A recent vulnerability (CVE-2022-26386) has been discovered that affects Firefox and Thunderbird users on macOS and Linux systems. This vulnerability allows other local users on the same system to access temporary files downloaded by these browsers. We will discuss the specifics of this vulnerability and provide the proper mitigations for affected users. Please note that other operating systems, such as Windows, are not affected by this security issue.

Vulnerability Details

Prior to the vulnerability being discovered, Firefox and Thunderbird on macOS and Linux downloaded temporary files to a user-specific directory within the '/tmp' location. However, due to a behavioral change, the downloaded files were saved directly to '/tmp', enabling other local users on the system to access these files. This presented a significant security risk, so the developers have now reverted to the original, user-specific directory in '/tmp'.

Here is a code snippet that demonstrates the previous problematic functionality:

import os

def download_file_to_tmp(url):
    # Problematic: the file is written directly into the shared '/tmp'
    # directory, so any other local user can read it while it exists
    tmp_file = os.path.join('/tmp', os.path.basename(url))
    # Download the file from the URL (omitted for simplicity); an empty
    # placeholder file stands in for the downloaded content here
    open(tmp_file, 'wb').close()
    return tmp_file

def main():
    url = "https://example.com/sensitive_file.txt"
    tmp_file = download_file_to_tmp(url)
    # Do something with the downloaded file
    # ...
    os.remove(tmp_file)

if __name__ == "__main__":
    main()

Affected Versions

The affected versions of the software include Firefox ESR versions earlier than 91.7 and Thunderbird versions earlier than 91.7.

Mitigations

To mitigate this issue, affected users should update their Firefox and Thunderbird installations to the latest versions available. The latest versions include a fix that reverts the behavior to downloading temporary files to the user-specific subdirectory within '/tmp', as intended.

Here is an updated code snippet that shows the corrected functionality:

import os
import shutil
import tempfile

def download_file_to_tmp(url):
    # Corrected: mkdtemp() creates a fresh directory under the temp location
    # (normally '/tmp') with mode 0700, so only the current user can enter it
    tmp_dir = tempfile.mkdtemp()
    tmp_file = os.path.join(tmp_dir, os.path.basename(url))
    # Download the file from the URL (omitted for simplicity); an empty
    # placeholder file stands in for the downloaded content here
    open(tmp_file, 'wb').close()
    return tmp_file

def main():
    url = "https://example.com/sensitive_file.txt"
    tmp_file = download_file_to_tmp(url)
    # Do something with the downloaded file
    # ...
    os.remove(tmp_file)
    # Remove the private directory as well, not just the file inside it
    shutil.rmtree(os.path.dirname(tmp_file))

if __name__ == "__main__":
    main()
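The snippets above show the two download locations but not how to tell them apart on a running system. The following is an added example (not code from the page or from Mozilla) that does two things a practitioner would want: it creates or validates a per-user download directory under the temp location, refusing a symlink, a directory owned by someone else, or one with group/other permission bits instead of trusting whatever already sits at that path; and it checks whether a given file is reachable by other local users by walking the mode bits of the file and every directory between it and the shared base. The directory name "download-<uid>", the helper names and the sample file contents are assumptions made for this example.

```python
import os
import shutil
import stat
import tempfile

# Mode for a per-user download directory: owner only, no group/other bits.
PRIVATE_MODE = 0o700


def ensure_private_dir(base=None, name=None):
    """Create or validate a per-user download directory below `base`.

    The name "download-<uid>" is an assumption for this example, not the name
    Firefox or Thunderbird use. A pre-existing entry is validated rather than
    trusted: a symlink, a directory owned by another user, or one carrying
    group/other permission bits is rejected instead of being reused.
    """
    base = base or tempfile.gettempdir()
    name = name or "download-%d" % os.getuid()
    path = os.path.join(base, name)
    try:
        os.mkdir(path, PRIVATE_MODE)  # umask can only clear bits, never add them
    except FileExistsError:
        pass  # something is already there: fall through to validation
    st = os.lstat(path)  # lstat so a planted symlink is seen as a symlink
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a plain directory" % path)
    if st.st_uid != os.getuid():
        raise RuntimeError("%s is owned by uid %d, not the current user" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise RuntimeError("%s is accessible to group/other" % path)
    return path


def readable_by_others(path, stop_at="/"):
    """Return True if mode bits let group members or other users read `path`.

    Reaching a file needs read permission on the file and execute (traverse)
    permission on every directory between it and `stop_at`. `stop_at` itself
    and everything above it are assumed traversable, which matches /tmp (mode
    1777). Simplifications: ACLs and group membership are ignored, and any
    group/other bit counts as exposure.
    """
    path = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    if not os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        return False
    parent = os.path.dirname(path)
    while parent != stop_at and parent != os.path.dirname(parent):
        if not os.stat(parent).st_mode & (stat.S_IXGRP | stat.S_IXOTH):
            return False
        parent = os.path.dirname(parent)
    return True


def _write_sample(path):
    # Constructed sample content standing in for a downloaded file.
    with open(path, "w") as f:
        f.write("constructed sample content\n")
    os.chmod(path, 0o644)  # the typical result of the default umask


def demo(base=None):
    """Compare a file dropped into the shared base with one in a private subdir.

    Returns (shared_exposed, private_exposed); expected (True, False).
    """
    base = base or tempfile.mkdtemp()
    os.chmod(base, 0o755)  # make the sandbox behave like shared /tmp: anyone can traverse it
    shared = os.path.join(base, "sensitive_file.txt")
    _write_sample(shared)
    private = os.path.join(ensure_private_dir(base), "sensitive_file.txt")
    _write_sample(private)  # same file mode, but the 0700 directory blocks the path
    result = (readable_by_others(shared, stop_at=base),
              readable_by_others(private, stop_at=base))
    shutil.rmtree(base)
    return result


def rejects_symlinked_dir(base=None):
    """Show that a symlink sitting at the expected directory name is refused."""
    base = base or tempfile.mkdtemp()
    os.symlink(tempfile.gettempdir(), os.path.join(base, "download-%d" % os.getuid()))
    try:
        ensure_private_dir(base)
        return False
    except RuntimeError:
        return True
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("shared file exposed, private-dir file exposed:", demo())
    print("symlink at the expected name rejected:", rejects_symlinked_dir())
```

The validation step is the part worth copying: a fixed, predictable directory name under a world-writable location can be pre-created by another local user, so the code checks type, owner and mode of whatever it finds there and refuses to use it rather than trying to chmod it into shape. `readable_by_others` deliberately stops at the shared base so the verdict does not depend on how the temp location above it happens to be configured.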

Conclusion

It is crucial for users to keep their software up to date to ensure the highest level of security protection. Updating to the latest version of Firefox and Thunderbird will protect macOS and Linux users from this specific vulnerability. Although Windows users are not affected, it is still important to keep browsers current for overall system security.


Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/23/2023 13:53:00 UTC