You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-32

Mozilla Foundation Security Advisory 2013-32

Title: Privilege escalation through Mozilla Maintenance Service
Impact: High
Announced: April 2, 2013
Reporter: Frédéric Hoguin
Products: Firefox, Thunderbird

Fixed in: Firefox 20.0
  Firefox ESR 17.0.5
  Thunderbird 17.0.5
  Thunderbird ESR 17.0.5


Security researcher Frédéric Hoguin discovered that the Mozilla Maintenance Service on Windows was vulnerable to a buffer overflow. This system is used to update software without invoking the User Account Control (UAC) prompt. The Mozilla Maintenance Service is configured to allow unprivileged users to start it with arbitrary arguments. By manipulating the data passed in these arguments, an attacker can execute arbitrary code with the system privileges used by the service. This issue requires local file system access to be exploitable.