Mozilla Foundation, MFSA2013-34
Apr 02, 2013 - 12:00 a.m.

Privilege escalation through Mozilla Updater — Mozilla

www.mozilla.org

CVSS2: 6.9 Medium
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.001 Low
Percentile: 40.2%

Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is placed in a specific location on the local system before the Mozilla Updater is run. Local file system access is necessary in order for this issue to be exploitable.

Affected configurations

mozilla firefox < 20
OR mozilla firefox_esr < 17.0.5
OR mozilla seamonkey < 2.17
OR mozilla thunderbird < 17.0.5
OR mozilla thunderbird_esr < 17.0.5
