Mozilla Foundation Security Advisory 2013-87

Shared object library loading from writable location

Announced
September 17, 2013
Reporter
Vladimir Vukicevic
Impact
High
Products
Firefox
Fixed in
  • Firefox 24

Description

Mozilla developer Vladimir Vukicevic reported that Firefox for Android will optionally load a shared object (.so) library in order to enable GL tracing. When this is occurs, it can be from a world writable location, allowing for it to be replaced by malicious third party applications before it is loaded by Firefox. This would allow for accessing of all Firefox data or for malicious code to be run by Firefox. This flaw requires malicious software to be loaded on the device and is not accessible by web content.

References