In early 2022, Mozilla fixed a critical security vulnerability — CVE-2022-22753 — that let crafty attackers exploit a Time-of-Check Time-of-Use (TOCTOU) bug in the Firefox Maintenance Service for Windows. This flaw opened the door to privilege escalation: a user with limited permissions could potentially gain powerful SYSTEM access, giving them the highest privileges on a Windows machine.
Let’s unpack how this bug worked, how it could be exploited, and what you need to know to stay safe.
What Is a TOCTOU Bug?
"Time-of-Check Time-of-Use" (TOCTOU) bugs are sneaky. They happen when a program checks to see if something is safe (like, "Can I write here? Is this file OK?") and then later, before acting, the conditions change. Malware or attackers can race to change things in that small window, tricking the program.
Think of it like checking if a door is locked, turning away for a second, and then trying to walk through — someone might have unlocked it in that split second.
How The CVE-2022-22753 Exploit Worked
Firefox on Windows (versions before 97) ships with a "Maintenance Service." This service usually updates Firefox without popping up annoying User Account Control (UAC) prompts, because it runs as SYSTEM. So, if this service can be tricked into writing to *any* directory, an attacker can use it to plant files with SYSTEM ownership anywhere.
The Bug:
When updating Firefox, the Maintenance Service would check if a regular user had permission to write to certain directories. But between the “check” and actual “use,” an attacker could change what the directory points to, like with a junction or symlink, redirecting the write to any location, not just their own folders.
Result:
Boom – a low-privileged user can trick the service into writing privileged files, replacing critical system files or placing malicious executables, escalating straight to SYSTEM access.
Example Exploit Scenario (Pseudo-code)
Here's a simplified walk-through of how an attacker could abuse this bug using directory junctions (a sort of Windows "symlink" for directories):
import os
import time
import subprocess
victim_dir = r'C:\Users\Attacker\AppData\Local\Temp\FirefoxUpdate'
target_dir = r'C:\Windows\System32\drivers'
# Step 1: Create the directory where the updater will look
os.makedirs(victim_dir, exist_ok=True)
# Step 2: Start the update, let the maintenance service check permissions
# (This is the tricky timing step: you'd trigger the update and race.)
# Step 3: Replace the directory with a junction after the check, before the use
# Requires admin or SeCreateSymbolicLinkPrivilege, or use other tricks.
subprocess.call(['cmd', '/c', f'rmdir "{victim_dir}"'])
subprocess.call(['cmd', '/c', f'mklink /J "{victim_dir}" "{target_dir}"'])
# Step 4: Malicious payload gets written to system directory as SYSTEM
# The attacker supplies a malicious DLL, .exe, or other payload.
Note: In practice, the timing here is difficult. Attackers use various racing and monitoring techniques to hit the window between permission check and use.
Firefox ESR: Versions before 91.6
Only the Windows versions are affected — Mac and Linux are safe from this one.
Real-World Impact
With a working exploit, a local user (say, someone with a standard account), could write files to protected system directories. From there, it's just a hop to becoming SYSTEM. For example:
Hijacking service binaries
Any of these could lead to complete system takeover.
If your Firefox, Thunderbird, or Firefox ESR auto-updated since Feb 2022, you're protected.
- Manual fix: Update Firefox to version 97 or newer; Thunderbird to 91.6+; Firefox ESR to 91.6+ on Windows.
Admins:
References & Further Reading
- Mozilla Foundation Security Advisory 2022-05
- CVE-2022-22753 on NIST NVD
- Red Hat Security
Final Thoughts
CVE-2022-22753 is a classic example of how “race conditions” in privileged software can unravel OS security. Maintenance and updater services are juicy targets, since they run with high privileges behind the scenes.
If you’re a developer:
Always watch out for TOCTOU bugs when checking permissions and then acting on files. Use safe primitives, hold locks, or ensure revalidation before acting.
If you’re a user:
Stay up to date — and encourage friends and coworkers to auto-update, especially on Windows. The best defense is often just letting those patches install!
---
*This content is exclusive and written in plain American English for clarity. For more details, see the official references linked above.*
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/29/2022 23:03:00 UTC