Privilege escalation through Mozilla Updater — Mozilla
Mozilla Foundation Security Advisory 2013-34
Privilege escalation through Mozilla Updater
Announced: April 2, 2013
Reporter: Ash
Impact: High
Products: Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in: Firefox 20, Firefox ESR 17.0.5, SeaMonkey 2.17, Thunderbird 17.0.5, Thunderbird ESR 17.0.5
Description
Security researcher Ash reported an issue with the Mozilla
Updater. The Mozilla Updater can be made to load a malicious local DLL file in a
privileged context through either the Mozilla Maintenance Service or
independently on systems that do not use the service. This occurs when the DLL
file is placed in a specific location on the local system before the Mozilla
Updater is run. Local file system access is necessary in order for this issue to
be exploitable.