Hi @ll,

Mozilla finally provides MSI installers for their just released Firefox 68
and Firefox 68 ESR for Windows:

<https://archive.mozilla.org/pub/firefox/releases/68.0/win32/de/Firefox%20Setup%2068.0.msi>
<https://archive.mozilla.org/pub/firefox/releases/68.0esr/win32/de/Firefox%20Setup%2068.0esr.msi>

These MSI installers are DEFECTIVE, VULNERABLE and a bluff: Mozilla just
wrapped their (UPX-compressed) 7-Zip self-extractors, which unpack the
final NSIS installer to %TEMP% and run it from there, thereby preserving
all of their already reported deficiencies and vulnerabilities; see
(among others)

<https://seclists.org/fulldisclosure/2018/Feb/58>
<https://seclists.org/fulldisclosure/2016/Jun/27>

Demonstration:
~~~~~~~~~~~~~~

In the user account created during Windows setup, add the NTFS ACE
"(D;OIIO;WP;;;WD)", meaning "deny execution of files for everybody,
inheritable to files in all subdirectories", to your %TEMP%\ directory,
then run the MSI installer.

As soon as the error dialog "7-Zip: (x) Access Denied!" is shown, peek
into %SystemRoot%\Installer\ and your %TEMP%\ directory:

- the most recent "%SystemRoot%\Installer\MSI<4 hex digits>.tmp" is the
  UPX-compressed 7-Zip self-extractor which is wrapped in the bogus MSI
  installer;

- this 7-Zip self-extractor is run (elevated!) with the following
  command line:

  MSI*.tmp /S /TaskbarShortcut=true /DesktopShortcut=true
           /StartMenuShortcut=true /MaintenanceService=true
           /RemoveDistribution=true /PreventRebootRequired=false
           /OptionalExtensions=true /LaunchedFromMSI

- it creates an UNPROTECTED subdirectory %TEMP%\7zS<8 hex digits>\ which
  inherits the NTFS ACL from its parent %TEMP%\, thus granting full
  access to the (unprivileged) user account, who can tamper with the
  extracted files in any way, then runs (here: tries to run) the
  extracted "%TEMP%\7zS<8 hex digits>\setup.exe" elevated.

stay tuned, and FAR away from Mozilla's crap!
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
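The demonstration from the post, scripted in PowerShell as an added example; this is neither Stefan Kanthak's nor Mozilla's code. It assumes the MSI has been downloaded to the user's Downloads folder (the $Msi path is an assumption, adjust it) and that it is run from an elevated PowerShell in the account created during Windows setup: adding the deny ACE to your own %TEMP% needs no elevation, but listing %SystemRoot%\Installer\ and reading the command line of the elevated MSI*.tmp process does. The ACE it adds is the .NET equivalent of the SDDL ACE "(D;OIIO;WP;;;WD)" (FILE_EXECUTE = 0x20 is what "WP" denotes in file SDDL). One caveat: while that ACE is in place, every installer that extracts to %TEMP% and runs from there fails the same way, so the script removes it again at the end.

```powershell
# Added example, not code from the original post. Run elevated in the
# account created during Windows setup. $Msi is an assumed location.
$Msi = "$env:USERPROFILE\Downloads\Firefox Setup 68.0.msi"

# 1. Deny execution of files for Everyone, inheritable to files in all
#    subdirectories of %TEMP%: the same ACE as SDDL "(D;OIIO;WP;;;WD)".
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'Everyone', 'ExecuteFile', 'ObjectInherit', 'InheritOnly', 'Deny'
$Acl = Get-Acl -Path $env:TEMP
$Acl.AddAccessRule($Rule)
Set-Acl -Path $env:TEMP -AclObject $Acl

# 2. Launch the MSI, then wait for the 7zS<8 hex digits> extraction
#    directory to show up in %TEMP% (the "Access Denied" dialog is up then).
$Proc = Start-Process -FilePath msiexec.exe -ArgumentList '/i', "`"$Msi`"" -PassThru
$Deadline = (Get-Date).AddMinutes(2)
$Found = $null
while (-not $Found -and (Get-Date) -lt $Deadline) {
    Start-Sleep -Milliseconds 500
    $Found = Get-ChildItem -Path $env:TEMP -Directory -Filter '7zS*' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}
if (-not $Found) { throw "No %TEMP%\7zS* directory appeared within 2 minutes." }

# 3. The wrapped self-extractor: the most recent MSI<4 hex digits>.tmp that
#    msiexec dropped into %SystemRoot%\Installer\ .
Get-ChildItem -Path "$env:SystemRoot\Installer" -Filter 'MSI*.tmp' -Force |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 -Property FullName, Length, LastWriteTime

# 4. Its command line (the /S ... /LaunchedFromMSI switches from the post).
Get-CimInstance -ClassName Win32_Process -Filter "Name LIKE 'MSI%.tmp'" |
    Select-Object -Property ProcessId, CommandLine

# 5. The unprotected extraction directory. Every ACE shown here is inherited
#    from %TEMP%, so the unprivileged user has full control over setup.exe
#    before the self-extractor runs it elevated.
Write-Host "Extraction directory: $($Found.FullName)"
(Get-Acl -Path $Found.FullName).Access |
    Format-Table -Property IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
Get-ChildItem -Path $Found.FullName -Force

# 6. Cleanup after dismissing the dialog: remove the deny ACE again so other
#    installers that extract to %TEMP% keep working.
$Acl = Get-Acl -Path $env:TEMP
$Acl.RemoveAccessRule($Rule) | Out-Null
Set-Acl -Path $env:TEMP -AclObject $Acl
```

The interesting output is step 5: if the ACL of %TEMP%\7zS<8 hex digits>\ lists the user (or Everyone) with FullControl and IsInherited = True, an unprivileged process running as that user can replace setup.exe in the window between extraction and the elevated launch. Step 4 is what ties the elevated process back to the wrapped self-extractor; if Win32_Process reports it under another name on your build, match on CommandLine containing "/LaunchedFromMSI" instead.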