Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
mozilla thunderbird |
||
mozilla firefox |
||
mozilla firefox_esr |
Version 52.9 now does PGP and S/MIME right, adds another dozen bug-splats
Thunderbird has pushed code with fixes for a dozen security vulnerabilities – including the EFAIL encryption mess that emerged in May. The EFAIL-specific fixes address two errors in Thunderbird's handling of encrypted messages: CVE-2018-12372, in which an attacker can build S/MIME and PGP decryption oracles in HTML messages; and CVE-2018-12373, in which S/MIME plaintext can be leaked if a message is forwarded. EFAIL was announced with a much-criticised process. The discoverers emphasised the i...