Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
- August 2, 2016
- Holger Fuhrmannek
- Fixed in: Firefox 48
Security researcher Holger Fuhrmannek reported that when the Updater is opened directly using the callback application path parameter, a copy of a user-specified file is made as a callback file. If the target of this copy is set up as a locked hardlink, an arbitrary local file can be replaced on the system even without privileged write access to the targeted file. If the targeted file is run by other processes with privileges, this could allow arbitrary code execution by a malicious user with local system access. This is not exploitable by web content.
This issue is specific to Windows and does not affect Linux or OS X systems.
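A general defensive check against the hardlink replacement described above, as an added example that is not part of the advisory and is not Mozilla's fix: before overwriting a destination, the writer inspects the opened handle and refuses if the file has more than one hard link. The function names, file names and the scenario in `demo()` are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile


class UnsafeDestination(Exception):
    """The destination has other names or is not a regular file."""


def checked_overwrite(dst, data):
    """Write data to dst only if dst is a regular file with a single name."""
    flags = os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_BINARY", 0)
    try:
        # Open without O_TRUNC so nothing is modified before the checks pass.
        fd = os.open(dst, flags)
    except FileNotFoundError:
        # Nothing there yet: create exclusively so a link planted meanwhile fails.
        fd = os.open(dst, flags | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        info = os.fstat(fd)  # inspect the opened handle, not the path
        if not stat.S_ISREG(info.st_mode):
            raise UnsafeDestination(f"{dst}: not a regular file")
        if info.st_nlink != 1:
            raise UnsafeDestination(f"{dst}: {info.st_nlink} hard links")
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: 'callback.tmp' is a hard link to 'protected.bin'."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "protected.bin")
        callback = os.path.join(tmp, "callback.tmp")
        fresh = os.path.join(tmp, "fresh.tmp")
        with open(protected, "wb") as f:
            f.write(b"original")
        os.link(protected, callback)  # second name for the same file
        try:
            checked_overwrite(callback, b"replacement")
            blocked = False
        except UnsafeDestination:
            blocked = True
        checked_overwrite(fresh, b"replacement")  # new file: allowed
        with open(protected, "rb") as f1, open(fresh, "rb") as f2:
            return blocked, f1.read(), f2.read()
```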