Mozilla Foundation Security Advisory 2005-21

Overwrite arbitrary files downloading .lnk twice

Announced: February 24, 2005
Reporter: Masayuki Nakano
Risk: Low
Impact: Critical
Products: Firefox, Mozilla Suite, Thunderbird
Fixed in:
  • Firefox 1.0.1
  • Mozilla Suite 1.7.6
  • Thunderbird 1.0.2

Description

If a Windows user can be convinced to download a .lnk file twice to the same location, an attacker can overwrite (essentially delete) arbitrary files on the user's machine: the second download overwrites the file referenced by the first .lnk rather than replacing the .lnk itself. On some older versions of Windows, .pif and .url files can be used to accomplish the same thing.

If an attacker knows the user will download twice and is able to send different content the second time, the attacker could replace the targeted file with content of their choosing. The first .lnk would point to the target file and the second download would contain the compromised version of the target.
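
The following is an added example, not Mozilla's code or its fix: it reproduces the class of bug described above and contrasts it with a save routine that replaces the directory entry instead of writing through it. It assumes a POSIX system and uses a symlink as a stand-in for a Windows shortcut; the function names and file names are hypothetical.

```python
import os
import tempfile


def save_following_links(path: str, data: bytes) -> None:
    """Vulnerable pattern: opening an existing link for writing resolves it,
    so the bytes land in whatever the link points to."""
    with open(path, "wb") as f:
        f.write(data)


def save_replacing_entry(path: str, data: bytes) -> None:
    """Hardened pattern: write a fresh temp file in the same directory,
    then atomically swap it in for the directory entry itself."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".download-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)  # replaces the link, never its target
    except BaseException:
        os.unlink(tmp)
        raise


def demo() -> dict:
    """Constructed scenario: the first 'download' is a link to a victim file,
    the second 'download' to the same name carries different content.
    Returns the victim file's content after each save strategy."""
    results = {}
    strategies = (("following", save_following_links),
                  ("replacing", save_replacing_entry))
    for name, save in strategies:
        with tempfile.TemporaryDirectory() as d:
            victim = os.path.join(d, "important.txt")
            with open(victim, "wb") as f:
                f.write(b"original")
            download = os.path.join(d, "file.lnk")
            os.symlink(victim, download)  # stand-in for the first download
            save(download, b"second download")
            with open(victim, "rb") as f:
                results[name] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```
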

Workaround

Do not download .pif, .lnk, or .url files. If running Windows XP, use a limited (non-administrator) account to prevent malicious access to critical operating system files.

References