Overview
Mozilla's Linux installers may not properly set file permissions on the installed program files. A local user may then be able to modify or replace these files with malicious versions.
Description
Some versions of Mozilla's Linux installer may create installation and program files with global read and write permissions. A local user may then be able to modify or replace these files with malicious versions.
Impact
A local user may modify files, or replace files with malicious versions.
Solution
This vulnerability is resolved in Firefox Preview Release, Mozilla 1.7.3, and Thunderbird 0.8.
As a workaround for older versions, modify the installed files' permissions using chmod.
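One way to apply the chmod workaround, shown as an added example that is not part of the original advisory: it lists the entries under an install directory that any local user can write to, then clears only that permission bit. The function names and the sample tree are constructed for illustration; for a real installation, pass the directory the installer wrote to.

```shell
#!/bin/sh
# Added example: audit and repair world-writable files under an install tree.
# The install directory is supplied by the caller; no Mozilla path is assumed.

# Print every regular file or directory under $1 that "other" can write to.
# Symlinks are skipped: their mode bits are not meaningful, and chmod would
# follow them to a target that may lie outside the tree.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Clear the other-write bit on everything list_world_writable would report.
# Only o-w is removed; read/execute bits and ownership stay as installed.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Return 0 when the tree is clean, 1 when world-writable entries remain.
tree_is_clean() {
    [ -z "$(list_world_writable "$1")" ]
}

# Build a constructed sample tree imitating the faulty installer's output.
# File names here are made up for the demonstration.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/components"
    : > "$d/app-bin"; : > "$d/components/libsample.so"; : > "$d/README"
    chmod 777 "$d/components"
    chmod 666 "$d/app-bin" "$d/components/libsample.so"
    chmod 644 "$d/README"
    printf '%s\n' "$d"
}

# Demo on the sample tree; for a real install, pass its directory instead.
demo() {
    tree=$(make_sample_tree) || return 1
    echo "before:"; list_world_writable "$tree"
    fix_world_writable "$tree"
    tree_is_clean "$tree" && echo "after: no world-writable entries"
    rm -rf "$tree"
}

demo
```

Because a world-writable file may already have been altered before the permissions are corrected, compare the installed files against a known-good copy if other local users had access in the meantime.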
References
- http://bugzilla.mozilla.org/show_bug.cgi?id=231083
- http://bugzilla.mozilla.org/show_bug.cgi?id=235781
- http://www.mozilla.org/projects/security/known-vulnerabilities.html
- http://secunia.com/advisories/12526/
- http://www.securitytracker.com/alerts/2004/Sep/1011317.html
- http://www.securitytracker.com/alerts/2004/Sep/1011318.html
Acknowledgements
Thanks to Daniel Koukola for reporting this vulnerability.
This document was written by Jason A Rafail.
Other Information
| CVE IDs: | None | 
| Severity Metric: | 10.55 | 
| Date Public: | 2004-09-14 | 
| Date First Published: | 2004-09-17 | 
| Date Last Updated: | 2004-09-17 18:02 UTC | 
| Document Revision: | 11 |