IE vs. Mozilla on the Shell Hole—Whose Bug Is It?

Opinion: Mozilla exposed the scheme, opened the hole. Now it's a debate in security circles. But the only way this is a vulnerability in Windows is if it's a vulnerability for a shell to be able to run programs.

In the wake of last weeks revelation of a security hole in Mozilla that allows the execution of arbitrary programs on the client system a philosophical debate has emerged: Is this a bug in Mozilla or a bug in Windows?

I think the argument is that Windows should prevent the shell scheme from executing programs, but this isnt a job for Windows. This is a job for the browser. All Windows is doing in the case of what was just patched in Mozilla is taking an instruction to run a program and running it. If the browser didnt ask for it, it wouldnt happen.

Clearly the behavior of the browser is important here. Internet Explorer in Windows XP SP2 kills off the links completely, much as the patched Mozilla does (in fact, the patched Mozilla doesnt even underline them, making them appear as plain text).

But even IE in Windows XP SP1 behaves more reasonably. Its behavior is identical to that of a straight href of the program file. The user is asked if they want to save or open the file and are given a clear warning that the program could be hazardous.

How did Microsoft get Internet Explorer do this? It actually looks as if IE just stripped the shell: from the link and treated it like a regular href. This is an interesting thought, still the important point here is that Microsoft didnt just take a program name and tell Windows to execute it.

Ive seen some claim that the fact that SP2 is so merciless with shell: links is proof Microsoft knows there was a problem in Windows, that what was really fixed was the browser, not Windows. Remember, its the browsers behavior thats changed in SP2, disabling the links completely.

For example, I was able to make an SP2-like change in an SP1 system with a very small change to the registry. The change is quite analogous to the Mozilla fix from last week. In the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults I created a REG_DWORD value named shell and gave it the value 0. Thereafter, Internet Explorer on the system treated the shell: links as dead. No action at all was taken when anyone clicked on them. The user could right-click and select Open or Open in a New Window, but nothing will happen. On this same system, an unpatched copy of the Mozilla browser still loads the programs when the links are clicked.

/zimages/2/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.

So, what does this experiment prove?

If there is a Windows facility for shell links and its that which is at fault, then Internet Explorer doesnt use the same one as Mozilla. It looks as though theres less here of Windows than some think. The parsing and passing off to the Windows shell with Explorer is entirely a browser affair.

In discussions with representatives of the Mozilla Foundation, they conceded this indeed was a bug and didnt try to foist the blame on to Microsoft. And thats because they know whats usually perfectly obvious: that browsers are supposed to look suspiciously at content and try to protect the user. Theres little to be gained by a defense that its Windows fault, not when you wrote the application to tell Windows to run whatever content comes up.

The fact is that any operating system allows programs to run other programs. The real difference here between Windows and other operating systems is the permissions of the user in whose context the browser is running. If the user has administrative rights, as is the case with far too many Windows users, then the browser can do whatever it wants. If the user is restricted, then so will be the capabilities of programs they run.

/zimages/2/28571.gifFor insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

For corporate Windows installations, this browser situation is an implementation issue, because its definitely possible to have users log in to Windows with restricted permissions. (One day I really must look into whether this can be done practically with a Windows XP Home system, but more importantly it just isnt done.) None of this changes the fact that the browser basically told the operating system to run a program. This is a natural thing for a program to do, IE, Mozilla or otherwise, if its safe to do. And if its not safe the browser shouldnt do it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer

/zimages/2/28571.gifCheck out eWEEK.coms Security Center at for the latest security news, reviews and analysis.


Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page