Mozilla Foundation Security Advisory 2015-57

Privilege escalation through IPC channel messages

Announced

May 12, 2015

Reporter

Jed Davis, Christoph Diehl

Impact

High

Products

Firefox, Firefox ESR, SeaMonkey, Thunderbird

Fixed in

Firefox 38
Firefox ESR 31.7
SeaMonkey 2.35
Thunderbird 31.7
Thunderbird 38.0.1

Description

Mozilla Developer Jed Davis and Mozilla security engineer Christoph Diehl reported that Mozilla had inherited a Inter-process Communication (IPC) vulnerability when IPC was introduced into Mozilla products through third-party code. This could allow for privilege escalation through IPC channels due to lack of message validation in the listener process.

This issue only affects systems running Windows, leaving Linux and OS X unaffected.

References

IPC Channel does not validate the listener (CVE-2011-3079)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-57

Privilege escalation through IPC channel messages

Description

References