Mozilla Foundation Security Advisory 2013-62

Inaccessible updater can lead to local privilege escalation

Announced

June 25, 2013

Reporter

Seb Patane

Impact

High

Products

Firefox

Fixed in

Firefox 22

Description

Security researcher Seb Patane reported an issue with the Mozilla Maintenance Service on Windows. He discovered that when the Mozilla Updater executable was inaccessible, the Maintenance Service will behave incorrectly and can be made to use an updater at an arbitrary location. This updater will run with the system privileges used by the Maintenance Service, allowing for local privilege escalation. Local file system access is necessary in order for this issue to be exploitable and it cannot be triggered through web content.

References

Arbitrary code execution using a temporarily inaccessible file (CVE-2013-1700)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2013-62

Inaccessible updater can lead to local privilege escalation

Description

References