You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-71

Mozilla Foundation Security Advisory 2013-71

Title: Further Privilege escalation through Mozilla Updater
Impact: High
Announced: August 6, 2013
Reporter: Ash
Products: Firefox, Thunderbird, Seamonkey

Fixed in: Firefox 23.0
  Firefox ESR 17.0.8
  Thunderbird 17.0.8
  Thunderbird ESR 17.0.8
  Seamonkey 2.20

Description

Security researcher Ash reported an issue with the Mozilla Updater on Windows 7 and later versions of Windows. On vulnerable platforms, the Mozilla Updater can be made to load a specific malicious DLL file from the local system. This DLL file can run in a privileged context through the Mozilla Maintenance Service's privileges, allowing for local privilege escalation. The DLL file can also run in an unprivileged context if the Mozilla Updater is run directly by a user in the same directory as the file. Local file system access is necessary in order for this issue to be exploitable.

References