CVE-2018-12368
First published: Tue Jun 26 2018(Updated: )
Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems Note: this issue only affects Windows operating systems. Other operating systems are unaffected.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Thunderbird | <60 | 60 |
| Thunderbird | <52.9 | 52.9 |
| All of | ||
| Any of | ||
| Firefox | <61.0 | |
| Firefox | >=53.0<60.1.0 | |
| Firefox ESR | <52.9 | |
| Thunderbird | <52.9 | |
| Microsoft Windows 10 | ||
| Firefox | <61.0 | |
| Firefox ESR | <52.9 | |
| Firefox ESR | >=53.0<60.1.0 | |
| Thunderbird | <52.9 | |
| Microsoft Windows 10 | ||
| Firefox | <61 | 61 |
| Firefox ESR | <60.1 | 60.1 |
| Firefox ESR | <52.9 | 52.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1468217
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-16/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/
- http://www.securityfocus.com/bid/104560
- http://www.securitytracker.com/id/1041193
- https://security.gentoo.org/glsa/201810-01
- https://www.mozilla.org/security/advisories/mfsa2018-15/
- https://www.mozilla.org/security/advisories/mfsa2018-16/
- https://www.mozilla.org/security/advisories/mfsa2018-17/
- https://www.mozilla.org/security/advisories/mfsa2018-18/
- https://www.mozilla.org/security/advisories/mfsa2018-19/
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2018-12368?
CVE-2018-12368 has been identified as a moderate severity vulnerability that may allow execution of unwanted files without user consent.
How do I fix CVE-2018-12368?
To fix CVE-2018-12368, ensure that you are using the latest versions of Mozilla Thunderbird or Firefox as updates have addressed this vulnerability.
Which software versions are affected by CVE-2018-12368?
CVE-2018-12368 affects Mozilla Firefox versions prior to 61.0 and Thunderbird versions prior to 60.
What are SettingContent-ms files related to CVE-2018-12368?
SettingContent-ms files are special file types in Windows that may execute potentially harmful actions if opened without user warnings.
How does CVE-2018-12368 impact Windows 10 users?
CVE-2018-12368 impacts Windows 10 users by allowing them to open executable files without receiving a warning, increasing the risk of executing malicious content.
- agent/type
- agent/first-publish-date
- agent/severity
- agent/description
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/mozilla-advisory
- agent/software-canonical-lookup-request
- source/Mozilla
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- vendor/mozilla
- canonical/thunderbird
- canonical/firefox
- version/firefox/53.0
- canonical/firefox esr
- vendor/microsoft
- canonical/microsoft windows 10
- version/firefox esr/53.0