CVE-2022-34478
First published: Tue Jun 28 2022(Updated: )
The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.This bug only affects Firefox on Windows. Other operating systems are unaffected.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <102.0 | |
| Firefox ESR | <91.11 | |
| Thunderbird | <91.11 | |
| Microsoft Windows | ||
| Firefox ESR | <91.11 | 91.11 |
| Thunderbird | <102 | 102 |
| Thunderbird | <91.11 | 91.11 |
| Firefox | <102 | 102 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1773717
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-25/
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-26/
- https://www.mozilla.org/security/advisories/mfsa2022-24/
- https://www.mozilla.org/security/advisories/mfsa2022-25/
- https://www.mozilla.org/security/advisories/mfsa2022-26/
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2022-34478?
CVE-2022-34478 has been classified as a moderate severity vulnerability due to its potential to allow content exploitation in certain contexts.
How do I fix CVE-2022-34478?
To mitigate CVE-2022-34478, users should update their Mozilla Firefox or Thunderbird software to versions 91.11 or 102, respectively.
What applications are affected by CVE-2022-34478?
CVE-2022-34478 affects Mozilla Firefox ESR, Thunderbird, and regular Mozilla Firefox versions prior to 102.0.
Are there any known exploits for CVE-2022-34478?
As of now, there are no confirmed exploits for CVE-2022-34478 through Firefox, although other applications may be vulnerable.
What protocols are involved in CVE-2022-34478?
CVE-2022-34478 involves the ms-msdt, search, and search-ms protocols which can bypass browser security.
- agent/type
- agent/first-publish-date
- agent/severity
- agent/references
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/tags
- agent/softwarecombine
- vendor/mozilla
- canonical/firefox
- canonical/firefox esr
- canonical/thunderbird
- vendor/microsoft
- canonical/microsoft windows