Vulnerability Description
An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 52.2.0 |
| Microsoft | Windows | - |
References
- http://www.securityfocus.com/bid/99057Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1038689Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1342742Issue TrackingVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-15/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-16/Vendor Advisory
- http://www.securityfocus.com/bid/99057Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1038689Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1342742Issue TrackingVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-15/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-16/Vendor Advisory
FAQ
What is CVE-2017-7766?
CVE-2017-7766 is a vulnerability with a CVSS score of 7.8 (HIGH). An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and ...
How severe is CVE-2017-7766?
CVE-2017-7766 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7766?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Microsoft Windows.