Vulnerability Note VU#653160

Mozilla Linux installer does not properly set file permissions

Overview

Mozilla's Linux installers may not properly set file permissions on the installed program files. A local user may then be able to modify or replace these files with malicious versions.

I. Description

Some versions of Mozilla's Linux installer may create installation and program files with global read and write permissions. A local user may then be able to modify or replace these files with malicious versions.

II. Impact

A local user may modify files, or replace files with malicious versions.

III. Solution

This vulnerability is resolved in Firefox Preview Release, Mozilla 1.7.3, and Thunderbird 0.8.

As a workaround for older versions, modify the installed files permissions using chmod.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Mozilla	Vulnerable	17-Sep-2004

References

http://bugzilla.mozilla.org/show_bug.cgi?id=231083
http://bugzilla.mozilla.org/show_bug.cgi?id=235781
http://www.mozilla.org/projects/security/known-vulnerabilities.html
http://secunia.com/advisories/12526/
http://www.securitytracker.com/alerts/2004/Sep/1011317.html
http://www.securitytracker.com/alerts/2004/Sep/1011318.html

Credit

Thanks to Daniel Koukola for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

Date Public:	2004-09-14
Date First Published:	2004-09-17
Date Last Updated:	2004-09-17
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	10.55
Document Revision:	10

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader