Bug 977377 (CVE-2016-2809) - VUL-0: CVE-2016-2809: MozillaFirefox: Maintenance Service updater File Deletion Elevation of Privilege
Summary: VUL-0: CVE-2016-2809: MozillaFirefox: Maintenance Service updater File Deleti...
Status: RESOLVED INVALID
Alias: CVE-2016-2809
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: All All
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on: 977333
Blocks:
  Show dependency treegraph
 
Reported: 2016-04-27 08:36 UTC by Andreas Stieger
Modified: 2020-04-09 12:05 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2016-04-27 08:36:22 UTC 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-40/

Security researcher Holger Fuhrmannek reported an issue where the Mozilla Maintenance Service updater on Windows can delete arbitrary files because of its privileged system access. This file deletion can then potentially be used for further privilege escalation. This flaw requires users to execute a locally saved file in order for it to be triggered.

Maintenance Service updater File Deletion Elevation of Privilege (CVE-2016-2809)
https://bugzilla.mozilla.org/show_bug.cgi?id=1212939
Comment 1 Andreas Stieger 2016-04-27 08:38:44 UTC 
This issue does not affect non-Windows operating systems.
Comment 2 Bernhard Wiedemann 2016-04-30 08:00:44 UTC 
This is an autogenerated message for OBS integration:
This bug (977377) was mentioned in
https://build.opensuse.org/request/show/392977 Factory / MozillaFirefox
https://build.opensuse.org/request/show/392978 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/392979 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/392980 13.1 / MozillaFirefox
Comment 3 Bernhard Wiedemann 2016-05-04 06:00:32 UTC 
This is an autogenerated message for OBS integration:
This bug (977377) was mentioned in
https://build.opensuse.org/request/show/393514 Factory / MozillaFirefox