Arbitrary file overwriting through Mozilla Maintenance Service with hard links
- August 11, 2015
- James Forshaw
- Firefox, Firefox ESR, SeaMonkey, Thunderbird
- Fixed in
  - Firefox 40
  - Firefox ESR 38.2
  - SeaMonkey 2.35
  - Thunderbird 38.2
James Forshaw, a security researcher with Google Project Zero, reported that the Mozilla Maintenance Service on Windows can be made, through the use of a hard link and by means of a race condition, to write its log file in a restricted location with an arbitrary file name. This can allow the log file to overwrite another named file that the user would not have the privileges to change. If the overwritten file is used as source input or as a script by a program with elevated privileges, this could allow an escalation of privilege attack. Exploitation requires local file system access and the ability to execute local programs.
This issue only affects Windows systems. OS X and Linux operating systems are unaffected.
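One defensive pattern against this class of log-file overwrite, as an added illustration (not Mozilla's fix and not code from the advisory): a privileged writer opens the log without truncating it, then checks the link count on the opened handle before discarding any data. The names `open_log_safely`, `UnsafeLogTarget` and the sample file names are hypothetical, and Python is used only because its `os.fstat` link count is portable.

```python
import os
import stat
import tempfile


class UnsafeLogTarget(Exception):
    """The log path resolves to a file the writer should not touch."""


def open_log_safely(path):
    """Open a log for writing; refuse a target that has other hard links."""
    flags = os.O_WRONLY | os.O_CREAT       # no O_TRUNC: nothing destroyed yet
    flags |= getattr(os, "O_NOFOLLOW", 0)  # also refuse symlinks where supported
    fd = os.open(path, flags, 0o600)
    try:
        # Check the opened descriptor, not the path, so the name cannot be
        # swapped between the check and the write.
        info = os.fstat(fd)
        if not stat.S_ISREG(info.st_mode):
            raise UnsafeLogTarget(f"{path}: not a regular file")
        if info.st_nlink != 1:
            raise UnsafeLogTarget(f"{path}: {info.st_nlink} hard links")
        os.ftruncate(fd, 0)                # only now discard old contents
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "w")


def demo():
    """Constructed sample: a log name that aliases a protected file."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.cfg")
        with open(protected, "w") as f:
            f.write("original")
        linked_log = os.path.join(d, "linked.log")
        os.link(protected, linked_log)
        try:
            open_log_safely(linked_log).close()
            refused = False
        except UnsafeLogTarget:
            refused = True
        with open(protected) as f:
            intact = f.read() == "original"
        with open_log_safely(os.path.join(d, "plain.log")) as log:
            log.write("ok")
        with open(os.path.join(d, "plain.log")) as f:
            wrote = f.read() == "ok"
    return refused, intact, wrote
```

`demo()` returns three flags: the aliased log name was refused, the protected file kept its contents, and an ordinary log file was still written.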