Security bod Stefan Kanthak is asking Mozilla to quit using Windows self-extracting installs.
Last week, Kanthak posted to Full Disclosure that Mozilla's SETUP.EXE package has a long-standing bug that allows privilege escalation for local users.
“SETUP.EXE loads SHFOLDER.DLL ['] from a temporary (sub)directory "%TEMP%\7zS<hex>.tmp\" created during self-extraction of the full setup packages”, he writes – and that opens up the install to DLL substitution.
That's most particularly an issue in the corporate environment, since it would get users past the privileges set by sysadmins.
The problem Kanthak describes is simple: self-extracting archives (not just from Mozilla) are subject to an ancient exploit in the DLL search order. The attacker can load a rogue DLL instead of what the installer expects.
The DLL in Mozilla's install that offends Kanthak is SHFOLDER.DLL, which he describes as “cruft from the last millennium, it was used on Windows 9x without Internet Explorer 4”.
From there, privilege escalation – and therefore access to files and settings that are meant to be blocked from the user – is easy, he says.
Of course, the more savvy sysadmin knows not to let Windows machines detect and auto-run installers, and as an extra precaution, Kanthak reminds everyone to turn off code execution in all ”%TEMP%” directories and their subdirectories. ®