CVE-2020-15663
First published: Tue Aug 25 2020(Updated: )
If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with administrative privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with system privileges.Note: This issue only affected Windows operating systems. Other operating systems are unaffected.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox ESR | <78.2 | 78.2 |
| Mozilla Thunderbird | <68.12 | 68.12 |
| Mozilla Firefox ESR | <68.12 | 68.12 |
| Mozilla Thunderbird | <78.2 | 78.2 |
| Mozilla Firefox | <80 | 80 |
| Mozilla Firefox | <80.0 | |
| Mozilla Firefox ESR | >=68.0<68.12 | |
| Mozilla Firefox ESR | >=78.0<78.2 | |
| Mozilla Thunderbird | >=68.0<68.12 | |
| Mozilla Thunderbird | >=78.0<78.2 | |
| Mozilla Firefox | >=78.0<78.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1643199
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-38/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-36/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-37/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-40/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-41/
- https://www.mozilla.org/security/advisories/mfsa2020-36/
- https://www.mozilla.org/security/advisories/mfsa2020-37/
- https://www.mozilla.org/security/advisories/mfsa2020-38/
- https://www.mozilla.org/security/advisories/mfsa2020-40/
- https://www.mozilla.org/security/advisories/mfsa2020-41/
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2020-15663?
CVE-2020-15663 is a vulnerability that allows the execution of updater.exe from a user-writable directory with system privileges on Mozilla Thunderbird and Firefox.
Which software versions are affected by CVE-2020-15663?
Mozilla Thunderbird versions up to and including 68.12, Mozilla Firefox versions up to and including 80, and Mozilla Firefox ESR versions up to and including 78.2 are affected by CVE-2020-15663.
What is the severity of CVE-2020-15663?
CVE-2020-15663 has a severity rating of 8.8 (critical).
How can I fix the CVE-2020-15663 vulnerability?
To fix the CVE-2020-15663 vulnerability, update Mozilla Thunderbird to version 68.12 or later, update Mozilla Firefox to version 80 or later, or update Mozilla Firefox ESR to version 78.2 or later.
Where can I find more information about CVE-2020-15663?
You can find more information about CVE-2020-15663 on the Mozilla Bugzilla page (https://bugzilla.mozilla.org/show_bug.cgi?id=1643199) and the Mozilla security advisories MFSA2020-40 (https://www.mozilla.org/en-US/security/advisories/mfsa2020-40/) and MFSA2020-41 (https://www.mozilla.org/en-US/security/advisories/mfsa2020-41/).
- collector/mozilla-advisory
- agent/type
- agent/first-publish-date
- agent/references
- agent/severity
- agent/weakness
- source/Mozilla
- agent/software-canonical-lookup
- agent/description
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/event
- agent/softwarecombine
- agent/trending
- agent/tags
- agent/source
- vendor/mozilla
- canonical/mozilla firefox esr
- canonical/mozilla thunderbird
- canonical/mozilla firefox
- version/mozilla firefox esr/68.0
- version/mozilla firefox esr/78.0
- version/mozilla thunderbird/68.0
- version/mozilla thunderbird/78.0
- version/mozilla firefox/78.0