oss-sec mailing list archives
Re: CVE request for Mozilla Thunderbird (Windows)
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 10 Jul 2013 13:46:20 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/10/2013 12:59 PM, Stefan Kanthak wrote:
The installer of Mozilla Thunderbird writes the following command line with unquoted spaces for uninstallation into the Windows registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 17.0.5 (x86 en-US)] "UninstallString"="C:\\Program Files\\Mozilla Thunderbird\\uninstall\\helper.exe" See <https://bugzilla.mozilla.org/show_bug.cgi?id=871084>, <https://bugzilla.mozilla.org/show_bug.cgi?id=786407> and <https://bugzilla.mozilla.org/show_bug.cgi?id=868746> Due to a well-known and well-documented idiosyncrasy of Windows' CreateProcess() API this can result in the execution of a rogue program "C:\Program.exe" or "C:\Program Files\Mozilla.exe" with the privileges of the caller. Since the caller of this command line typically has administrative rights this vulnerability can lead to a privilege escalation. Affected versions: all current releases. Fixed version: ? Stefan Kanthak
Mozilla is a CNA (http://cve.mitre.org/cve/cna.html) so they'll need to handle this one. Adding them to CC. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR3boMAAoJEBYNRVNeJnmTAL8QAM+JVRhIFM0La55vt0z3XzG7 wcjoe+2oF6Y1qI5vDP0t/1SAj9yBCBEWixKrLnkeKFpOT5+SKUy+kUl3Of+u25w5 52oY8p9AmcYCuf0EaI+8BMvtC1QhDkH3h9zUS8VVzyg6V+8f1Lwby59aaTT+9XY1 OEDZ86kMnR19KV0iglb2dajrMlaepXJhls+uZWCxEiTbgvDLIgm5Gwq8GWOxztGa dqck2CyvJOdoa7Z0SoGEKYktfImsEgPfIwsJPP9+OChbHjF8yMkQzW6jnhTGsxUF yEH+JWsqJh2NxZzEukYvZ7hiBAvLLLJf+5BD6XHeo2QDJv7R/zugbcgJqkrho48Y NDgykkiJqY5FAFrqecaI96HQj/o4BsnzBHOQMjRwaH0CjpNES/Q7DBVX1Oapz1OS welco9LqsyjPiCDEJJ9c34Ysk3666KJH68WE/pFftAhqnIXuyyh8fylUn0LsKWY8 HGKmgILTGtJBKu0J0FgF+hOiqI/nWcAJSSTwSVm6nLHx5r6wDX44A/YMO+rOp+GS NpAjbV8EWN2sws9gm7CSKMR1M8kYhxHpbVGuDiSlQvMI9YtVr6pNXg6uf/5+BKag XrJ8EQ1WCrHu/3h4DVanvI/xUzJNqcoigW0cRKMGB34S6JDoJKMu4a6rgRcJEAB7 4yvTghlVWdAxASrtmCCT =luq9 -----END PGP SIGNATURE-----
Current thread:
- CVE request for Mozilla Thunderbird (Windows) Stefan Kanthak (Jul 10)
- Re: CVE request for Mozilla Thunderbird (Windows) Kurt Seifried (Jul 10)