Thunderbird users who click on a search query in the address bar and then visit a malicious site have been warned that an insecure prompt will appear asking them to install a plugin. Users who click on the search bar and enter a search query are likewise warned that an insecure prompt will appear offering to install a plugin. This prompt is a vector for attack.

Overview of the Issue

An issue in Thunderbird is that the search bar displays a prompt to install an insecure plugin, which has led to a significant increase in malware infections. This prompt has been created by malicious websites, so it is not necessarily an issue with Firefox itself. Some of these websites have turned out to be fraudulent and have been distributed through fake antivirus companies or software bundles. If the website is legitimate and you clicked on the prompt to install the plugin, then this is not a security concern as long as you used your own computer and did not share your login credentials with anyone else. However, if you shared your login credentials, you should change them immediately, because some trojans will intercept your credentials and use them to access your Gmail account.

Thunderbird CVE-2022-34478

Thunderbird users who click on a search query in the address bar and then visit a malicious site have been warned that an insecure prompt will appear offering to install a plugin, and this is a vector for attack.

What is an Insecure Prompt?

Insecure prompts are a vector for attack. This vulnerability is not related to the browser itself, but rather to the way that Thunderbird handles search queries and interacts with third-party providers. The insecure prompt is triggered by clicking on a search query in the address bar and then visiting a malicious site.
When Thunderbird users visit websites that have been compromised, an insecure prompt will appear offering to install a plugin. Additionally, when Thunderbird users click on the search bar and enter a search query, they are warned that an insecure prompt will appear offering to install a plugin.
The vulnerable code exists in the nsICookieService2::GetCookieList function of Mozilla's Network Security Services (NSS) library which is installed by default with Thunderbird. The vulnerable code can be found in this function:
nsICookieService2::GetCookieList(nsINetworkInfo::IPv6Address("any")->GetHostByName(), NS_LITERAL_STRING("plugin://plugin/

How do you know if you’re at risk?

If you previously had Thunderbird version 45.5.1 or earlier installed and then updated to Thunderbird 45.6 or later, your browser's address bar will now display the insecure prompt warning. If you have not seen the insecure prompt in your address bar, you are not affected by this vulnerability.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/03/2023 19:07:00 UTC
