Mozilla Foundation Security Advisory 2015-58

Mozilla Windows updater can be run outside of application directory

Announced

May 12, 2015

Reporter

Holger Fuhrmannek

Impact

High

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 38
SeaMonkey 2.35
Thunderbird 38.0.1

Description

Security researcher Holger Fuhrmannek previously reported CVE-2015-0833, which was fixed in MFSA2015-12. That flaw allowed for the updater to load binary DLL format files from the local working directory or from the Windows temporary directories. During the fixing of CVE-2015-0833, the need to ensure that updates use the updater.exe from the application directory was identified to mitigate the potential for further similar vulnerabilities. This change to updater.exe for Windows systems has been made in this release.

This issue is specific to Windows and does not affect Linux or OS X systems.

References

Run updater.exe from the application directory when not using the service for an update (CVE-2015-2720)
The updater.exe loads the bcrypt.dll and other dll's from the working and binary directory when not using the service (CVE-2015-0833)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-58

Mozilla Windows updater can be run outside of application directory

Description

References