Mozilla Foundation Security Advisory 2013-87
Shared object library loading from writable location
- Announced
- September 17, 2013
- Reporter
- Vladimir Vukicevic
- Impact
- High
- Products
- Firefox
- Fixed in
-
- Firefox 24
Description
Mozilla developer Vladimir Vukicevic reported that Firefox for Android will optionally load a shared object (.so) library in order to enable GL tracing. When this is occurs, it can be from a world writable location, allowing for it to be replaced by malicious third party applications before it is loaded by Firefox. This would allow for accessing of all Firefox data or for malicious code to be run by Firefox. This flaw requires malicious software to be loaded on the device and is not accessible by web content.