Mozilla Foundation Security Advisory 2014-16

Files extracted during updates are not always read only

Announced
March 18, 2014
Reporter
Ash
Impact
Moderate
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird
Fixed in
  • Firefox 28
  • Firefox ESR 24.4
  • SeaMonkey 2.25
  • Thunderbird 24.4

Description

Security researcher Ash reported an issue where the extracted files for updates to existing files are not read only during the update process. This allows for the potential replacement or modification of these files during the update process if a malicious application is present on the local system.

References