Mozilla Foundation Security Advisory 2016-69

Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter

Announced

August 2, 2016

Reporter

Holger Fuhrmannek

Impact

Moderate

Products

Firefox

Fixed in

Firefox 48

Description

Security researcher Holger Fuhrmannek reported that when the Updater is opened directly using the callback application path parameter, a copy of a user specified file is made as a callback file. If the target of this file is made with a locked hardlink, an arbitrary local file can be replaced on the system even if there is no privileged write access to the targeted file. If this targeted file is run by other processes with privileges, this could allow for arbitrary code execution by a malicious user with local system access. This is not exploitable by web content.

This issue is specific to Windows and does not affect Linux or OS X systems.

References

Arbitrary file overwrite with updater and moz maintenance service (CVE-2016-5253)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-69

Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter

Description

References