CVE-2022-36314: 
NixOS vulnerability analysis and mitigation

CVE-2022-36314 is a security vulnerability discovered in Mozilla Firefox and Thunderbird that affects Windows users. The vulnerability was disclosed on July 26, 2022, and involves the handling of Windows shortcut (.lnk) files. When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This vulnerability affects Firefox versions prior to 103.0, Firefox ESR versions before 102.1, and Thunderbird versions before 102.1 (Mozilla Advisory, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The issue stems from improper handling of .lnk files downloaded from the internet, where the IconLocation property of the link file could be manipulated to trigger unexpected network requests. The vulnerability is categorized under CWE-427 (Uncontrolled Search Path Element) (NVD).

The vulnerability allows an attacker to capture NTLM hashes through specially crafted .lnk files when users download and subsequently open these files. The impact is limited to Windows users and requires manual interaction from the user. The severity is rated as moderate due to the manual steps and social engineering required for exploitation, and its effectiveness is primarily limited to attackers on the same local domain (Mozilla Advisory).

Mozilla addressed this vulnerability by implementing special handling for files with .lnk extensions when downloading them on Windows systems. The fix was released in Firefox 103.0, Firefox ESR 102.1, and Thunderbird 102.1. The solution involves renaming these files during download to prevent automatic handling by the operating system (Mozilla Advisory).