Date: Wed, 10 Jul 2013 20:59:10 +0200 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: <oss-security@...ts.openwall.com> Subject: CVE request for Mozilla Thunderbird (Windows) The installer of Mozilla Thunderbird writes the following command line with unquoted spaces for uninstallation into the Windows registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 17.0.5 (x86 en-US)] "UninstallString"="C:\\Program Files\\Mozilla Thunderbird\\uninstall\\helper.exe" See <https://bugzilla.mozilla.org/show_bug.cgi?id=871084>, <https://bugzilla.mozilla.org/show_bug.cgi?id=786407> and <https://bugzilla.mozilla.org/show_bug.cgi?id=868746> Due to a well-known and well-documented idiosyncrasy of Windows' CreateProcess() API this can result in the execution of a rogue program "C:\Program.exe" or "C:\Program Files\Mozilla.exe" with the privileges of the caller. Since the caller of this command line typically has administrative rights this vulnerability can lead to a privilege escalation. Affected versions: all current releases. Fixed version: ? Stefan Kanthak
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.