Mozilla Foundation Security Advisory 2015-57

Privilege escalation through IPC channel messages

Announced: May 12, 2015
Reporter: Jed Davis, Christoph Diehl
Impact: High
Products: Firefox, Firefox ESR, SeaMonkey, Thunderbird
Fixed in:
  • Firefox 38
  • Firefox ESR 31.7
  • SeaMonkey 2.35
  • Thunderbird 31.7
  • Thunderbird 38.0.1

Description

Mozilla developer Jed Davis and Mozilla security engineer Christoph Diehl reported that Mozilla had inherited an inter-process communication (IPC) vulnerability when IPC was introduced into Mozilla products through third-party code. This could allow for privilege escalation through IPC channels due to a lack of message validation in the listener process.

This issue only affects systems running Windows, leaving Linux and OS X unaffected.
