CVE-2018-5174

MEDIUM

Description

In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won't prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior from SmartScreen. Note: this issue only affects Windows 10 users running the April 2018 update or later. It does not affect other Windows users or other operating systems. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.

References

http://www.securityfocus.com/bid/104136

http://www.securitytracker.com/id/1040896

https://bugzilla.mozilla.org/show_bug.cgi?id=1447080

https://www.mozilla.org/security/advisories/mfsa2018-11/

https://www.mozilla.org/security/advisories/mfsa2018-12/

https://www.mozilla.org/security/advisories/mfsa2018-13/

Details

Source: MITRE

Published: 2018-06-11

Updated: 2019-10-03

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

View all (13 total)

IDNameProductFamilySeverity
130450SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:2872-1)NessusSuSE Local Security Checks
critical
123171openSUSE Security Update : Mozilla Thunderbird (openSUSE-2019-364)NessusSuSE Local Security Checks
high
118254SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2018:1334-2)NessusSuSE Local Security Checks
high
700337Mozilla Firefox ESR < 52.8 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
high
109946Mozilla Thunderbird < 52.8 Multiple Vulnerabilities (EFAIL)NessusWindows
high
109939SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2018:1334-1)NessusSuSE Local Security Checks
high
109935openSUSE Security Update : Mozilla Thunderbird (openSUSE-2018-486)NessusSuSE Local Security Checks
high
109887SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2018:1319-1)NessusSuSE Local Security Checks
high
109869Mozilla Firefox < 60 Multiple Critical VulnerabilitiesNessusWindows
critical
109868Mozilla Firefox ESR < 52.8 Multiple Critical VulnerabilitiesNessusWindows
high
109867Mozilla Firefox < 60 Multiple Critical Vulnerabilities (macOS)NessusMacOS X Local Security Checks
critical
109866Mozilla Firefox ESR < 52.8 Multiple Critical Vulnerabilities (macOS)NessusMacOS X Local Security Checks
high
109661FreeBSD : mozilla -- multiple vulnerabilities (5aefc41e-d304-4ec8-8c82-824f84f08244)NessusFreeBSD Local Security Checks
critical