Closed Bug 1847180 (CVE-2023-5727) Opened 1 year ago Closed 11 months ago

Handle .msix .msixbundle .appx .appxbundle as potentially dangerous

Categories

(Firefox :: File Handling, defect, P2)

Tracking

VERIFIED FIXED
119 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 119+ verified
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 + verified

People

(Reporter: mak, Assigned: mak)

Details

(Keywords: sec-moderate, sec-vector, Whiteboard: [adv-main119+][adv-ESR115.4+])

Attachments

(3 files, 1 obsolete file)

Chromium has just added these to the list of files for Safe Browsing checks:
https://chromium-review.googlesource.com/c/chromium/src/+/4726241
https://chromium-review.googlesource.com/c/chromium/src/+/4734838

msix is better described here:
https://learn.microsoft.com/en-us/windows/msix/overview#inside-an-msix-package

A couple articles about how these have been abused in the past:
https://www.securityweek.com/microsoft-disables-msix-protocol-due-abuse-malware/
https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
It seems the most common approach is making the user believe they are installing a trustable software, and abusing sideloading.

We should at least enable ApplicationReputation for these.
It's unclear whether it's necessary to show the executable warning, since these are expected to be installers and the apps should ideally run in a protected environment.

> It seems the most common approach is making the user believe they are installing a trustable software, and abusing sideloading.

Those are two different things. We don't need to worry about the sideloading because that's not going through the browser -- some executable is already running on the user's machine and doing that. But we do need to treat downloads like we treat users downloading .exe installers: check their application reputation, and warn that they're executables.

> It's unclear whether it's necessary to show the executable warning, since these are expected to be installers and the apps should ideally run in a protected environment.

It's true the executable warning might not help much because in most cases the users expect them to be installers, it's just that they've been conned into thinking it's something they need and is safe. But this is also true for .exe files. We should treat them pretty much the same.

The severity field is not set for this bug.
:Gijs, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(gijskruitbosch+bugs)

Chromium also added .appxbundle and .msixbundle

Summary: Handle .msix .appx as potentially dangerous → Handle .msix .msixbundle .appx .appxbundle as potentially dangerous
Assignee: nobody → mak
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P2
Flags: needinfo?(gijskruitbosch+bugs)
Backout by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9c83867334bd
Backed out changeset de3502ab8cb5 for causing gtest failures at AllExtensionsInTestList. CLOSED TREE

Backed out for causing gtest failures at AllExtensionsInTestList:
https://hg.mozilla.org/integration/autoland/rev/9c83867334bddff4c457217aac58016de038edd1

Push with failures
Failure log

TEST-UNEXPECTED-FAIL | TestExecutableLists.AllExtensionsInTestList | Value of: _IsInList(ext, kTestFileExtensions, mozilla::ArrayLength(kTestFileExtensions))

Flags: needinfo?(mak)

Oh I forgot to add to the test file.

Flags: needinfo?(mak)
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch

The patch landed in nightly and beta is affected.
:mak, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox118 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(mak)
Attachment #9353852 - Flags: approval-mozilla-esr115?
Attachment #9353853 - Flags: approval-mozilla-esr115?

Uplift Approval Request

  • Fix verified in Nightly: no
  • Explanation of risk level: Adding file extension to a list
  • Needs manual QE test: yes
  • User impact if declined: sec-moderate
  • Steps to reproduce for manual QE testing: Try downloading a file with one of these extensions. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening a Windows wizard to install something
  • Is Android affected?: yes
  • Risk associated with taking this patch: Low
  • Code covered by automated testing: yes
  • String changes made/needed: no
Flags: qe-verify+
Attachment #9353852 - Attachment is obsolete: true
Flags: needinfo?(mak)
Attachment #9353852 - Flags: approval-mozilla-esr115?

Since we're in RC I'm not asking for beta uplift, I don't think it's super critical to have it in 118, but please let me know if you disagree.

QA Whiteboard: [qa-triaged]

I was able to reproduce the initial behavior on Firefox 118.0a1 (2023-08-04) on Windows 11.

The prompt is now present when trying to open any of .msix .msixbundle .appx .appxbundle files after they are downloaded on Firefox 119.0a1 (2023-09-21) on the same system.

Flags: qe-verify+

Comment on attachment 9353853 [details]
Bug 1847180. r=dimi

Approved for 115.4esr

Attachment #9353853 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Verified that the prompt is present when trying to open any of .msix .msixbundle .appx .appxbundle as well on Firefox esr115.4.0 on Windows 11.

Status: RESOLVED → VERIFIED
Whiteboard: [adv-main119+]
Whiteboard: [adv-main119+] → [adv-main119+][adv-ESR115.4+]
Attached file advisory.txt
Alias: CVE-2023-5727

The executable file warning was not presented when downloading .msix, .msixbundle, .appx, and .appxbundle files, which can run commands on a user's computer.
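
A minimal sketch of the check this bug is about, added here as an example and not taken from Firefox's source: an extension lookup that flags the four package types named in the summary, plus a coverage check in the spirit of the `AllExtensionsInTestList` gtest that caused the backout. The list contents, the function names and `kStaleTestList` are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Constructed list for illustration; not Firefox's actual table.
static const std::vector<std::string> kExecutableExtensions = {
    ".appx", ".appxbundle", ".exe", ".msix", ".msixbundle"};

// Constructed test list that lags behind, like the backed-out push.
static const std::vector<std::string> kStaleTestList = {".exe"};

static bool InList(const std::string& ext,
                   const std::vector<std::string>& list) {
  return std::find(list.begin(), list.end(), ext) != list.end();
}

// True when the download's final extension is on the executable list.
bool IsFlaggedExecutable(std::string name) {
  // Win32 drops trailing dots and spaces when it opens a path, so
  // "setup.msix. " resolves to "setup.msix"; strip them before matching.
  while (!name.empty() && (name.back() == '.' || name.back() == ' '))
    name.pop_back();
  const std::string::size_type dot = name.rfind('.');
  if (dot == std::string::npos) return false;
  std::string ext = name.substr(dot);
  std::transform(ext.begin(), ext.end(), ext.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return InList(ext, kExecutableExtensions);
}

// Same idea as the AllExtensionsInTestList gtest named in the failure log:
// report every production entry that the test list does not cover.
std::vector<std::string> MissingFromTestList(
    const std::vector<std::string>& testList) {
  std::vector<std::string> missing;
  for (const std::string& ext : kExecutableExtensions)
    if (!InList(ext, testList)) missing.push_back(ext);
  return missing;
}

int main() {
  for (const char* n : {"App.MSIX", "bundle.appxbundle. ", "notes.txt"})
    std::printf("%-20s flagged=%d\n", n, IsFlaggedExecutable(n));
  std::printf("missing from stale test list: %zu\n",
              MissingFromTestList(kStaleTestList).size());
}
```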

Has Microsoft commented about this via some internal channel with them? I'm still interested to hear more about it, because it sounds like a Windows sec issue because the whole point of msix is sandboxing.

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release