Multiple Mozilla products contain a flaw that is triggered when a specially crafted HTML page hosted on a windows share is loaded by a user, which may allow for the loading of arbitrary .lnk files located on the same windows share. This grants a local attacker the ability to redirect shortcut files to arbitrary locations, which will allow the attacker to gain access to arbitrary files.

Upgrade Firefox or Thunderbird to version 13 or 10.0.5 for ESR, and SeaMonkey to version 2.10 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2012-1945 (see also: NVD)
• Secunia Advisory ID: 49366 49368 49405 49435 49446 49507 49641 49672 51766
• Bugtraq ID: 53799
• Vendor Specific News/Changelog Entry: http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00012.html
  http://www.gentoo.org/security/en/glsa/glsa-201301-01.xml
  http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
  http://www.ubuntu.com/usn/usn-1463-1
  http://www.ubuntu.com/usn/usn-1463-4/
  https://bugzilla.mozilla.org/show_bug.cgi?id=670514 [ Auth Req'd ]
  https://hermes.opensuse.org/messages/14941334
• RedHat RHSA: RHSA-2012:0710 RHSA-2012:0715

• Paul Stone