CVE-2018-12383 : Security Advisory and Response

Learn about CVE-2018-12383 affecting Firefox, Firefox ESR, and Thunderbird versions, potentially exposing stored passwords. Find mitigation steps and necessary updates to secure your systems.

A vulnerability in Firefox versions earlier than 62, and in Firefox ESR and Thunderbird versions earlier than 60.2.1, could leave stored passwords exposed in ways users would not expect.

Understanding CVE-2018-12383

This CVE highlights a flaw in password management that could lead to the unintended exposure of stored passwords.

What is CVE-2018-12383?

Passwords saved before Firefox 58 remain accessible as unencrypted copies even after the user sets a master password, because an older stored password file was not removed during a data format transition.

The Impact of CVE-2018-12383

The security issue affects Firefox versions earlier than 62, Firefox ESR versions earlier than 60.2.1, and Thunderbird versions earlier than 60.2.1, potentially compromising stored password security.

Technical Details of CVE-2018-12383

This section delves into the specifics of the vulnerability.

Vulnerability Description

The flaw arises because older unencrypted password files are not deleted when the data is migrated to a new format post-Firefox 58, which leaves the stored passwords open to unauthorized access.

Affected Systems and Versions

        Firefox versions prior to 62
        Firefox ESR versions prior to 60.2.1
        Thunderbird versions prior to 60.2.1

Exploitation Mechanism

Unauthorized access to stored passwords is possible due to the retention of unencrypted password files from older versions.

Mitigation and Prevention

Protecting against this vulnerability requires immediate actions and long-term security practices.

Immediate Steps to Take

        Update Firefox, Firefox ESR, and Thunderbird to versions 62, 60.2.1, and 60.2.1 respectively.
        Avoid saving sensitive passwords in vulnerable versions.
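
One way to check for the leftover file described above, as an added example that is not part of the original advisory or Mozilla's code: it scans a directory of browser profiles and flags those where the old password store still sits beside the new one. The file names `key3.db` and `key4.db` and all helper names are assumptions; the advisory does not name the files.

```python
import tempfile
from pathlib import Path

# Assumed file names (not stated in the advisory): the pre-Firefox 58 key
# store and the store that replaced it. Adjust to match your deployment.
LEGACY_STORE = "key3.db"
CURRENT_STORE = "key4.db"


def audit_profiles(profiles_root, legacy=LEGACY_STORE, current=CURRENT_STORE):
    """Return {profile_name: status} for each profile directory under profiles_root.

    status is one of:
      "leftover-legacy" - both stores present: the old file survived the migration
      "legacy-only"     - old store only: the profile was never migrated
      "clean"           - old store absent
    """
    results = {}
    for profile in sorted(Path(profiles_root).iterdir()):
        if not profile.is_dir():
            continue
        has_legacy = (profile / legacy).is_file()
        has_current = (profile / current).is_file()
        if has_legacy and has_current:
            results[profile.name] = "leftover-legacy"
        elif has_legacy:
            results[profile.name] = "legacy-only"
        else:
            results[profile.name] = "clean"
    return results


def build_sample_tree(root):
    """Constructed sample data: three fake profiles holding empty placeholder files."""
    layout = {
        "aaaa.migrated": [LEGACY_STORE, CURRENT_STORE],
        "bbbb.fresh": [CURRENT_STORE],
        "cccc.old": [LEGACY_STORE],
    }
    for name, files in layout.items():
        (Path(root) / name).mkdir()
        for filename in files:
            (Path(root) / name / filename).touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, status in audit_profiles(tmp).items():
            print(f"{name}: {status}")
```

A "leftover-legacy" result is an indicator that the profile went through the format transition with the old file still on disk, not proof of exposure; use it to prioritise which hosts get the update first.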

Long-Term Security Practices

        Regularly update software to the latest versions.
        Use strong, unique passwords and consider password managers.

Patching and Updates

        Apply patches provided by Mozilla for Firefox, Firefox ESR, and Thunderbird to address the vulnerability.
