CVE-2024-11695
📋 TL;DR
This vulnerability allows attackers to craft URLs with Arabic script and whitespace characters to hide the true origin of web pages, enabling spoofing attacks. It affects Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR users running outdated versions. Attackers could trick users into believing they are visiting legitimate sites when they are actually on malicious ones.
💻 Affected Systems
- Firefox
- Firefox ESR
- Thunderbird
- Thunderbird ESR
📦 What is this software?
Firefox by Mozilla
Firefox by Mozilla
Thunderbird by Mozilla
Thunderbird by Mozilla
⚠️ Risk & Real-World Impact
Worst Case
Users could be tricked into entering sensitive credentials or financial information on spoofed websites that appear legitimate, leading to account compromise or financial fraud.
Likely Case
Phishing attacks where users are directed to fake login pages or malicious sites that appear to be trusted domains.
If Mitigated
Users who verify URLs carefully or use additional security measures might detect the spoofing, but the visual deception could still trick many users.
🎯 Exploit Status
Exploitation requires user interaction (clicking a crafted link) but no authentication. The technique is simple to implement once understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firefox 133+, Firefox ESR 128.5+, Thunderbird 133+, Thunderbird ESR 128.5+
Vendor Advisory: https://www.mozilla.org/security/advisories/
Restart Required: Yes
Instructions:
1. Open the affected application (Firefox or Thunderbird). 2. Go to Settings/Preferences > General/Advanced. 3. Check for updates and apply any available updates. 4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript for suspicious sites
allTemporarily disable JavaScript for untrusted sites to prevent execution of malicious scripts that might exploit this vulnerability.
In Firefox: about:config > javascript.enabled = false
Use URL inspection tools
allInstall browser extensions that highlight or decode URL components to reveal hidden characters.
🧯 If You Can't Patch
- Educate users to carefully inspect URLs before clicking, especially checking for unusual characters or domains.
- Implement network filtering to block known malicious domains and monitor for suspicious URL patterns.
🔍 How to Verify
Check if Vulnerable:
Check the browser version in Settings/Preferences > General/Advanced or type 'about:support' in the address bar.Check Version:
Firefox/Thunderbird: about:support or check in Help > AboutVerify Fix Applied:
Verify the version is at or above the patched versions: Firefox 133+, Firefox ESR 128.5+, Thunderbird 133+, Thunderbird ESR 128.5+.📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns with Arabic script or excessive whitespace in web server logs
- User reports of suspicious or spoofed websites
Network Indicators:
- HTTP requests containing URLs with mixed scripts and unusual encoding
- Traffic to domains that spoof legitimate sites
SIEM Query:
Search web proxy logs for URLs containing Arabic script characters (Unicode range U+0600-U+06FF) combined with whitespace patterns.🔗 References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1925496
- https://www.mozilla.org/security/advisories/mfsa2024-63/
- https://www.mozilla.org/security/advisories/mfsa2024-64/
- https://www.mozilla.org/security/advisories/mfsa2024-67/
- https://www.mozilla.org/security/advisories/mfsa2024-68/
- https://lists.debian.org/debian-lts-announce/2024/11/msg00029.html
