Mozilla Foundation Security Advisory 2014-16

Files extracted during updates are not always read only

Announced

March 18, 2014

Reporter

Ash

Impact

Moderate

Products

Firefox, Firefox ESR, SeaMonkey, Thunderbird

Fixed in

Firefox 28
Firefox ESR 24.4
SeaMonkey 2.25
Thunderbird 24.4

Description

Security researcher Ash reported an issue where the extracted files for updates to existing files are not read only during the update process. This allows for the potential replacement or modification of these files during the update process if a malicious application is present on the local system.

References

Files extracted from Mar file are not locked during update (CVE-2014-1496)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2014-16

Files extracted during updates are not always read only

Description

References