Bug 2102167 (CVE-2022-34478) - CVE-2022-34478 Mozilla: Microsoft protocols can be attacked if a user accepts a prompt
Summary: CVE-2022-34478 Mozilla: Microsoft protocols can be attacked if a user accepts...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-34478
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2098598
TreeView+ depends on / blocked
 
Reported: 2022-06-29 12:20 UTC by Mauro Matteo Cascella
Modified: 2022-07-28 12:13 UTC (History)
5 users (show)

Fixed In Version: firefox 91.11, thunderbird 91.11, thunderbird 102
Doc Type: ---
Doc Text:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of the `ms-msdt`, `search`, and `search-ms` protocols delivering content to Microsoft applications and bypassing the browser when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release, Firefox has blocked these protocols from prompting the user to open them.
Clone Of:
Environment:
Last Closed: 2022-06-29 12:35:07 UTC
Embargoed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2022-06-29 12:20:33 UTC
The `ms-msdt`, `search`, and `search-ms` protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.

*This bug only affects Firefox on Windows. Other operating systems are unaffected.*

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-25/#CVE-2022-34478


Note You need to log in before you can comment on or make changes to this bug.