Vulnerability CVE-2017-7760: Information

Description

The Mozilla Windows updater modifies some files to be updated by reading the original file and applying changes to it. The location of the original file can be altered by a malicious user by passing a special path to the callback parameter through the Mozilla Maintenance Service, allowing the manipulation of files in the installation directory and privilege escalation by manipulating the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.

Severity: HIGH (7.8) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-7760

Published: June 12, 2018

Modified: Aug. 14, 2018

Error type identifier: CWE-417

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
firefox	sisyphus	54.0.1-alt1	127.0-alt1	ALT-PU-2017-1886-1	185325	Fixed
firefox	p10	54.0.1-alt1	118.0.2-alt0.p10.1	ALT-PU-2017-1886-1	185325	Fixed
firefox	p9	54.0.1-alt1	105.0.1-alt0.c9.1	ALT-PU-2017-1886-1	185325	Fixed
firefox	p8	54.0.1-alt0.M80P.1	68.0.1-alt0.M80P.1	ALT-PU-2017-1981-1	185512	Fixed
firefox	c10f1	54.0.1-alt1	112.0.2-alt0.p10.1	ALT-PU-2017-1886-1	185325	Fixed
firefox	c9f2	54.0.1-alt1	105.0.1-alt0.c9.1	ALT-PU-2017-1886-1	185325	Fixed
firefox	c7	52.5.3-alt0.M70C.1	60.8.0-alt0.M70C.1	ALT-PU-2018-1225-1	200642	Fixed
firefox	p11	54.0.1-alt1	126.0.1-alt1	ALT-PU-2017-1886-1	185325	Fixed
firefox-esr	sisyphus	52.2.0-alt1	115.11.0-alt1	ALT-PU-2017-1770-1	184555	Fixed
firefox-esr	p10	52.2.0-alt1	115.11.0-alt1	ALT-PU-2017-1770-1	184555	Fixed
firefox-esr	p9	52.2.0-alt1	102.11.0-alt0.c9.1	ALT-PU-2017-1770-1	184555	Fixed
firefox-esr	p8	52.3.0-alt0.M80P.1	68.4.1-alt0.M80P.1	ALT-PU-2017-2230-1	188380	Fixed
firefox-esr	c10f1	52.2.0-alt1	115.9.1-alt0.c10.1	ALT-PU-2017-1770-1	184555	Fixed
firefox-esr	c9f2	52.2.0-alt1	102.12.0-alt0.c9.1	ALT-PU-2017-1770-1	184555	Fixed
firefox-esr	p11	52.2.0-alt1	115.11.0-alt1	ALT-PU-2017-1770-1	184555	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://www.mozilla.org/security/advisories/mfsa2017-16/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-15/	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1348645	Exploit Issue Tracking Patch Vendor Advisory
1038689	Third Party Advisory VDB Entry
99057	Third Party Advisory VDB Entry

Affected configurations:
1. Configuration 1
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Version: v24.5.3

Vulnerability CVE-2017-7760: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1