiple exploits in Internet Explorer also utilise "shell:" functionality.
Solution: This has been fixed in the following versions:
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to email@example.com
Subject: Mozilla Fails to Restrict Access to "shell:"
No posts yet
You must be logged in to post a comment.
Secunia Customer Login
Not a customer already?
Learn more about how our market leading Vulnerability Management solutions can help you manage risk and ensure compliance.