Mozilla patches a vulnerability in Firefox that helps hackers gain admin rights of Windows

This vulnerability resides in the Mozilla Maintenance Service, so if successfully exploited, hackers can gain admin rights of the system.

Mozilla Maintenance Service is an optional service of Firefox and Thunderbird that keeps application updates running in the background. It provides Firefox users with a seamless update experience, without the need to click the "Yes" option in Windows User Account Control (UAC) before updating their web browser or email client.

Mozilla has patched the privilege escalation vulnerability tracked under code CVE-2022-22753 in the just released Fifefox 97 update.

When successfully exploiting CVE-2022-22753 on unpatched computers, hackers can take over NT AUTHORITYSYSTEM, the highest control on Windows systems.

"A Time-of-Check Time-of-Use bug exists in the Mozilla Maintenance Service that can be abused to give users write permission to an arbitrary directory. This can be used to elevate access permissions. SYSTEM level," Mozilla shared. "This bug only affects Firefox on Windows. Other operating systems are not affected."

Mozilla also adds that Firefox 97 has resolved many of the memory-safe bugs found by the Mozilla community and developers in Firefox 96 and Firefox ESR 91.5.

Firefox 97 adds some new features and improvements

Besides bug fixes, the new Firefox update also brings a number of new features and improvements. The first is the new style scrollbars on Windows 11 and the next is an improvement in loading system fonts on macOS that makes opening and switching new tabs faster.

David Pac

Update 09 February 2022