Summary:
The <code>ms-msdt</code>, <code>search</code>, and <code>search-ms</code> protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Thunderbird), so in this release Thunderbird has blocked these protocols from prompting the user to open them. This bug only affects Thunderbird on Windows. Other operating systems are unaffected. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
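Severity: Low
Advisory ID: KylinSec-SA-2025-2309
Release date: April 20, 2025
Related CVE: CVE-2022-34478
When a user accepts a prompt, the <code>ms-msdt</code>, <code>search</code>, and <code>search-ms</code> protocols bypass the browser and deliver content directly to Microsoft applications. These applications have known vulnerabilities that have been exploited in the wild (although no exploitation through Thunderbird has been found), so in this update Thunderbird has blocked these protocols from prompting the user to open them.
This vulnerability only affects Thunderbird on Windows; other operating systems are unaffected.
Affected versions include:
Firefox < 102
Firefox ESR < 91.11
Thunderbird < 102
Thunderbird < 91.11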
CVE | Product | Component | Affected |
---|---|---|---|
CVE-2022-34478 | KY3.4-5A | thunderbird | Unaffected |
CVE-2022-34478 | V6 | thunderbird | Unaffected |
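
A defender-side check for mail that carries links using the three schemes named in the summary, as an added example that is not part of the original advisory or of Thunderbird's code: it parses a message's HTML parts and reports link attributes whose scheme is <code>ms-msdt</code>, <code>search</code> or <code>search-ms</code>, including mixed-case and entity-encoded spellings. The attribute list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Schemes the advisory says are blocked from prompting.
BLOCKED_SCHEMES = {"ms-msdt", "search", "search-ms"}
URL_ATTRS = {"href", "src", "action"}  # assumption: attributes worth checking
_SCHEME = re.compile(r"([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

def scheme_of(url):
    """Return the lower-cased URI scheme, or "" for relative/invalid URLs."""
    # URL parsers ignore surrounding whitespace and embedded tab/CR/LF.
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    m = _SCHEME.match(cleaned)
    return m.group(1).lower() if m else ""

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and decodes entities in values.
        for name, value in attrs:
            if name in URL_ATTRS and value and scheme_of(value) in BLOCKED_SCHEMES:
                self.hits.append((tag, name, scheme_of(value)))

def scan_message(raw):
    """Return (tag, attribute, scheme) for each flagged link in HTML parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    collector = _LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    collector.close()
    return collector.hits

# Constructed sample message; addresses and link targets are placeholders.
SAMPLE = (
    b"From: a@example.test\r\nTo: b@example.test\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<a href="https://example.test/">ok</a>'
    b'<a href=" Search-MS:query=placeholder">x</a>'
    b'<a href="ms&#45;msdt:placeholder">y</a>'
    b'<a href="mailto:b@example.test">z</a>'
)

if __name__ == "__main__":
    for hit in scan_message(SAMPLE):
        print(hit)
```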