Message-ID: <63140AD44DF9493C81881ACAE3C6E1D6@celsius>
Date: Wed, 10 Jul 2013 20:56:57 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <oss-security@...ts.openwall.com>
Subject: CVE request for Mozilla Firefox (Windows)

The installer of Mozilla Firefox writes the following command line
with unquoted spaces for uninstallation into the Windows registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 22.0 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"

See <https://bugzilla.mozilla.org/show_bug.cgi?id=871084>,
<https://bugzilla.mozilla.org/show_bug.cgi?id=786407> and
<https://bugzilla.mozilla.org/show_bug.cgi?id=868746>

Due to a well-known and well-documented idiosyncrasy of Windows'
CreateProcess() API this can result in the execution of a rogue
program "C:\Program.exe" or "C:\Program Files\Mozilla.exe" with the
privileges of the caller.
Since the caller of this command line typically has administrative
rights this vulnerability can lead to a privilege escalation.

Affected versions: all current releases.

Fixed version: 23.0.

Stefan Kanthak
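
The check below is an added example, not part of the original message or of Mozilla's code: it parses a `.reg` export, flags `UninstallString` values that are not enclosed in quotes, and lists the paths CreateProcess() would try ahead of the intended executable. The `ExampleApp` entry, the function names and the "stop at the first prefix ending in .exe" heuristic are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample in .reg export format: the first entry is the value quoted
# in the message above, the second is a hypothetical, correctly quoted entry.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 22.0 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp]
"UninstallString"="\"C:\\Program Files\\ExampleApp\\uninstall.exe\" /S"
'''

VALUE_RE = re.compile(r'^"UninstallString"="(.*)"\s*$')

def unescape_reg(raw):
    # In a .reg string a backslash escapes the backslash or quote that follows it.
    return re.sub(r'\\(["\\])', r'\1', raw)

def ambiguous_candidates(cmdline):
    """Paths CreateProcess() would try before reaching a prefix that ends in
    .exe; empty when the path is quoted or contains no spaces."""
    if cmdline.startswith('"'):
        return []
    candidates, prefix = [], ''
    for token in cmdline.split(' '):
        prefix = token if not prefix else prefix + ' ' + token
        if prefix.lower().endswith('.exe'):
            break  # assumed to be the intended target (heuristic)
        # CreateProcess() appends .exe when the name has no extension.
        has_ext = bool(ntpath.splitext(prefix)[1])
        candidates.append(prefix if has_ext else prefix + '.exe')
    return candidates

def audit(reg_text):
    # Return {registry key: candidates} for every flagged UninstallString.
    findings, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith('['):
            key = line.strip('[]')
        elif m and key:
            cands = ambiguous_candidates(unescape_reg(m.group(1)))
            if cands:
                findings[key] = cands
    return findings

if __name__ == '__main__':
    for key, cands in audit(SAMPLE_REG).items():
        print(key, '->', cands)
```

Only the Firefox 22.0 entry is reported, with the same two paths the message names; the quoted entry yields no ambiguous interpretation.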
