Mozilla Foundation Security Advisory 2013-45

Mozilla Updater fails to update some Windows Registry entries

Announced
May 14, 2013
Reporter
Robert Kugler
Impact
High
Products
Firefox
Fixed in
  • Firefox 21

Description

Security researcher Robert Kugler discovered that in some instances the Mozilla Maintenance Service on Windows will be vulnerable to some previously fixed privilege escalation attacks that allowed for local privilege escalation. This was caused by the Mozilla Updater not updating Windows Registry entries for the Mozilla Maintenance Service, which fixed the earlier issues present if Firefox 12 had been installed. New installations of Firefox after version 12 are not affected by this issue. Local file system access is necessary in order for this issue to be exploitable and it cannot be triggered through web content.

References