CVE-2020-35112: 
NixOS vulnerability analysis and mitigation

CVE-2020-35112 is a security vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that affects Windows operating systems. The vulnerability was disclosed on December 15, 2020, and fixed in Firefox 84, Firefox ESR 78.6, and Thunderbird 78.6. The issue occurs when users download files without extensions on Windows systems (Mozilla Advisory, NVD).

The vulnerability manifests when a user downloads a file lacking an extension on Windows and attempts to 'Open' it from the downloads panel. If an executable file exists in the downloads directory with the same base name but with an executable extension (such as .bat or .exe), that executable would be launched instead of the intended file. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker to trick users into executing malicious files when they attempt to open downloaded files without extensions. This could lead to unauthorized code execution on affected systems. The issue specifically affects Windows users of Firefox, Firefox ESR, and Thunderbird, while other operating systems remain unaffected (Mozilla Advisory).

The vulnerability was fixed in Firefox 84, Firefox ESR 78.6, and Thunderbird 78.6. Mozilla's solution involves treating requests to 'Open' extensionless files as 'Open Folder' instead, similar to Chrome's approach to the same issue. Users are advised to update their software to these versions or newer to protect against this vulnerability (Mozilla Advisory).