Closed Bug 1843758 (CVE-2023-4581) Opened 2 years ago Closed 2 years ago

.xll file extension = A malicious attack using abusing the XLL File starts with the delivery of a malicious file with the extension "XLL"

Categories

(Firefox :: File Handling, defect)

Product:
Firefox
Component:
File Handling
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
117 Branch
Tracking Flags:
Tracking Status
firefox-esr102 117+ verified
firefox-esr115 117+ verified
firefox115 --- wontfix
firefox116 --- wontfix
firefox117 + verified

People

(Reporter: Puf, Assigned: mak)

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+])

Attachments

(5 files, 2 obsolete files)

.xll Firefox Browser.mp4
104.85 KB, video/mp4
Details
Bug 1843758. r=gijs
48 bytes, text/x-phabricator-request
Details | Review
Bug 1843758.
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr115+
Details | Review
Bug 1843758.
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr102+
Details | Review
advisory.txt
255 bytes, text/plain
Details

Firefox Version: [116.0b5] + [117.0a1]
Operating System: [Windows 10] (64-bit)

.xll = An XLL file is an add-in used by Microsoft Excel

It is the Excel Add-In file, that provides a way to use third-party tools and functions within Microsoft Excel. The third-party code can be C/C++ .NET code inside the Excel environment. In fact, despite the Excel icon, the XLL file is a Dynamic Linked Library, a binary executable file.

Cisco Talos investigates another vector for introduction of malicious code to Microsoft Excel—malicious add-ins, specifically XLL files.

.xll Blocked In Outlook Attachment

This File is Already Blocklisted in Chrome & Edge Browsers

The researchers are saying this technique is Xll particularly dangerous because the victims only need one click to compromise their endpoints.

Ref : https://www.bleepingcomputer.com/news/microsoft/microsoft-365-to-block-downloaded-excel-xll-add-ins-to-boost-security/

This File is Already Blocklisted in Chrome & Edge Browsers

it's better to Add Popop Warning [ Executable files may contain viruses or other malicious code that could harm your computer]
To .xll file To Keep Safe System from malicious file/code

Flags: sec-bounty?

Step To Reproduce:

  1. Create .xll File.
  2. Download Using Firefox Browser
  3. Open File [No Warning] In Firefox Browser

file_types {

DLL files built for excel.

extension: "xll"
platform_settings {
platform: PLATFORM_TYPE_WINDOWS
danger_level: ALLOW_ON_USER_GESTURE
auto_open_hint: DISALLOW_AUTO_OPEN
}
}

Component: Security → File Handling
Flags: needinfo?(gijskruitbosch+bugs)

"xll" is in our safebrowsing download reputation checks, but of course that won't catch any kind of targeted or even low-volume malicious file.

Confirmed that this is not in our executable list, if we decide that we need to police this. Supposedly MS is going to add a warning prompt for these to protect people, but 1) people won't update their Excell very quickly, and 2) A similar warning for Word macros didn't full help solve that problem. Maybe we do need to worry about these, also.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → mak
Status: NEW → ASSIGNED

Clearing my needinfo given Marco has graciously agreed to pick this up (thank you!)

Flags: needinfo?(gijskruitbosch+bugs)
Attached file Bug 1843758. r=gijs

https://hg.mozilla.org/mozilla-central/rev/22830af36f25

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox117: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch
Attached file Bug 1843758. (obsolete) —
Attachment #9345794 - Attachment description: WIP: Bug 1843758. → Bug 1843758.

Uplift Approval Request

  • Needs manual QE test: yes
  • Fix verified in Nightly: no
  • Explanation of risk level: adding to a blocklist
  • Risk associated with taking this patch: low
  • String changes made/needed: none
  • Steps to reproduce for manual QE testing: Try downloading a xll file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening Excel
  • Code covered by automated testing: yes
  • User impact if declined: sec-moderate
  • Is Android affected?: no
Flags: qe-verify+
Attachment #9345794 - Flags: approval-mozilla-beta?
Attached file Bug 1843758.

Uplift Approval Request

  • User impact if declined: sec-moderate
  • Is Android affected?: no
  • Explanation of risk level: just adding to a blocklist
  • Fix verified in Nightly: no
  • Code covered by automated testing: yes
  • String changes made/needed: none
  • Risk associated with taking this patch: low
  • Steps to reproduce for manual QE testing: Try downloading a xll file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening Excel
  • Needs manual QE test: yes
Attachment #9345794 - Attachment is obsolete: true
Attachment #9345794 - Flags: approval-mozilla-beta?
Attached file Bug 1843758.

Uplift Approval Request

  • Fix verified in Nightly: no
  • Explanation of risk level: adding to a blocklist
  • String changes made/needed: none
  • Risk associated with taking this patch: low
  • Code covered by automated testing: yes
  • Steps to reproduce for manual QE testing: Try downloading a xll file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening Excel
  • Needs manual QE test: yes
  • User impact if declined: sec-moderate
  • Is Android affected?: no
Attached file Bug 1843758. (obsolete) —

Uplift Approval Request

  • User impact if declined: sec-moderate - Can ride along an RC or dot
  • Is Android affected?: no
  • String changes made/needed: none
  • Risk associated with taking this patch: low
  • Code covered by automated testing: yes
  • Steps to reproduce for manual QE testing: Try downloading a xll file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening Excel
  • Fix verified in Nightly: no
  • Explanation of risk level: adding to a blocklist
  • Needs manual QE test: yes

Since this bug didn't have a rating it should have requested sec-approval before landing. Please see the guidelines at the "Approval Process" link in the yellow "security bug banner" above.

Keywords: csectype-other, sec-moderate, sec-vector
Flags: sec-bounty? → sec-bounty+

(In reply to Daniel Veditz [:dveditz] from comment #18)

Since this bug didn't have a rating it should have requested sec-approval before landing.

I'm sorry about that, it was my fault. I had the other similar recent bug in mind and didn't pay attention to the lack of rating here.

Comment on attachment 9345805 [details]
Bug 1843758.

Approved for 115.2esr.

Attachment #9345805 - Flags: approval-mozilla-esr115+

Comment on attachment 9345966 [details]
Bug 1843758.

Approved for 102.15esr.

Attachment #9345966 - Flags: approval-mozilla-esr102+
QA Whiteboard: [post-critsmash-triage]
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][qa-triaged]

Reproduced the initial issue using an old Nightly build from 2023-07-16, verified that using latest Firefox Beta 117.0b3, latest Firefox 115esr and 102esr from treeherder on Windows 10 and Windows 11 that this is now fixed, we now display the notification after downloading and accessing a .xll file.

Is this fix only for Windows?
I am convinced that this is a Windows only fix but I had to check if this is also for Mac or Linux, I saw that Excel is also available for mac (no notification message for mac on the builds fixed here) but not sure if the format .xll is something for mac and if a malicious .xll on mac can do the same thing as on Windows so I had to ask.

status-firefox117: fixedverified
status-firefox-esr102: fixedverified
status-firefox-esr115: fixedverified
Flags: needinfo?(mak)

It is technically possible to develop an .xll file for Excel on Linux (And I suspect Unix in general), but it requires specially crafted code for excel to load it. It's also a lot less likely for users on that platform to have Excel installed. So the impact would be not significant.
Also executable files definition on Unix systems is different, as it doesn't just depend on the file extension.
So I don't think it's worth spending time on those verifications on Unix.

Flags: needinfo?(mak)

(In reply to Marco Bonardo [:mak] from comment #25)

It is technically possible to develop an .xll file for Excel on Linux (And I suspect Unix in general), but it requires specially crafted code for excel to load it. It's also a lot less likely for users on that platform to have Excel installed. So the impact would be not significant.
Also executable files definition on Unix systems is different, as it doesn't just depend on the file extension.
So I don't think it's worth spending time on those verifications on Unix.

Thanks Marco for the info, based on the above I am going to close this as VERIFIED FIXED.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Attachment #9345969 - Attachment is obsolete: true
Attachment #9345969 - Flags: approval-mozilla-release-
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+]
Group: core-security-release
Alias: CVE-2023-4581
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: