Mozilla Foundation Security Advisory 2016-69

Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter

Announced: August 2, 2016
Reporter: Holger Fuhrmannek
Impact: Moderate
Products: Firefox
Fixed in: Firefox 48

Description

Security researcher Holger Fuhrmannek reported that when the Updater is opened directly using the callback application path parameter, a copy of a user-specified file is made as a callback file. If the target of this file is created as a locked hard link, an arbitrary local file can be replaced on the system even if the user has no privileged write access to the targeted file. If the targeted file is run by other processes with privileges, this could allow arbitrary code execution by a malicious user with local system access. This is not exploitable by web content.

This issue is specific to Windows and does not affect Linux or OS X systems.
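The following is an added example, not Mozilla's updater code or the fix shipped in Firefox 48. It shows a generic defensive pattern for a privileged process that copies a file to a caller-influenced path: never open the existing destination for writing, and flag a destination that has extra links. The function names and file names are hypothetical, and the scenario in `demo()` is constructed.

```python
import os
import tempfile


def replace_file(src, dst):
    """Copy src to dst without ever opening an existing dst for writing.

    Returns True if the old dst was a symlink or had extra hard links,
    which a privileged writer should log as suspicious.
    """
    suspicious = False
    if os.path.lexists(dst):
        # lstat does not follow symlinks; st_nlink > 1 means other names exist.
        suspicious = os.path.islink(dst) or os.lstat(dst).st_nlink > 1
    # New file in the same directory; mkstemp creates it exclusively (O_EXCL).
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dst)))
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            out.write(inp.read())
        # Swaps the directory entry only; the old file's data is not touched.
        os.replace(tmp, dst)
    except BaseException:
        os.unlink(tmp)
        raise
    return suspicious


def demo():
    """Constructed scenario: 'callback' is a hard link to 'protected'."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.bin")
        callback = os.path.join(d, "callback.bin")
        source = os.path.join(d, "user_file.bin")
        with open(protected, "wb") as f:
            f.write(b"trusted")
        with open(source, "wb") as f:
            f.write(b"user data")
        os.link(protected, callback)
        flagged = replace_file(source, callback)
        with open(protected, "rb") as f:
            kept = f.read()
        with open(callback, "rb") as f:
            written = f.read()
        return flagged, kept, written


if __name__ == "__main__":
    print(demo())
```

The link-count check is only a logging signal, since it can race with a concurrent change; the protection comes from writing a fresh file and renaming it into place.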
