CVE-2018-12368
First published: Tue Jun 26 2018(Updated: )
Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems Note: this issue only affects Windows operating systems. Other operating systems are unaffected.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Thunderbird | <60 | 60 |
| Mozilla Firefox ESR | <52.9 | 52.9 |
| Mozilla Thunderbird | <52.9 | 52.9 |
| Mozilla Firefox ESR | <60.1 | 60.1 |
| Mozilla Firefox | <61 | 61 |
| Mozilla Firefox | <61.0 | |
| Mozilla Firefox ESR | <52.9 | |
| Mozilla Firefox ESR | >=53.0<60.1.0 | |
| Mozilla Thunderbird | <52.9 | |
| Microsoft Windows 10 | ||
| All of | ||
| Any of | ||
| Mozilla Firefox | <61.0 | |
| Mozilla Firefox | >=53.0<60.1.0 | |
| Mozilla Firefox ESR | <52.9 | |
| Mozilla Thunderbird | <52.9 | |
| Microsoft Windows 10 | ||
| <60 | 60 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1468217
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-16/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/
- http://www.securityfocus.com/bid/104560
- http://www.securitytracker.com/id/1041193
- https://security.gentoo.org/glsa/201810-01
- https://www.mozilla.org/security/advisories/mfsa2018-15/
- https://www.mozilla.org/security/advisories/mfsa2018-16/
- https://www.mozilla.org/security/advisories/mfsa2018-17/
- https://www.mozilla.org/security/advisories/mfsa2018-18/
- https://www.mozilla.org/security/advisories/mfsa2018-19/
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- collector/mozilla-advisory
- agent/type
- agent/first-publish-date
- source/Mozilla
- agent/software-canonical-lookup
- agent/severity
- agent/description
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- agent/event
- agent/trending
- vendor/mozilla
- canonical/mozilla thunderbird
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- version/mozilla firefox esr/53.0
- vendor/microsoft
- canonical/microsoft windows 10
- version/mozilla firefox/53.0