What Mozilla users should know about the shell: protocol security issue

On July 7 a security vulnerability affecting browsers for the Windows operating system was reported to mozilla.org by Keith McCanless, and was subsequently posted to Full Disclosure, a public security mailing list. On the same day, the Mozilla security team confirmed the report of this security issue affecting the Mozilla Application Suite, Firefox, and Thunderbird and discussed and developed the fix at Bugzilla bug 250180. We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users.

On July 8th, the Mozilla team released a configuration change which resolves this problem by explicitly disabling the use of the shell: external protocol handler. The fix is available in two forms. The first is a small download which will make this configuration adjustment for the user. The second fix is to install the newest full release of each of these products. Instructions on administering these changes can be found below.

How to update

Mozilla, Firefox and Thunderbird users on Microsoft Windows operating systems should update in one of the following ways.

  • To install the security patch for Mozilla or Firefox, follow these instructions:
    1. Click Install Patch.
    2. In the Software Installation window, click the "Install Now" button.
    3. Exit and restart your Mozilla or Firefox browser.
  • To verify the fix in your Firefox or Mozilla application, be sure to restart the browser and then follow these steps:
    1. Type about:config into the address field and hit Enter.
    2. In the Filter toolbar, type shell.
    3. Look for the preference listing network.protocol-handler.external.shell.
    4. If you see the preference listed with the value of false then your application has been patched.
  • To install the security patch for Thunderbird, follow these instructions:
    1. Right-click the Patch and choose save link as.
    2. Save the file, shellblock.xpi, to your Desktop.
    3. In Thunderbird, go to the Tools menu and select the Extensions item.
    4. In the resulting Extensions window, click the "Install" button.
    5. Use Windows file picker to select the shellblock.xpi file from your Desktop and click OK to dismiss the file picker.
    6. Click OK on the Software Installation window.
    7. Exit and restart Thunderbird.
  • To download and install new Mozilla releases releases, follow the instructions below:
    1. Download Mozilla 1.7.1 to your Desktop and double-click the mozilla-win32-1.7.1-installer.exe icon.
    2. Follow the instructions in the Mozilla Install wizard.
    1. Download Firefox 0.9.2 and to your Desktop and double-click the FirefoxSetup-0.9.2.exe icon.
    2. Follow the instructions in the Firefox Install wizard.
    1. Download Thunderbird 0.7.2 to your Desktop and double-click the ThunderbirdSetup-0.7.2.exe icon.
    2. Follow the instructions in the Thunderbird Install wizard.

We value our users' safety and security and will continue to make all efforts to release secure products and respond quickly when security vulnerabilities are identified in our software. Future versions of Mozilla Firefox will include automatic update notifications, which will make it even easier for users to be alerted to security fixes. The Mozilla Security Team would like to thank Keith McCanless for the original bug report and test case, and apologize for incorrectly omitting mention of his report in the initial version of this document.