Rapid7 Vulnerability & Exploit Database

MFSA2005-47 Firefox: Code execution via "Set as Wallpaper"


Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/21/2013
Created: 07/25/2018
Added: 11/21/2013
Modified: 01/30/2015

Description

If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image, they can run arbitrary code on the user's computer. The image "source" must be a javascript: URL containing an eval() statement. Such an image would get the "broken image" icon, but with CSS it could be made transparent and placed on top of a real image.

The attacker would have to convince the user to change their desktop background to the exploit image, and to do so by using the Firefox context menu rather than first saving the image locally and using the normal mechanism provided by their operating system.

This affects only Firefox 1.0.3 and 1.0.4; earlier versions are unaffected. The implementation of this feature in the Mozilla Suite is also unaffected.

Solution(s)

  • mozilla-firefox-upgrade-1_0_5
