Mozilla Foundation Security Advisory 2015-58

Mozilla Windows updater can be run outside of application directory

Announced
May 12, 2015
Reporter
Holger Fuhrmannek
Impact
High
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 38
  • SeaMonkey 2.35
  • Thunderbird 38.0.1

Description

Security researcher Holger Fuhrmannek previously reported CVE-2015-0833, which was fixed in MFSA2015-12. That flaw allowed for the updater to load binary DLL format files from the local working directory or from the Windows temporary directories. During the fixing of CVE-2015-0833, the need to ensure that updates use the updater.exe from the application directory was identified to mitigate the potential for further similar vulnerabilities. This change to updater.exe for Windows systems has been made in this release.

This issue is specific to Windows and does not affect Linux or OS X systems.

References