Bug 1595033 (CVE-2018-12368)

Summary: CVE-2018-12368 Mozilla: No warning when opening executable SettingContent-ms files
Product: [Other] Security Response
Reporter: Doran Moppert <dmoppert>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: cschalle, gecko-bugs-nobody, jhorak, security-response-team, stransky
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-26 02:13:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1590698

Description Doran Moppert 2018-06-26 01:52:48 UTC
Windows 10 does not warn users before opening executable files with the `SettingContent-ms` extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited `downloads.open` permission to execute arbitrary code without user interaction on Windows 10 systems.

*Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*

External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12368
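The defensive side of the report above is a download manager (or an endpoint sweep) treating `SettingContent-ms` as an executable type and consulting the Mark of the Web before opening it. The script below is an added example written for this page; it is not code from the bug report, from Mozilla or from Red Hat. It assumes that the Mark of the Web is stored in the NTFS alternate data stream `<file>:Zone.Identifier` as an INI-style `[ZoneTransfer]` block with a `ZoneId` key (3 = Internet, 4 = Restricted), and that the extension list beyond `.SettingContent-ms` is the usual set a download warning already covers; the sample stream contents and file names are constructed.

```python
"""Decide whether a downloaded file deserves the executable-file warning.

Added example for CVE-2018-12368, not Mozilla or Red Hat code. Assumes the
Mark of the Web lives in the ``<file>:Zone.Identifier`` alternate data stream
as an INI-style ``[ZoneTransfer]`` block; sample inputs are constructed.
"""
import os
from typing import Optional

# ZoneId values Windows writes into Zone.Identifier (URLZONE_* numbering).
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4

# ".settingcontent-ms" is the type from the advisory; the rest is an assumed
# baseline of extensions a download warning already covers.
EXECUTABLE_EXTENSIONS = {
    ".settingcontent-ms", ".exe", ".com", ".scr", ".msi", ".bat", ".cmd",
    ".js", ".vbs", ".ps1", ".hta",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse a Zone.Identifier stream; returns the keys of [ZoneTransfer]."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(text: str) -> Optional[int]:
    """ZoneId as an int, or None when the stream has no usable ZoneId."""
    try:
        return int(parse_zone_identifier(text).get("ZoneId", ""))
    except ValueError:
        return None


def is_executable_name(filename: str) -> bool:
    """Case-insensitive extension check (Windows shell ignores case)."""
    return os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS


def should_warn(filename: str, zone_text: Optional[str]) -> bool:
    """True when an executable-type file carries an Internet/Restricted mark."""
    if not is_executable_name(filename):
        return False
    zid = zone_id(zone_text) if zone_text is not None else None
    return zid in (ZONE_INTERNET, ZONE_RESTRICTED)


def read_mark_of_the_web(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS on NTFS; None if absent or unsupported."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def scan_downloads(directory: str) -> list:
    """Names in a folder that would have needed a warning before opening."""
    flagged = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and should_warn(name, read_mark_of_the_web(path)):
            flagged.append(name)
    return sorted(flagged)


# Constructed sample streams (CRLF, as Windows writes them).
SAMPLE_MOTW = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "ReferrerUrl=https://example.invalid/\r\n"
               "HostUrl=https://example.invalid/invoice.SettingContent-ms\r\n")
SAMPLE_LOCAL = "[ZoneTransfer]\r\nZoneId=0\r\n"

if __name__ == "__main__":
    cases = [("invoice.SettingContent-ms", SAMPLE_MOTW),
             ("notes.txt", SAMPLE_MOTW),
             ("setup.exe", SAMPLE_LOCAL),
             ("tool.SettingContent-ms", None)]
    for name, motw in cases:
        print(f"{name:28} warn={should_warn(name, motw)}")
```

`scan_downloads` only finds marks on NTFS volumes; on other filesystems the stream open fails and nothing is flagged, which is the correct reading of "no Mark of the Web" rather than an error.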

Comment 1 Doran Moppert 2018-06-26 01:52:52 UTC
Acknowledgments:

Name: the Mozilla project
Upstream: Abdulrahman Alqabandi