oss-sec mailing list archives
Re: CVE request for Mozilla Firefox (Windows)
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 10 Jul 2013 13:46:48 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/10/2013 12:56 PM, Stefan Kanthak wrote:
The installer of Mozilla Firefox writes the following command line with unquoted spaces for uninstallation into the Windows registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 22.0 (x86 en-US)] "UninstallString"="C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe" See <https://bugzilla.mozilla.org/show_bug.cgi?id=871084>, <https://bugzilla.mozilla.org/show_bug.cgi?id=786407> and <https://bugzilla.mozilla.org/show_bug.cgi?id=868746> Due to a well-known and well-documented idiosyncrasy of Windows' CreateProcess() API this can result in the execution of a rogue program "C:\Program.exe" or "C:\Program Files\Mozilla.exe" with the privileges of the caller. Since the caller of this command line typically has administrative rights this vulnerability can lead to a privilege escalation. Affected versions: all current releases. Fixed version: 23.0. Stefan Kanthak
Mozilla is a CNA (http://cve.mitre.org/cve/cna.html) so they'll need to handle this one. Adding them to CC. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR3bonAAoJEBYNRVNeJnmTAMAP/jSmT4oCK0uN6UB1j5hp3Puq xL1xbhag5gXxe75DG2BO8On4gsEvcOTgJzEedlqAz2jpx/YRwiErSz8fYw4HRP3r mC9IuL51Tl1seh/L0h+0moWTX4To+E49IdsODhK5EvczCfFKVxDPxPNDDXZu0A1p qpb3sH+dujiBq9LgkZwaP43ByCl2rR1YPRdhK8JJ+yKh5WlX6CfBSSaW0xX2nB6J oPqUgNmBf45zwXJeRcvv1nSTlGtcaaK+OeOxi3Iv0ooekAeqp4m+Hsp1MjQql76R gnDjA4h2vkmXk8+UuCNxxg0LRPKNWf9WQrKxqiwrpgMpInV6BIf7785kuskaGZfI D3E247hCyWNiewddBk5No7WoIw87g0rd8osg1irvegxDVCOZAm06rcpFco67pCGm vdtpF8jnsN53qbDlXhYQ6R8D1s4dhLJTooWQ+tpRGN0mDInbnLiJtvZ7iAvByP1b w6GpR/2RHC+49NyLevjNtrJsLrtag/FBR5a3wGTpJPX6Vejl7fHTQH94HF9bZt5d eosuGwYFBHJVvvqt9wCYv9gdNNSPqq/MK1HLL1m/gALH/QVrBN7qWXIeGNXQQlMk 2fx+EtHjalDRlFBjQBv5koJUIF7vl/NUgIud6S9M0W5WpBUAdrs+hKKZQ/0dqr/2 16XrC8jWRZvgQUu8K6IA =BEs1 -----END PGP SIGNATURE-----
Current thread:
- CVE request for Mozilla Firefox (Windows) Stefan Kanthak (Jul 10)
- Re: CVE request for Mozilla Firefox (Windows) Kurt Seifried (Jul 10)