CVE-2017-7768: Infoleak
First published: Tue Jun 13 2017(Updated: )
The Mozilla Maintenance Service can be invoked by an unprivileged user to read 32 bytes of any arbitrary file on the local system by convincing the service that it is reading a status file provided by the Mozilla Windows Updater. The Mozilla Maintenance Service executes with privileged access, bypassing system protections against unprivileged users. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <54.0 | |
| Firefox ESR | <52.2.0 | |
| Microsoft Windows | ||
| Firefox | <54 | 54 |
| Firefox ESR | <52.2 | 52.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/99057
- https://www.mozilla.org/security/advisories/mfsa2017-15/
- http://www.securitytracker.com/id/1038689
- https://bugzilla.mozilla.org/show_bug.cgi?id=1336979
- https://www.mozilla.org/security/advisories/mfsa2017-16/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2017-5472
- CVE-2017-7749
- CVE-2017-7750
- CVE-2017-7751
- CVE-2017-7752
- CVE-2017-7754
- CVE-2017-7755
- CVE-2017-7756
- CVE-2017-7757
- CVE-2017-7778
- CVE-2017-7758
- CVE-2017-7759
- CVE-2017-7760
- CVE-2017-7761
- CVE-2017-7762
- CVE-2017-7763
- CVE-2017-7764
- CVE-2017-7765
- CVE-2017-7766
- CVE-2017-7767
- CVE-2017-7768
- CVE-2017-7770
- CVE-2017-5471
- CVE-2017-5470
Frequently Asked Questions
What is the severity of CVE-2017-7768?
The severity of CVE-2017-7768 is considered to be moderate as it allows an unprivileged user to read arbitrary files on the system.
How do I fix CVE-2017-7768?
To fix CVE-2017-7768, upgrade Firefox to version 54 or later or Firefox ESR to version 52.2.0 or later.
What products are affected by CVE-2017-7768?
The affected products include Mozilla Firefox versions up to 54 and Mozilla Firefox ESR versions up to 52.2.
Can CVE-2017-7768 be exploited remotely?
No, CVE-2017-7768 requires local access to the system to exploit the vulnerability.
What permissions are necessary to exploit CVE-2017-7768?
Exploitation of CVE-2017-7768 requires only unprivileged user access to the local system.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/references
- vendor/mozilla
- canonical/firefox
- canonical/firefox esr
- vendor/microsoft
- canonical/microsoft windows