Installer will launch incorrect executable following new installation

Related Vulnerabilities: CVE-2012-3974  

Mozilla Foundation Security Advisory 2012-67

Announced: August 28, 2012
Reporter: Masato Kinugawa
Impact: Moderate
Products: Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in:
  • Firefox 15
  • Firefox ESR 10.0.7
  • SeaMonkey 2.13.2
  • Thunderbird 16.0.2
  • Thunderbird ESR 10.0.10

Description

Security researcher Masato Kinugawa reported that if a crafted executable is placed in the root partition on a Windows file system, the Firefox and Thunderbird installer will launch this program after a standard installation instead of Firefox or Thunderbird. The program then runs with the user's privileges.
