Mozilla has issued a fix against a security flaw in its Application Suite, Firefox and Thunderbird products that could allow malicious Web sites to use the Windows "shell:" URI handler in an attack.
The Mountain View, Calif.-based provider of open source Web and e-mail applications said the problem was posted on Full Disclosure, a public security mailing list, on Wednesday. "On the same day, the Mozilla security team confirmed the report… and developed the fix," the advisory said. "We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users."
Secunia calls the vulnerability "moderately critical" in its advisory. The Copenhagen, Denmark-based security firm said the problem is that Mozilla fails to restrict access to the "shell:" URI handler, allowing Web sites to invoke "various programs associated with specific extensions." It is not possible to pass parameters to these programs, only filenames, thus limiting the impact of launching applications, the advisory said.
However, it added, "if this issue is combined with an error or a vulnerability in an associated program, it may be possible to execute arbitrary code. Reportedly, this may be possible via a buffer overflow in 'WINDOWSSystem32grpconv.exe,' which by default is associated with the '.grp' extension."
But "only unicode characters can be used, causing exploitation to be more difficult. The error in the associated program does not necessarily need to be classified as a vulnerability, as certain programs aren't designed or meant to be launched in a hostile environment, such as through a Web site and a browser."
The vulnerability affects the Microsoft Windows XP Home Edition and Professional operating systems. The following software is also affected:
- Mozilla 0.x
- Mozilla 1.0
- Mozilla 1.1
- Mozilla 1.2
- Mozilla 1.3
- Mozilla 1.4
- Mozilla 1.5
- Mozilla 1.6
- Mozilla Firefox 0.x
- Mozilla Thunderbird 0.x
The Secunia advisory noted that the "shell:" URI handler is inherently insecure and should only be accessed from a few trusted sites, or not from a browser at all. Multiple exploits in Microsoft's Internet Explorer also use the "shell:" functionality.
Multiple flaws in Internet Explorer have been widely documented, and many in the information security community have advocated ditching the browser in favor of alternatives like Mozilla.
Mozilla described its fix as a configuration change that resolves the problem by explicitly disabling the use of the "shell:" handler. "The fix is available in two forms. The first is a small download which will make this configuration adjustment for the user. The second fix is to install the newest full release of each of these products," Mozilla said in its advisory. "Future versions of Mozilla Firefox will include automatic update notifications, which will make it even easier for users to be alerted to security fixes."