Vulnerability CVE-2018-12368: Information

Description

Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

Severity: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: Oct. 18, 2018
Modified: Oct. 3, 2019

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| firefox | sisyphus | 61.0-alt1 | 127.0-alt1 | ALT-PU-2018-1985-1 | 209471 | Fixed |
| firefox | p10 | 61.0-alt1 | 118.0.2-alt0.p10.1 | ALT-PU-2018-1985-1 | 209471 | Fixed |
| firefox | p9 | 61.0-alt1 | 105.0.1-alt0.c9.1 | ALT-PU-2018-1985-1 | 209471 | Fixed |
| firefox | p8 | 61.0.1-alt0.M80P.1 | 68.0.1-alt0.M80P.1 | ALT-PU-2018-2036-1 | 209591 | Fixed |
| firefox | c10f1 | 61.0-alt1 | 112.0.2-alt0.p10.1 | ALT-PU-2018-1985-1 | 209471 | Fixed |
| firefox | c9f2 | 61.0-alt1 | 105.0.1-alt0.c9.1 | ALT-PU-2018-1985-1 | 209471 | Fixed |
| firefox | c7 | 60.6.1-alt0.M70C.1 | 60.8.0-alt0.M70C.1 | ALT-PU-2019-1726-1 | 218597 | Fixed |
| firefox | p11 | 61.0-alt1 | 126.0.1-alt1 | ALT-PU-2018-1985-1 | 209471 | Fixed |
| firefox-esr | sisyphus | 60.1.0-alt1 | 115.11.0-alt1 | ALT-PU-2018-1952-1 | 209186 | Fixed |
| firefox-esr | p10 | 60.1.0-alt1 | 115.11.0-alt1 | ALT-PU-2018-1952-1 | 209186 | Fixed |
| firefox-esr | p9 | 60.1.0-alt1 | 102.11.0-alt0.c9.1 | ALT-PU-2018-1952-1 | 209186 | Fixed |
| firefox-esr | p8 | 60.1.0-alt0.M80P.1 | 68.4.1-alt0.M80P.1 | ALT-PU-2018-1966-1 | 207865 | Fixed |
| firefox-esr | c10f1 | 60.1.0-alt1 | 115.9.1-alt0.c10.1 | ALT-PU-2018-1952-1 | 209186 | Fixed |
| firefox-esr | c9f2 | 60.1.0-alt1 | 102.12.0-alt0.c9.1 | ALT-PU-2018-1952-1 | 209186 | Fixed |
| firefox-esr | p11 | 60.1.0-alt1 | 115.11.0-alt1 | ALT-PU-2018-1952-1 | 209186 | Fixed |
| thunderbird | sisyphus | 52.9.0-alt1 | 115.9.0-alt1 | ALT-PU-2018-1978-1 | 209483 | Fixed |
| thunderbird | p10 | 52.9.0-alt1 | 115.9.0-alt1 | ALT-PU-2018-1978-1 | 209483 | Fixed |
| thunderbird | p9 | 52.9.0-alt1 | 102.11.0-alt0.c9.1 | ALT-PU-2018-1978-1 | 209483 | Fixed |
| thunderbird | p8 | 52.9.0-alt0.M80P.1 | 60.8.0-alt0.M80P.1 | ALT-PU-2018-1988-1 | 209501 | Fixed |
| thunderbird | c10f1 | 52.9.0-alt1 | 115.9.0-alt0.c10.1 | ALT-PU-2018-1978-1 | 209483 | Fixed |
| thunderbird | c9f2 | 52.9.0-alt1 | 102.11.0-alt0.c9.1 | ALT-PU-2018-1978-1 | 209483 | Fixed |
| thunderbird | c7 | 60.8.0-alt0.M70C.1 | 60.8.0-alt0.M70C.1 | ALT-PU-2019-2345-1 | 234994 | Fixed |
| thunderbird | p11 | 52.9.0-alt1 | 115.9.0-alt1 | ALT-PU-2018-1978-1 | 209483 | Fixed |

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

      cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

      cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

      cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

      Running on/with:
      cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*