Mozilla has issued a security patch to mitigate a critical privilege escalation vulnerability discovered in the Mozilla Maintenance Service. The Mozilla Maintenance Service is an additional Firefox and Thunderbird service that allows for background program upgrades.
Firefox clients will no longer have to click ‘Yes’ in the Windows User Account Control (UAC) window before updating their web browser or email client. With the release of Firefox 97 today, Mozilla addressed the privilege escalation security vulnerability identified as CVE-2022-22753.
On unpatched systems, successful exploitation can let hackers elevate their privileges to NT AUTHORITY\SYSTEM account permissions. “The Maintenance (Updater) Service had a Time-of-Check Time-of-Use flaw that could be exploited to give Users write access to any directory. This may have been used to get access to the SYSTEM,” Mozilla explained. “Only Firefox on Windows is affected by this problem. The performance of other operating systems is unaffected.”
Firefox 97 also fixes various memory safety problems discovered by Mozilla developers and the community in Firefox 96 and Firefox ESR 91.5, according to Mozilla. “We believe that some of these flaws might have been exploited to run arbitrary code with enough effort,” Mozilla added.
Today’s update also includes bug fixes and additional features, such as support for Windows 11’s new type of scrollbars and enhancements to macOS system font loading, which makes opening and switching to new tabs faster. Support for directly creating PostScript for printing on Linux has been removed in Firefox 97, while printing to PostScript printers remains a supported option.
Mozilla also patched a memory corruption flaw in its cross-platform Network Security Services (NSS) cryptographic libraries in December. Exploitation could result in a heap-based buffer overflow on systems running vulnerable Firefox versions, with the consequences ranging from program crashes to arbitrary code execution to bypassing security software if code execution is attained. At the time, Mozilla indicated that all PDF viewers and email clients that use NSS versions released since October 2012 for signature verification were likely impacted.