Hi @ll,

back in 2015 and 2016, I disclosed several BLOODY beginner's errors
alias epic failures in Mozilla's PERMANENTLY vulnerable executable
installers for Windows, built by completely incompetent tinkerers:

* Defense in depth -- the Mozilla way: return and exit codes are
  dispensable alias and

* Arbitrary code execution resp. escalation of privilege with
  Mozilla's SETUP.EXE alias and

* Mozilla doesn't care for upstream security fixes, and doesn't
  bother to send own security fixes upstream alias and

* [CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's
  executable installers alias

The Register picked it up:

In the meantime more than 5 years have passed, but Mozilla still has
ABSOLUTELY no clue and continues to put its poor unsuspecting victims
at risk.

JFTR: the well-known weaknesses demonstrated below are classified as
      - CWE-377: Insecure Temporary File
      - CWE-379: Creation of Temporary File in Directory with
                 Incorrect Permissions


Proof
~~~~~

0. Log on to a current installation of Windows 10 20H* under the user
   account created during Windows setup.

1. Download the (executable) online or offline installers for Mozilla
   Firefox ( or ) and the (executable) offline installer for Mozilla
   Thunderbird (), then save them in your "Downloads" directory.

2. Start Windows Explorer, open the "Downloads" directory, then
   right-click the downloaded installers to open their context menu
   and click "Properties".
   Switch to the "Digital Signatures" tab of the "Properties" dialog
   box and notice the SHA-1 only signature:

   OUCH!

   Mozilla, please quit your CA/B forum membership, NOW and forever!

   JFTR: Windows 8[.1] (released 2012) and Windows 10 (released 2015)
         support SHA-2 signatures out-of-the-box.
         Even Windows 7, which went out of extended support in
         January 2020, supports SHA-2 signatures since October 14,
         2014, when update was published and distributed via
         Windows Update.
         Microsoft deprecated and abandoned SHA-1 only certificates
         and signatures in 2019, after announcing this step back in
         2013!

3. Start a command prompt in the "Downloads" directory and run the
   following command line to show the version string of the program
   used to build the executable installers from their application
   manifest:

   FINDSTR.exe /C:"" /E "Firefox Installer.exe" "Firefox*Setup*.exe" "Thunderbird*Setup*.exe"

   | Firefox Installer.exe:7-Zip Self-extracting Archive v18.05
   | Firefox Setup ....exe:7-Zip Self-extracting Archive v18.05
   | Thunderbird Setup ....exe:7-Zip Self-extracting Archive v18.05

   OUCH: Mozilla builds their executable installers with the
         superseded, unsupported and possibly^Wdefinitely vulnerable
         version 18.05 of 7-Zip, released April 30, 2018.
         The current version 19.00 of 7-Zip was released February 21,
         2019, more than 2 years ago.

   As already reported in 2016, Mozilla's tinkerers don't care for
   upstream fixes!

4. Run the following (block of) command lines to modify the NTFS ACL
   of your "Temp" directory to deny execution of files beyond it,
   change its path temporarily and execute the self-extractors:

   ICACLS.exe "%TMP%" /Deny *S-1-1-0:(IO)(OI)(X)
   FOR %? IN ("Firefox Installer.exe" "Firefox*Setup*.exe") DO @"%~f?"
   SET TMP=NUL:
   FOR %? IN ("Thunderbird*Setup*.exe") DO @"%~f?"
   SET TMP=%TEMP%

   Admire the 2 error message boxes (but DON'T close them yet):

   | 7-Zip                          [X]
   |
   | (X) Access is denied.
   |
   |                          [ OK ]

   | 7-Zip                                              [X]
   |
   | (X) The system cannot find the file specified.
   |
   |                                              [ OK ]

   OUCH: access is denied where, and which file cannot be found?

5. Run the following (block of) command lines to list the files and
   directories extracted to your "Temp" directory as well as their
   owner and permissions:

   FOR /D %? IN ("%TMP%\7zS*") DO @(
   DIR "%?" /A /Q
   ICACLS.EXE "%?"
   ICACLS.EXE "%?\setup*.exe")

   | Directory of C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1
   |
   | 03/05/2021 6:13 PM AMNESIAC\Stefan .
   ...
   | 02/22/2021 5:15 PM AMNESIAC\Stefan 476.472 setup-stub.exe
   ...
   | C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1 Everyone:(I)(OI)(IO)(DENY)(S,X)
   |                                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
   |                                                BUILTIN\Administrators:(I)(OI)(CI)(F)
   |                                                AMNESIAC\Stefan:(I)(OI)(CI)(F)
   |
   | Successfully processed 1 files; Failed processing 0 files
   |
   | C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1\setup-stub.exe Everyone:(I)(OI)(IO)(DENY)(S,X)
   |                                                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
   |                                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
   |                                                               AMNESIAC\Stefan:(I)(OI)(CI)(F)
   |
   | Successfully processed 1 files; Failed processing 0 files

   OUCH: the 7-Zip self-extractor fails to create directories and
         extracted files with proper permissions, allowing either the
         "denial of service" demonstrated here or the "escalation of
         privilege" already shown in 2015.

   OUCH: the 7-Zip self-extractor fails to check that extraction of
         its payload succeeds, there's only one subdirectory 7zS*
         present in %TEMP%, another "denial of service".

   Did I already state that 7-Zip is VULNERABLE crap, written by an
   incompetent kid that doesn't know the 101 of computer programming?

   Mozilla, abandon to use such CRAP!

6. Run the following (block of) command lines to copy the extracted
   setup*.exe to your "Downloads" directory, determine its version
   from the embedded application manifest, and execute it:

   FOR /D %? IN ("%TMP%\7zS*") DO @COPY "%?\setup*.exe"
   FINDSTR.exe /C:"Nullsoft Install System v3.01[...]

   OUCH: the payload of the VULNERABLE 7-Zip self-extractor is built
         with the superseded, unsupported and possibly^Wdefinitely
         vulnerable version 3.01 of the Nullsoft Install System,
         released December 11, 2016; its current version is but
         3.06.1, released July 31, 2020!

   Hey, you kids at Mozilla, are you sure that nobody fixes bugs and
   vulnerabilities in the course of 60 months and at least 5 releases!

7. Close the 2 open error message boxes from 7-Zip, then admire the
   error message box displayed from setup.exe or setup-stub.exe (but
   DON'T close it yet):

   | Setup                                                    [X]
   |
   | Sorry, Firefox can't be installed. This version of
   | Firefox requires Microsoft Windows 7 or newer.
   | Please click the OK button for additional information.
   |
   |                                      [ OK ] [ Cancel ]

   OUCH: VERY FUNNY, setup*.exe is actually running on Windows 10!

   Did I already state that NSIS too is VULNERABLE crap, written by
   an incompetent kid that doesn't know the 101 of computer
   programming?

   Hey Mozilla, abandon to use such CRAP!

8. Run the following (block of) command lines to determine the cause
   for the bogus error message:

   FOR /D %? IN ("%TMP%\ns*.tmp") DO @(
   DIR "%?" /A /Q
   ICACLS.exe "%?" /T)

   | Directory of C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp
   |
   | 03/05/2021 6:15 PM AMNESIAC\Stefan .
   ...
   | 03/05/2021 6:15 PM AMNESIAC\Stefan 11.776 System.dll
   ...
   | C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp Everyone:(I)(OI)(IO)(DENY)(S,X)
   |                                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
   |                                                BUILTIN\Administrators:(I)(OI)(CI)(F)
   |                                                AMNESIAC\Stefan:(I)(OI)(CI)(F)
   |
   | C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp\System.dll Everyone:(I)(DENY)(S,X)
   |                                                           NT AUTHORITY\SYSTEM:(I)(F)
   |                                                           BUILTIN\Administrators:(I)(F)
   |                                                           AMNESIAC\Stefan:(I)(F)
   |
   | Successfully processed 2 files; Failed processing 0 files

   Ouch: NSIS too uses the "Temp" directory to create a subdirectory
         and extract executable files it tries to load later, but
         fails to create them with proper permissions!

9. Finally close the bogus error message box and run the following
   command line to remove the NTFS ACE added in step 4:

   ICACLS.exe "%TMP%" /Remove:d *S-1-1-0


stay tuned, and far away from executable installers as well as crap
from Mozilla, NSIS and 7-Zip
Stefan Kanthak
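
The ICACLS listings in steps 5 and 8 can be checked mechanically. The following Python code is an added example, not part of the original post: it parses ICACLS output and reports, per object, whether every ACE is inherited (the object got no DACL of its own) and whether an execute deny applies to the object itself or is only passed on to its children. The C:\Example\private entry and all function names are constructed for illustration; the other ACLs are the ones shown in step 8.

```python
import re
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(text):
    """Map each path in ICACLS output to [(principal, [flag, ...]), ...]."""
    objects, block = {}, []
    for line in text.splitlines() + [""]:
        if line.strip() and not line.startswith("Successfully processed"):
            block.append(line.rstrip())
            continue
        if block:
            if len(block) > 1:  # continuation lines align under the first principal
                col = len(block[1]) - len(block[1].lstrip())
            else:  # single ACE: split at the last space (wrong for "NT AUTHORITY\...")
                col = block[0].rindex(" ", 0, block[0].index(":(")) + 1
            aces = []
            for raw in [block[0][col:]] + block[1:]:
                m = ACE.match(raw.strip())
                if m:
                    aces.append((m["who"], re.findall(r"\(([^)]*)\)", m["flags"])))
            objects[block[0][:col].rstrip()] = aces
            block = []
    return objects

def audit(objects):
    """Per path: is the DACL inherited-only, and is execute denied here or passed down?"""
    report = {}
    for path, aces in objects.items():
        notes = []
        if aces and all("I" in flags for _, flags in aces):
            notes.append("inherited-only DACL")
        for who, flags in aces:
            if "DENY" in flags and "X" in flags[-1].split(","):
                scope = "passed to children" if "IO" in flags else "effective here"
                notes.append(f"execute deny for {who}: {scope}")
        report[path] = notes
    return report

def _fmt(path, aces):  # lay out ACEs the way ICACLS prints them
    return path + " " + ("\n" + " " * (len(path) + 1)).join(aces) + "\n\n"

# ACLs from step 8 above, plus a constructed directory with explicit ACEs for contrast.
TMPDIR = r"C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp"
WHO = [r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators", r"AMNESIAC\Stefan"]
SAMPLE = (_fmt(TMPDIR, ["Everyone:(I)(OI)(IO)(DENY)(S,X)"] + [w + ":(I)(OI)(CI)(F)" for w in WHO])
          + _fmt(TMPDIR + r"\System.dll", ["Everyone:(I)(DENY)(S,X)"] + [w + ":(I)(F)" for w in WHO])
          + _fmt(r"C:\Example\private", [w + ":(OI)(CI)(F)" for w in WHO[::2]])
          + "Successfully processed 3 files; Failed processing 0 files\n")
for path, notes in audit(parse_icacls(SAMPLE)).items():
    print(path, "->", notes or ["explicit DACL, no execute deny"])
```

To audit a live system, feed parse_icacls() the captured text of the ICACLS command lines from steps 5 and 8 instead of SAMPLE.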