Bug 977377 - (CVE-2016-2809) VUL-0: CVE-2016-2809: MozillaFirefox: Maintenance Service updater File Deletion Elevation of Privilege
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
All All
: P5 - None : Normal
Assigned To: Security Team bot
Depends on: 977333
Reported: 2016-04-27 08:36 UTC by Andreas Stieger
Modified: 2020-04-09 12:05 UTC

Found By: Security Response Team


Description Andreas Stieger 2016-04-27 08:36:22 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-40/

Security researcher Holger Fuhrmannek reported an issue where the Mozilla Maintenance Service updater on Windows can delete arbitrary files because of its privileged system access. This file deletion can then potentially be used for further privilege escalation. This flaw requires users to execute a locally saved file in order for it to be triggered.

Maintenance Service updater File Deletion Elevation of Privilege (CVE-2016-2809)
https://bugzilla.mozilla.org/show_bug.cgi?id=1212939
Comment 1 Andreas Stieger 2016-04-27 08:38:44 UTC
This issue does not affect non-Windows operating systems.
Comment 2 Bernhard Wiedemann 2016-04-30 08:00:44 UTC
This is an autogenerated message for OBS integration:
This bug (977377) was mentioned in
https://build.opensuse.org/request/show/392977 Factory / MozillaFirefox
https://build.opensuse.org/request/show/392978 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/392979 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/392980 13.1 / MozillaFirefox
Comment 3 Bernhard Wiedemann 2016-05-04 06:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (977377) was mentioned in
https://build.opensuse.org/request/show/393514 Factory / MozillaFirefox