CVE-2020-15663: Critical severity firefox esr vulnerability
If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with administrative privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with system privileges.Note: This issue only affected Windows operating systems. Other operating systems are unaffected.
Other sources
If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with System Privileges. Note: This issue only affected Windows operating systems. Other operating systems are unaffected.. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, and Firefox ESR < 78.2.
If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with System Privileges.Note: This issue only affected Windows operating systems. Other operating systems are unaffected.
If Thunderbird is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with System Privileges.Note: This issue only affected Windows operating systems. Other operating systems are unaffected.
— Mozilla
Affected Software
Event History
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
Frequently Asked Questions
What is CVE-2020-15663?
CVE-2020-15663 is a vulnerability that allows the execution of updater.exe from a user-writable directory with system privileges on Mozilla Thunderbird and Firefox.
Which software versions are affected by CVE-2020-15663?
Mozilla Thunderbird versions up to and including 68.12, Mozilla Firefox versions up to and including 80, and Mozilla Firefox ESR versions up to and including 78.2 are affected by CVE-2020-15663.
What is the severity of CVE-2020-15663?
CVE-2020-15663 has a severity rating of 8.8 (critical).
How can I fix the CVE-2020-15663 vulnerability?
To fix the CVE-2020-15663 vulnerability, update Mozilla Thunderbird to version 68.12 or later, update Mozilla Firefox to version 80 or later, or update Mozilla Firefox ESR to version 78.2 or later.
Where can I find more information about CVE-2020-15663?
You can find more information about CVE-2020-15663 on the Mozilla Bugzilla page (https://bugzilla.mozilla.org/show_bug.cgi?id=1643199) and the Mozilla security advisories MFSA2020-40 (https://www.mozilla.org/en-US/security/advisories/mfsa2020-40/) and MFSA2020-41 (https://www.mozilla.org/en-US/security/advisories/mfsa2020-41/).