Bug 2102167 (CVE-2022-34478) - CVE-2022-34478 Mozilla: Microsoft protocols can be attacked if a user accepts a prompt
Summary: CVE-2022-34478 Mozilla: Microsoft protocols can be attacked if a user accepts...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-34478
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2098598
Reported: 2022-06-29 12:20 UTC by Mauro Matteo Cascella
Modified: 2022-07-28 12:13 UTC

Fixed In Version: firefox 91.11, thunderbird 91.11, thunderbird 102
Clone Of:
Environment:
Last Closed: 2022-06-29 12:35:07 UTC
Embargoed:



Description Mauro Matteo Cascella 2022-06-29 12:20:33 UTC
The `ms-msdt`, `search`, and `search-ms` protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.

*This bug only affects Firefox on Windows. Other operating systems are unaffected.*

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-25/#CVE-2022-34478

