Vulnerability Description
The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 52.2.0 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/99057Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1038689Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1336964Issue TrackingVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-15/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-16/Vendor Advisory
- http://www.securityfocus.com/bid/99057Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1038689Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1336964Issue TrackingVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-15/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-16/Vendor Advisory
FAQ
What is CVE-2017-7767?
CVE-2017-7767 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileg...
How severe is CVE-2017-7767?
CVE-2017-7767 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7767?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Microsoft Windows.