Mozilla Foundation Security Advisory 2014-16
Files extracted during updates are not always read only
- Announced
- March 18, 2014
- Reporter
- Ash
- Impact
- Moderate
- Products
- Firefox, Firefox ESR, SeaMonkey, Thunderbird
- Fixed in
-
- Firefox 28
- Firefox ESR 24.4
- SeaMonkey 2.25
- Thunderbird 24.4
Description
Security researcher Ash reported an issue where the
extracted files for updates to existing files are not read only during the
update process. This allows for the potential replacement or modification of
these files during the update process if a malicious application is present on
the local system.
References