How to fix the Mozilla 'shell protocol' bug

What is this?

This corrects a weakness in Mozilla Web Browser introduced by Windows 2000 and Windows XP. This affects users of Windows 2000 or Windows XP with Mozilla version 1.7 or less. Windows 95/98/Me/NT, Macintosh and GNU/Linux users are unaffected. Mozilla version 1.7.1 is unaffected on all platforms.

How to install

Make sure software installation in Mozilla is enabled. Click Edit -> Preferences -> Advanced -> Software Installation. Make sure there is a tick in the "Enable software installation" box.

Next, download and install shellblock.

You will be prompted to install, click "Install". The download size is 1 Kb (very small). Next, you must restart Mozilla for the change to take effect.

Testing

To verify effectiveness, in the Location bar type about:config and press Enter. Next, in the "Filter" box type shell. The screen should then look like this:

Shell

The presence of network.protocol-handler.external.shell with the value false means your copy of Mozilla has been fixed.

Cleaning up

It may be a good idea to turn off software installation in Mozilla when you've finished using it. Click Edit -> Preferences -> Advanced -> Software Installation. Untick the "Enable software installation" box. Click OK.

Further information

EWeek article Mozilla Flaw Lets Links Run Arbitrary Programs
Mozilla Organisation's official announcement
Test cases to check if you are vulnerable
Discussion at slashdot.org

Phil Jones
philjones1 *at* blueyonder.co.uk
9 July 2004