CVE-2019-11753
First published: Tue Sep 03 2019(Updated: )
The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service is manipulated to update this unprotected location and the updated maintenance service in the unprotected location has been altered, the altered maintenance service can run with elevated privileges during the update process due to a lack of integrity checks. This allows for privilege escalation if the executable has been replaced locally. <br>*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.*. This vulnerability affects Firefox < 69, Firefox ESR < 60.9, and Firefox ESR < 68.1.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox ESR | <68.1 | 68.1 |
| Mozilla Firefox | <69.0 | |
| Mozilla Firefox ESR | <60.9.0 | |
| Mozilla Firefox ESR | >=68.0<68.1.0 | |
| Microsoft Windows | ||
| <60.9 | 60.9 | |
| <68.1 | 68.1 | |
| Mozilla Firefox | <69 | 69 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1574980
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html
- https://www.mozilla.org/security/advisories/mfsa2019-25/
- https://www.mozilla.org/security/advisories/mfsa2019-26/
- https://www.mozilla.org/security/advisories/mfsa2019-27/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11750
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2019-11753.
What is the severity of CVE-2019-11753?
The severity of CVE-2019-11753 is high.
Which software are affected by CVE-2019-11753?
CVE-2019-11753 affects Mozilla Firefox ESR versions 68.1 and 60.9, as well as Mozilla Firefox version up to 69.
How does CVE-2019-11753 leave Firefox vulnerable?
CVE-2019-11753 allows the Firefox installer to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware.
Is there a fix available for CVE-2019-11753?
Yes, Mozilla has released updates to address the vulnerability. It is recommended to update to the latest version of Mozilla Firefox or Mozilla Firefox ESR.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/mozilla-advisory
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- source/Mozilla
- agent/references
- agent/last-modified-date
- agent/tags
- agent/event
- agent/software-canonical-lookup
- vendor/mozilla
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- version/mozilla firefox esr/68.0
- vendor/microsoft
- canonical/microsoft windows