Reported July 9, 2004, by Mozilla Security Group
VERSIONS AFFECTED
DESCRIPTION
Windows versions of Mozilla products use the shell: scheme to pass Uniform
Resource Identifiers (URIs) to the OS for handling. The effects of the
vulnerability depend on the version of Windows, but on Windows XP it's possible
to launch executables in known locations or the default handlers for file
extensions. An attacker could combine this effect with a known buffer overrun
in any of the affected Mozilla programs to create a remote execution exploit.
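A defender-side check for the vector described above: scan HTML (for example at a mail or web gateway) for URI attributes whose scheme is shell:. This is an added example, not code from Mozilla or from the bulletin. The attribute list, function names and sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed set of attributes that can carry a URI the browser will load.
URI_ATTRS = {"href", "src", "action", "data", "background"}
# Browsers ignore leading/trailing control characters and spaces in a URL...
EDGE_CHARS = "".join(map(chr, range(0x21)))
# ...and drop tab, LF and CR anywhere inside it before parsing the scheme.
STRIPPED = str.maketrans("", "", "\t\n\r")


def uri_scheme(value):
    """Return the lower-cased scheme of a URI attribute value, or None."""
    cleaned = value.strip(EDGE_CHARS).translate(STRIPPED)
    scheme, sep, _ = cleaned.partition(":")
    if not sep or not scheme or not scheme.isascii() or not scheme[0].isalpha():
        return None  # relative reference or malformed scheme
    if not all(c.isalnum() or c in "+-." for c in scheme):
        return None
    return scheme.lower()


class ShellUriFinder(HTMLParser):
    """Collect (line, tag, attribute, value) for every shell: URI found."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in values.
        for name, value in attrs:
            if name in URI_ATTRS and value and uri_scheme(value) == "shell":
                self.hits.append((self.getpos()[0], tag, name, value))


def find_shell_uris(html):
    finder = ShellUriFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample input; PLACEHOLDER stands in for the URI body.
SAMPLE = """<html><body>
<a href="https://example.org/">ordinary link</a>
<a href="shell:PLACEHOLDER">plain</a>
<img src=" ShElL:PLACEHOLDER">
<a href="&#115;hell:PLACEHOLDER">entity-encoded</a>
<a href="/docs/shell:notes.html">relative path, not a scheme</a>
</body></html>"""
```

The scheme is normalised before comparison, so mixed case, leading whitespace, embedded tabs and character references do not hide a shell: link from the check.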
VENDOR RESPONSE
The Mozilla Foundation has released the security bulletin "What Mozilla users
should know about the shell: protocol security issue," which addresses this
vulnerability, and recommends that affected users immediately apply the
appropriate patch listed in the bulletin or upgrade to the latest software
release.
CREDIT
Discovered by Keith McCanless.