If you use Firefox or Thunderbird, there’s a hidden danger you might not know about — one that was only fixed in early 2022. This post will break down what CVE-2022-22739 is, show you how it worked, and explain what you can do to protect yourself.
What is CVE-2022-22739?
CVE-2022-22739 is a security vulnerability found in older versions of Firefox, Firefox ESR (Extended Support Release), and Thunderbird email client. It allowed shady websites to fool you into launching a program on your computer using something called “external URL protocols.” That sounds technical, but here’s a real-world example to make things clearer:
*Imagine you click a link, and instead of just opening a website, your computer starts opening another program (like Spotify, or worse, something harmful) outside your web browser. If the program is dangerous, just clicking the link puts your computer at risk!*
Thunderbird < 91.5
Note: "ESR" stands for Extended Support Release, often used by companies and organizations for more stability.
How Could Websites Abuse This?
Browsers like Firefox handle special types of links, called “protocol handlers”—for example, links that start with mailto:, tel:, or ssh:, not just the common http: or https:. Firefox should warn you and ask before letting any website launch a program using those protocols.
With this flaw, an attacker could craft a web page that would pop up a prompt “Do you want to open this program?”—but in a sneaky way, making it look like a safe action. If you mistakenly trusted the site and clicked yes, you’d unknowingly launch a program of their choosing! This could even start malware, ransomware, or other harmful apps if your computer is vulnerable.
Here’s a rough idea of how an attacker crafted a malicious webpage
<!-- This is what a malicious website could do -->
<a href="mybadprotocol:some-malicious-payload">Click here for free stuff!</a>
Or a more real-world (but still dangerous) example
// Crafting a dangerous URL protocol invocation in JavaScript
document.location = "telnet://evil.server.com/something";
If Firefox was not patched, you might see a prompt, but social engineering could convince you to say “yes.”
Exploit Details
While a full “exploit” isn’t always a point-and-click tool, here’s how an attacker could use this hole:
1. Create a fake offer or urgent message: On their malicious website, display a message like “Click here to update your security settings!”
2. Embed the protocol link: The link triggers a protocol like ms-settings:, vnc:, or even custom-handled protocols.
3. Prompt the user: Firefox prompts to open the app, but the website uses trickery to convince you to click yes.
4. Dangerous action occurs: If you approve, your system could open a vulnerable program, start downloading malware, or connect to a dangerous server.
Here’s a simple proof-of-concept for launching the calculator app on Windows (if you have a calc: protocol handler, just as an example):
<a href="calculator:">Launch Calculator!</a>
For many other applications, similar tricks could be used.
Thunderbird 91.5
After the fix, Firefox made sure websites couldn’t so easily send these protocol handler requests without real, intentional user interaction and awareness.
Full advisory from Mozilla
And here’s the official CVE details.
Update Firefox and Thunderbird to the latest versions.
2. Be wary of strange prompts asking to open external applications from your browser. If you’re not sure, click “Cancel” or “No.”
Conclusion
CVE-2022-22739 is a great reminder: sometimes, just clicking the wrong link can bypass many of your security defenses. Thankfully, keeping your software updated goes a long way. Next time your browser asks to open an external program, stop and think — it might not be as harmless as it looks.
References
- Mozilla Security Advisory 2022-02
- CVE-2022-22739 entry on MITRE
- Mozilla bug tracker for CVE-2022-22739
*Written by an infosec enthusiast who wants to make the web safer for everyone!*
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/29/2022 15:47:00 UTC