CVE-2022-34478
published 2022-12-22


Priority: P2, 77, medium
CVSS 3.1: 6.5 (AV:N / AC:L / PR:N / UI:R / S:U / C:N / I:H / A:N)
ITW: VulnCheck KEV (Exploited in the wild)
EPSS: 0.78% (51.4th percentile)

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Thunderbird), so in this release Thunderbird has blocked these protocols from prompting the user to open them. *This bug only affects Thunderbird on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Affected

11 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | | |
| debian | firefox-esr | | |
| debian | thunderbird | | |
| mozilla | firefox | < 102.0 | 102.0 |
| mozilla | firefox | | |
| mozilla | firefox | >= unspecified < 102 | 102 |
| mozilla | firefox_esr | < 91.11 | 91.11 |
| mozilla | firefox_esr | >= unspecified < 91.11 | 91.11 |
| mozilla | thunderbird | < 91.11 | 91.11 |
| mozilla | thunderbird | >= unspecified < 102 | 102 |
| mozilla | thunderbird | >= unspecified < 91.11 | 91.11 |

Detection & IOCs (extracted from sources)

  • Block or alert on use of the ms-msdt: URI protocol handler being invoked from browser/email client processes (Firefox, Thunderbird) on Windows.
  • Block or alert on use of the search: and search-ms: URI protocol handlers being invoked from browser/email client processes on Windows.
  • Scope detection to Windows hosts only; Linux and macOS are not affected by this CVE.
  • Vulnerable versions: Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11. Ensure detections target these unpatched versions.
  • No in-the-wild exploitation specifically through Thunderbird or Firefox was confirmed at time of disclosure, though the underlying ms-msdt protocol had known exploited vulnerabilities.
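
One way to apply the detection points above to process-creation telemetry, as an added example that is not part of the original page. The event field names (`os`, `parent_image`, `parent_version`, `command_line`) are hypothetical, the sample events are constructed, and the sketch assumes the URI appears on the spawned process's command line with the mail client or browser as its parent.

```python
import re

# Schemes named in the advisory; the lookbehind avoids matching e.g. "research:".
SCHEMES = re.compile(r"(?<![\w-])(ms-msdt|search-ms|search):", re.IGNORECASE)
CLIENTS = {"firefox.exe", "thunderbird.exe"}


def is_unpatched(version: str) -> bool:
    """True below the fixed releases on the page: 102, or 91.11 on the 91 branch."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:2]]
    if not parts:
        return True  # unknown version: treat as unpatched
    major = parts[0]
    minor = parts[1] if len(parts) > 1 else 0
    if major >= 102:
        return False
    return not (major == 91 and minor >= 11)


def triage(events):
    """Return (severity, scheme, event) for Windows events where Firefox or
    Thunderbird spawned a process whose command line carries a listed scheme."""
    hits = []
    for ev in events:
        if ev.get("os", "").lower() != "windows":
            continue  # page: Linux and macOS are not affected
        image = ev.get("parent_image", "").replace("/", "\\")
        parent = image.rsplit("\\", 1)[-1].lower()
        match = SCHEMES.search(ev.get("command_line", ""))
        if parent in CLIENTS and match:
            sev = "high" if is_unpatched(ev.get("parent_version", "")) else "review"
            hits.append((sev, match.group(1).lower(), ev))
    return hits


# Constructed sample events (hypothetical schema, placeholder URI bodies).
SAMPLE_EVENTS = [
    {"os": "windows", "parent_version": "91.10.0", "command_line": "msdt.exe ms-msdt:PLACEHOLDER",
     "parent_image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"},
    {"os": "windows", "parent_version": "102.0", "command_line": "explorer.exe search-ms:PLACEHOLDER",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"os": "linux", "parent_version": "91.10.0", "command_line": "xdg-open ms-msdt:PLACEHOLDER",
     "parent_image": "/usr/lib/thunderbird/thunderbird"},
    {"os": "windows", "parent_version": "101.0.1", "command_line": "notepad.exe research:notes.txt",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

if __name__ == "__main__":
    for sev, scheme, ev in triage(SAMPLE_EVENTS):
        print(sev, scheme, ev["parent_image"], ev["parent_version"])
```

Hits from a patched client are kept at `review` severity because the fixed releases block the prompt, so a handler launch from one warrants a look rather than being dropped.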

CVSS provenance

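| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| vulncheck | | 6.5 | MEDIUM | |
| vendor_redhat | | 7.8 | HIGH | |
| vendor_debian | | 6.5 | LOW | |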