Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:43:33

[Original] Mozilla Firefox before 1.0 is installed with world-writable permissions on Mac OS X, which allows local users to gain privileges.

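[CNNVD] Mozilla Firefox Insecure Default Installation Vulnerability (CNNVD-200412-856)

        Mozilla Firefox versions before 1.0 on the Mac OS X platform are installed with world-writable permissions; local users can exploit this vulnerability to escalate privileges.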

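- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system shutdown]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]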

- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(PATCH)  XF  mozilla-firefox-gain-privileges(18017)
(PATCH)  BID  11644
(PATCH)  OSVDB  11592

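- Vulnerability Information

Mozilla Firefox Insecure Default Installation Vulnerability
High risk  Design error
2004-12-31 00:00:00 2005-10-20 00:00:00
        Mozilla Firefox versions before 1.0 on the Mac OS X platform are installed with world-writable permissions; local users can exploit this vulnerability to escalate privileges.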

- Advisories and Patches

        The vendor has released an upgrade dealing with this issue.
        Gentoo has released an advisory GLSA 200501-03 to address various issues in multiple browsers offered by Mozilla. Gentoo users may carry out the following commands to update their computers:
        Mozilla users:
        emerge --sync
        emerge --ask --oneshot --verbose ">=net-www/mozilla-1.7.5"
        Mozilla binary users:
        emerge --sync
        emerge --ask --oneshot --verbose ">=net-www/mozilla-bin-1.7.5"
        Firefox users:
        emerge --sync
        emerge --ask --oneshot --verbose ">=net-www/mozilla-firefox-1.0"
        Firefox binary users:
        emerge --sync
        emerge --ask --oneshot --verbose ">=net-www/mozilla-firefox-bin-1.0"
        Thunderbird users:
        # emerge --sync
        # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-0.9"
        # emerge --sync
        # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-0.9"
        Please see the referenced advisory for more information.
        Mozilla Firefox 0.10
        Mozilla Firefox 0.10.1
        Mozilla Firefox 0.8
        Mozilla Firefox 0.9
        Mozilla Firefox 0.9.1
        Mozilla Firefox 0.9.2
        Mozilla Firefox 0.9.3

- Vulnerability Information

Mozilla Firefox for MacOS Weak Permission Privilege Escalation
Local Access Required Attack Type Unknown
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability Description

Firefox contains a flaw related to the installation on Mac OS. The issue is due to the program installing with world-writable permissions which may allow a local user to gain escalated privileges.

- Timeline

2004-11-10 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.0 Preview Release or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author