Mozilla Foundation Security Advisory 2005-21
Overwrite arbitrary files downloading .lnk twice
- Announced: February 24, 2005
- Reporter: Masayuki Nakano
- Risk: Low
- Impact: Critical
- Products: Firefox, Mozilla Suite, Thunderbird
- Fixed in:
  - Firefox 1.0.1
  - Mozilla Suite 1.7.6
  - Thunderbird 1.0.2
Description
If a Windows user can be convinced to download a .lnk file twice to the same location, an attacker can overwrite (essentially delete) arbitrary files on the user's machine: the second download overwrites the file referenced by the first .lnk rather than replacing the .lnk itself. On some older versions of Windows, .pif and .url files can be used to accomplish the same thing.
If an attacker knows the user will download twice and is able to send different content the second time, then the attacker could replace the targeted file with content of their choosing. The first .lnk would point to the target file and the second download would contain the compromised version of the target.
Workaround
Do not download .pif, .lnk, or .url files. If running Windows XP, use a limited (non-administrator) account to prevent malicious access to critical operating system files.
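The Description comes down to a save routine that reuses an existing shortcut's path and writes through it. The sketch below is an added example, not Mozilla's fix or code from the advisory: it shows one defensive save policy a download tool could apply. The function names and the "pick a fresh name" policy are assumptions made for illustration; the header bytes are the standard Shell Link (.lnk) signature.

```python
import os
import tempfile

# Shortcut extensions named in the advisory.
SHORTCUT_EXTS = {".lnk", ".pif", ".url"}
# First 20 bytes of a Shell Link file: HeaderSize 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian layout).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

def is_shortcut(path):
    """True if an existing file looks like a shortcut by name or by .lnk header."""
    if os.path.splitext(path)[1].lower() in SHORTCUT_EXTS:
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False

def pick_destination(directory, filename):
    """Hypothetical policy: never reuse the path of an existing shortcut."""
    base, ext = os.path.splitext(filename)
    candidate = os.path.join(directory, filename)
    n = 1
    # lexists() does not follow links, so a dangling link still counts as taken.
    while os.path.lexists(candidate) and is_shortcut(candidate):
        candidate = os.path.join(directory, f"{base}({n}){ext}")
        n += 1
    return candidate

def save_download(directory, filename, data):
    """Write to a temp file, then rename it into place.

    The existing destination is never opened for writing, so nothing it
    refers to can be written through; only the directory entry changes.
    """
    dest = pick_destination(directory, filename)
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, dest)
    return dest
```
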