UniversalBrowserRead privilege escalation
- July 25, 2006
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 184.108.40.206
- SeaMonkey 1.0.3
- Thunderbird 220.127.116.11
shutdown reports that scripts granted the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context. This allows the attacker the ability to run scripts with the full privelege of the user running the browser, possibly installing malware or snooping on private data. This has been fixed so that UniversalBrowserRead and UniversalBrowserWrite are limited to reading from and writing into only normally-privileged browser windows and frames.
UniversalBrowserRead privileges should not be granted to sites found on the internet. Even after fixing this vulnerability that permission by design allows the privileged script to read potentially sensitive data from any other site it wishes, including those it opens without your knowledge (in a hidden frame, for example). You should grant enhanced privileges only when a trusted system administrator tells you that it is safe to do so.