Mozilla Foundation Security Advisory 2010-52

Windows XP DLL loading vulnerability

Announced
September 7, 2010
Reporter
Haifei Li, Acros Security
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.12
  • Firefox 3.6.9
  • SeaMonkey 2.0.7
  • Thunderbird 3.0.7
  • Thunderbird 3.1.3

Description

Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. This DLL is only loaded at startup so a successful attack requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL.

This issue was also independently reported to Mozilla by Acros Security. After the issue became public a number of other community members contacted Mozilla to report the issue.

Firefox users on Windows Vista or Windows 7 were not vulnerable to this attack because dwmapi.dll is part of the OS in Vista and later versions and the legitimate copy is successfully loaded by Firefox before attempting to load the planted DLL.

References