CVE-2004-2228
Description
Mozilla Firefox before 1.0 on Mac OS X is installed with world-writable permissions, allowing local users to gain elevated privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Mozilla Firefox versions prior to 1.0 on Mac OS X are installed with world-writable permissions. This means that any local user can modify the Firefox installation files, including binaries and libraries. The affected versions are all Firefox releases before 1.0 on the Mac OS X platform.
Exploitation
A local attacker with a user account on the system can write to the Firefox installation directory. By replacing or modifying executable files, the attacker can cause Firefox to execute arbitrary code with the privileges of any user who subsequently runs Firefox. No special authentication or network access is required; only local file write access is needed.
Impact
Successful exploitation allows a local attacker to gain the privileges of any user who launches Firefox. This can lead to full compromise of the user's account, including access to personal data, credentials, and the ability to perform actions as that user. The attack is local and requires the victim to run the modified Firefox.
Mitigation
The vulnerability is fixed in Mozilla Firefox 1.0 and later. Users should upgrade to Firefox 1.0 or newer. The Gentoo security advisory [1] recommends upgrading to version 1.0. No workaround is available for unpatched versions.
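A check for the condition described above, added here as an example and not taken from the advisory or from Mozilla: it lists entries in an application directory whose mode grants write access to all users, then clears that bit. The sample bundle layout and file names are constructed, and the directory to audit is whatever path the caller passes.

```shell
#!/bin/sh
# Added example: audit an install tree for world-writable entries.
# All paths below are constructed; the page gives no install location.

# List entries under $1 whose mode has the other-write bit set.
# Symlinks are skipped because their own mode bits are not enforced.
world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Count the same entries without parsing names (safe for odd filenames).
count_world_writable() {
    find "$1" ! -type l -perm -002 -exec printf x \; | wc -c | tr -d ' '
}

# Clear the other-write bit on every flagged entry.
fix_world_writable() {
    find "$1" ! -type l -perm -002 -exec chmod o-w {} +
}

# Build a constructed sample bundle: one writable directory and one
# writable binary, next to entries with ordinary permissions.
build_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Sample.app/Contents/MacOS"
    : > "$d/Sample.app/Contents/MacOS/sample-bin"
    : > "$d/Sample.app/Contents/Info.plist"
    chmod 755 "$d/Sample.app" "$d/Sample.app/Contents"
    chmod 644 "$d/Sample.app/Contents/Info.plist"
    chmod 777 "$d/Sample.app/Contents/MacOS"
    chmod 777 "$d/Sample.app/Contents/MacOS/sample-bin"
    printf '%s\n' "$d"
}

tree=$(build_sample_tree)
echo "world-writable before fix:"
world_writable "$tree"
fix_world_writable "$tree"
echo "remaining after fix: $(count_world_writable "$tree")"
rm -rf "$tree"
```

Clearing the write bit stops further tampering but does not show whether files were already modified; comparing the tree against a known-good copy is a separate step.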
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.0
- (no CPE) range: <1.0
Patches
No patches discovered yet.
References
- secunia.com/advisories/13144 (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/13724 (nvd: Patch, Vendor Advisory)
- security.gentoo.org/glsa/glsa-200501-03.xml (nvd: Patch, Vendor Advisory)
- www.osvdb.org/11592 (nvd: Patch)
- www.securityfocus.com/bid/11644 (nvd: Patch)
- exchange.xforce.ibmcloud.com/vulnerabilities/18017 (nvd)