CVE-2017-7760

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Mozilla Windows updater modifies some files to be updated by reading the original file and applying changes to it. The location of the original file can be altered by a malicious user by passing a special path to the callback parameter through the Mozilla Maintenance Service, allowing the manipulation of files in the installation directory and privilege escalation by manipulating the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.

El actualizador de Mozilla para Windows modifica algunos archivos para que sean actualizados mediante la lectura del archivo original y aplicándole los cambios. La ubicación del archivo original puede ser alterada por un usuario malicioso pasando una ruta especial al parámetro callback a través de Mozilla Maintenance Service, lo que permite la manipulación de archivos en el directorio de instalación y un escalado de privilegios manipulando Mozilla Maintenance Service, el cual tiene acceso privilegiado. Nota: Este ataque requiere acceso local al sistema y solo afecta a Windows. Otros sistemas operativos no se han visto afectados. La vulnerabilidad afecta a Firefox ESR en versiones anteriores a la 52.2 y Firefox en versiones anteriores a la 54.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-12 CVE Reserved
2018-06-11 CVE Published
2023-06-05 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-417: Communication Channel Errors

CAPEC

References (5)

URL	Tag	Source
http://www.securityfocus.com/bid/99057	Third Party Advisory
http://www.securitytracker.com/id/1038689	Third Party Advisory

URL	Date	SRC
https://bugzilla.mozilla.org/show_bug.cgi?id=1348645	2024-08-05

URL	Date	SRC

URL	Date	SRC
https://www.mozilla.org/security/advisories/mfsa2017-15	2018-08-14
https://www.mozilla.org/security/advisories/mfsa2017-16	2018-08-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mozilla Search vendor "Mozilla"	Firefox Search vendor "Mozilla" for product "Firefox"	< 54.0 Search vendor "Mozilla" for product "Firefox" and version " < 54.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	< 52.2.0 Search vendor "Mozilla" for product "Firefox Esr" and version " < 52.2.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe