CVE-2024-11693 Overview
A security bypass vulnerability exists in Mozilla Firefox and Thunderbird on Windows operating systems where the executable file warning dialog was not presented when downloading .library-ms files. This flaw allows attackers to deliver potentially malicious Windows Library files without triggering the standard security warning that users rely on to make informed decisions about downloaded content.
Windows Library files (.library-ms) are XML-based configuration files that define virtual folders and can reference network locations. When opened, these files can be leveraged to initiate connections to attacker-controlled servers or trick users into accessing malicious content through seemingly benign library definitions.
Critical Impact
Attackers can deliver malicious .library-ms files to Windows users without triggering download warnings, potentially leading to arbitrary code execution, credential theft, or system compromise through Windows Library file abuse.
Affected Products
- Mozilla Firefox versions prior to 133
- Mozilla Firefox ESR versions prior to 128.5
- Mozilla Thunderbird versions prior to 133 and 128.5
Discovery Timeline
- 2024-11-26 - CVE CVE-2024-11693 published to NVD
- 2025-04-03 - Last updated in NVD database
Technical Details for CVE-2024-11693
Vulnerability Analysis
This vulnerability represents a security control bypass in Mozilla's file download handling mechanism specifically affecting Windows operating systems. The issue stems from an incomplete implementation of the dangerous file type detection system, where .library-ms files were not included in the list of file extensions that should trigger a download warning.
Windows Library files are a feature introduced in Windows 7 that allows users to aggregate content from multiple locations into a single view. The .library-ms format is an XML-based file that can specify local paths, network shares, and even UNC paths. When a user opens such a file, Windows Explorer processes it and connects to any referenced locations.
The absence of a download warning for this file type creates a significant security gap. Users who download a .library-ms file from an untrusted source would not receive the typical "This file could harm your computer" warning that accompanies other potentially dangerous file types. This missing warning undermines the defense-in-depth approach that browsers employ to protect users from malicious downloads.
Root Cause
The root cause of this vulnerability is an incomplete file extension blocklist in Mozilla's download handler. The browser's security mechanism failed to recognize .library-ms files as potentially dangerous executable content that requires user acknowledgment before saving or opening. This oversight in file type categorization allowed these Windows-specific library files to bypass the standard download warning system.
Attack Vector
An attacker can exploit this vulnerability through network-based attack vectors by hosting a malicious .library-ms file on a web server or attaching it to an email (for Thunderbird). The attack flow involves:
- The attacker crafts a .library-ms file containing references to attacker-controlled network shares or malicious file paths
- The victim is social-engineered into downloading the file through a phishing link or compromised website
- Due to the vulnerability, no download warning is presented to the user
- When the victim opens the file, Windows Explorer processes the library definition
- The victim's system connects to the attacker-specified locations, potentially exposing credentials through SMB authentication or loading malicious content
The attack requires user interaction to open the downloaded file, but the missing warning significantly increases the likelihood of successful exploitation by removing a critical security checkpoint in the download process.
Detection Methods for CVE-2024-11693
Indicators of Compromise
- Unexpected .library-ms files appearing in download directories or email attachments
- Network connections to unusual external SMB shares or WebDAV servers initiated by Windows Explorer
- Windows Library files containing references to external or unknown network locations
- Suspicious authentication attempts to external servers following browser downloads
Detection Strategies
- Monitor file downloads for .library-ms file extensions, particularly from untrusted sources
- Implement endpoint detection rules to alert on newly created .library-ms files in user download folders
- Configure SIEM rules to correlate browser download events with subsequent SMB or WebDAV connection attempts
- Deploy email gateway rules to quarantine or flag attachments with .library-ms extensions
Monitoring Recommendations
- Enable detailed logging for Windows Explorer and file association handling events
- Monitor outbound SMB traffic (port 445) for connections to non-corporate destinations
- Implement browser extension policies that restrict downloads of potentially dangerous file types
- Review and audit any existing .library-ms files on endpoints for unauthorized external references
How to Mitigate CVE-2024-11693
Immediate Actions Required
- Update Mozilla Firefox to version 133 or later immediately
- Update Mozilla Firefox ESR to version 128.5 or later
- Update Mozilla Thunderbird to version 133 or 128.5 or later
- Review recent downloads on Windows systems for any suspicious .library-ms files
Patch Information
Mozilla has addressed this vulnerability in Firefox 133, Firefox ESR 128.5, Thunderbird 133, and Thunderbird 128.5. Organizations should prioritize updating affected browsers and email clients, particularly on Windows systems where this vulnerability applies. Detailed patch information is available in the Mozilla Security Advisory MFSA-2024-63, MFSA-2024-64, MFSA-2024-67, and MFSA-2024-68. The underlying bug is tracked in Mozilla Bug Report #1921458.
Workarounds
- Block .library-ms file downloads at the network perimeter using web proxy or firewall rules
- Configure email security gateways to strip or quarantine .library-ms attachments
- Implement Group Policy to restrict the execution of .library-ms files from download locations
- Educate users about the risks of opening unexpected library files and to verify downloads before opening
# Windows Group Policy workaround - Block .library-ms execution from Downloads
# Can be implemented via Software Restriction Policies or AppLocker
# Example: Create a path rule to block execution from user download folders
# Path: %USERPROFILE%\Downloads\*.library-ms
# Security Level: Disallowed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
