__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

               'shell:' Protocol Security Issue
           [Mozilla Security Advisory of 7/8/04]

July 12, 2004 17:00 GMT                                           Number O-175
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the way Mozilla programs running on
               the Windows operating system handle URIs of the form 'shell:'.
               The affected products are the Mozilla application suite, the
               Firefox web browser, and the Thunderbird email and newsgroup
               client. Versions of this software running on other operating
               systems are not exposed, since the 'shell:' URI scheme is
               Windows-specific and is not handled there.
PLATFORM:      Mozilla versions prior to 1.7.1, Firefox versions prior to
               0.9.2, and Thunderbird versions prior to 0.7.2 (all running on
               Windows 2000 or Windows XP only)
DAMAGE:        The Mozilla programs fail to restrict access to the Windows
               'shell:' URI handler. There are no known exploits, but the
               vulnerability is exploitable in principle: an attacker may
               cause certain file types to be executed on the local system,
               or possibly trigger a buffer overflow that leads to execution
               of arbitrary code.
SOLUTION:      Apply security updates.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A remote attacker may be able to execute
ASSESSMENT:    code on the local system. Mozilla, Firefox and Thunderbird are
               becoming more widely used.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-175.shtml
 ORIGINAL BULLETIN:  http://www.mozilla.org/security/shell.html
 ADDITIONAL LINK:    US-CERT Vulnerability Note VU#927014
                     http://www.kb.cert.org/vuls/id/927014
______________________________________________________________________________

[***** Start Mozilla Security Advisory of 7/8/04 *****]

What Mozilla users should know about the shell: protocol security issue

On July 7 a security vulnerability affecting browsers for the Windows
operating system was reported to mozilla.org by Keith McCanless, and was
subsequently posted to Full Disclosure, a public security mailing list. On
the same day, the Mozilla security team confirmed the report of this
security issue affecting the Mozilla Application Suite, Firefox, and
Thunderbird and discussed and developed the fix at Bugzilla bug 250180.

We have confirmed that the bug affects only users of Microsoft's Windows
operating system. The issue does not affect Linux or Macintosh users.

On July 8th, the Mozilla team released a configuration change which
resolves this problem by explicitly disabling the use of the shell:
external protocol handler. The fix is available in two forms. The first is
a small download which will make this configuration adjustment for the
user. The second fix is to install the newest full release of each of these
products. Instructions on administering these changes can be found below.

How to update

Mozilla, Firefox and Thunderbird users on Microsoft Windows operating
systems should update in one of the following ways.

* To install the security patch for Mozilla or Firefox, follow these
  instructions:
    1. Click Install Patch.
    2. In the Software Installation window, click the "Install Now" button.
    3. Exit and restart your Mozilla or Firefox browser.
* To verify the fix in your Firefox or Mozilla application, be sure to
  restart the browser and then follow these steps:
    1. Type about:config into the address field and hit Enter.
    2. In the Filter toolbar, type shell.
    3. Look for the preference listing
       network.protocol-handler.external.shell.
    4. If you see the preference listed with the value of false then your
       application has been patched.

* To install the security patch for Thunderbird, follow these instructions:
    1. Right-click the Patch and choose "Save Link As".
    2. Save the file, shellblock.xpi, to your Desktop.
    3. In Thunderbird, go to the Tools menu and select the Extensions item.
    4. In the resulting Extensions window, click the "Install" button.
    5. Use the Windows file picker to select the shellblock.xpi file from
       your Desktop and click OK to dismiss the file picker.
    6. Click OK on the Software Installation window.
    7. Exit and restart Thunderbird.

* To download and install the new Mozilla releases, follow the instructions
  below:

  Mozilla:
    1. Download Mozilla 1.7.1 to your Desktop and double-click the
       mozilla-win32-1.7.1-installer.exe icon.
    2. Follow the instructions in the Mozilla Install wizard.

  Firefox:
    1. Download Firefox 0.9.2 to your Desktop and double-click the
       FirefoxSetup-0.9.2.exe icon.
    2. Follow the instructions in the Firefox Install wizard.

  Thunderbird:
    1. Download Thunderbird 0.7.2 to your Desktop and double-click the
       ThunderbirdSetup-0.7.2.exe icon.
    2. Follow the instructions in the Thunderbird Install wizard.

We value our users' safety and security and will continue to make all
efforts to release secure products and respond quickly when security
vulnerabilities are identified in our software. Future versions of Mozilla
Firefox will include automatic update notifications, which will make it
even easier for users to be alerted to security fixes.
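The about:config check above verifies one machine by hand. The script below
is an added example (CIAC's bulletin and the Mozilla advisory contain no code)
that performs the same check against the text of a profile's prefs.js or
user.js, which is what an administrator auditing many Windows workstations
would script instead. It assumes the standard user_pref("name", value); line
format of Mozilla preference files, and that user.js overrides prefs.js; the
preference name comes from the advisory's verification step. The sample
preference files are constructed for the example, not taken from a real
profile.

```python
# Added example: audit a Mozilla/Firefox/Thunderbird profile for the
# shell: protocol kill switch set by the July 2004 fix.
import re
from pathlib import Path

# The preference the fix sets to false; the advisory's verification step
# checks it via about:config.
PREF = "network.protocol-handler.external.shell"

# The line a user.js would need to force the same setting by hand.
# (Assumption: standard user_pref() syntax of Mozilla preference files.)
BLOCK_LINE = 'user_pref("%s", false);' % PREF

# user_pref("name", value);  -- one preference per line
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line in a prefs file.

    A later line for the same name wins, matching how the products read the
    file. Comment lines and blank lines are ignored.
    """
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def shell_handler_status(text):
    """Classify a prefs file with respect to the shell: handler.

    'blocked'  - the pref is explicitly false (what the patch writes)
    'enabled'  - the pref is present but not false
    'unset'    - the pref is absent, so the build's default applies; on the
                 versions listed under PLATFORM that default is the
                 vulnerable state
    """
    value = parse_prefs(text).get(PREF)
    if value is None:
        return "unset"
    return "blocked" if value == "false" else "enabled"


def audit_profile(profile_dir):
    """Check a profile directory. user.js is read after prefs.js so that its
    value takes precedence, as it does in the product."""
    combined = ""
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            combined += path.read_text(encoding="utf-8", errors="replace") + "\n"
    return shell_handler_status(combined)


# Constructed sample prefs.js contents (not from a real profile).
SAMPLE_PATCHED = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.protocol-handler.external.shell", false);
"""

SAMPLE_UNPATCHED = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for label, text in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        print("%-10s %s" % (label, shell_handler_status(text)))
    print("to block by hand, add to user.js:", BLOCK_LINE)
```

Point audit_profile() at a profile directory (for Firefox 0.9.x on Windows,
under the user's Application Data folder) to get one of the three verdicts;
"unset" on an unpatched build should be treated the same as "enabled".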
The Mozilla Security Team would like to thank Keith McCanless for the
original bug report and test case, and apologize for incorrectly omitting
mention of his report in the initial version of this document.

[***** End Mozilla Security Advisory of 7/8/04 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of the Mozilla Organization for
the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or service
by trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-165: Red Hat Updated libpng Packages Fix Security Issue
O-166: Sun StorEdge Enterprise Storage Manager (ESM) 2.1 Vulnerability
O-167: SGI - System Call SGI_IOPROBE Vulnerability
O-168: Squid - NTLM Authentication Buffer Overflow Vulnerability
O-169: Apache Buffer Overflow Vulnerability
O-170: HP-UX Netscape Vulnerabilities
O-171: Hewlett Packard OpenSSL Potential Vulnerabilities
O-172: Sun Solaris 9 Patches
O-173: Debian Webmin Vulnerabilities
O-174: Ethereal Multiple Problems in 0.10.4