More Notes on Mozilla Security Issue

Sunday, July 11th, 2004 at 9:23 AM | 1 comment Category: Meryl's Notes Blog

Porter Glendinning shed more light on the Mozilla vulnerability and gave me permission to share:

The “bug” (I’ll explain why I put that in quotes in a moment) was reported back in 2002 and was only fixed recently when an actual exploit was discovered.

The reason that this isn’t such a cut-and-dried case (in reference to my previous post) is because it’s not a bug in Moz that caused this security hole. Moz is set to handle certain protocols internally — http:, https:, ftp:, and so on. When it encounters a protocol it doesn’t handle it passes the request on to the OS. In this case, Windows executes the shell: protocol in the command shell — I know, I can’t believe it either.

If an exploit had been found in RealPlayer involving the victim clicking an rtsp: link in the browser that would cause the player to execute arbitrary commands we wouldn’t call that a bug in the browser; it’d be a bug in RealPlayer. The shell: exploit is no different (with the exception that the protocol itself has little valid reason to exist).

So the options that are open to the Moz developers for fixing the more general problem are either to block all unhandled protocols, which would break many third-party apps, or to formulate some sort of white-/blacklist for protocols that are known to be good/bad. There are problems with both in the general case, but in the case of shell: I can’t imagine that anyone will complain about its blacklisting.
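The dispatch policy Porter describes, as an added illustration in JavaScript (this is not Mozilla's code, whose real logic is more involved): the scheme is canonicalised before either list is consulted, because a denylist matched against the raw string is bypassed by upper case or leading whitespace. The internal set holds only the three schemes the note names; the denylist holds only shell:.

```javascript
// Added illustration of the dispatch policy, not Mozilla's implementation.
// Schemes the browser implements itself (the three named in the note above).
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp"]);
// Schemes that must never be handed to the OS, whatever handler it registers.
const BLOCKED_SCHEMES = new Set(["shell"]);

// Extract the scheme as RFC 3986 defines it, ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ),
// and lower-case it. Returns null when the string carries no syntactic scheme.
function extractScheme(url) {
  // Browsers skip leading whitespace and C0 controls in a URL, so the policy
  // must skip them too; otherwise "  shell:" would pass a naive prefix check.
  const s = String(url).replace(/^[\s\u0000-\u001f]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Decide what to do with a link:
//   "internal": handled by the browser's own protocol code
//   "blocked":  denylisted, never delegated (the shell: case)
//   "external": unhandled, delegated to the OS's registered handler (rtsp: etc.)
//   "invalid":  no scheme at all; a relative reference, never delegated
function classifyUrl(url) {
  const scheme = extractScheme(url);
  if (scheme === null) return "invalid";
  if (BLOCKED_SCHEMES.has(scheme)) return "blocked";
  if (INTERNAL_SCHEMES.has(scheme)) return "internal";
  return "external";
}

// Constructed sample links; "placeholder" stands in for whatever follows the colon.
const SAMPLE_LINKS = [
  "http://example.com/",
  "rtsp://example.com/stream",
  "shell:placeholder",
  "SHELL:placeholder",
  "  shell:placeholder",
  "/relative/path",
];

for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), "->", classifyUrl(link));
}
```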


1 comment

  • Posted by: Lockergnome's Windows Fanatics on August 3rd, 2004, 5:26 AM

    FireFox after 500 Miles

    As you know, there has been a lot of talk of people dumping Internet Explorer for FireFox, Opera, and Mozilla. I’ve been using Mozilla for a long time as an email client. However, no one browser dominated my time, that…
