Bug 1676840 Comment 6 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I think this is S4 because it's a very edgy edge case and because we explicitly want this behaviour.

I think there are two outstanding questions:

1) Can we change the logic around the checking before requesting elevation?  I.e., ["could you please actually check whether the install location is user-writable instead of hard-coding allowed directories?"](https://bugzilla.mozilla.org/show_bug.cgi?id=1676840#c0) and ["could you compare file versions between updater.exe and the target firefox.exe to prevent the downgrade attack?"](https://bugzilla.mozilla.org/show_bug.cgi?id=1676840#c0).

Molly can have the last word here but the rule of thumb is that junctions and races mean that these types of dynamic properties of the system can be exploited.  Experience is not in our favour here.  We believe that the vast majority of non-writable installations are in the given hardcoded locations, so doing the simplest possible thing is reasonable.

2) ["In this case, the updater did not ask elevation regardless of the maintenance service setting. Is it unexpected?"](https://bugzilla.mozilla.org/show_bug.cgi?id=1676840#c4)

I'm having a hard time understanding what was tried and what happened.  emk, can you detail exactly what steps you took and what you observed?  There are a lot of things in play here: registry keys in HKLM, for example, can subtly impact the behaviour of the MMS, etc.

I think this is S4 because it's a very edgy edge case and because we explicitly want this behaviour.

I think there are two outstanding questions:

1) Can we change the logic around the checking before requesting elevation?  I.e., ["could you please actually check whether the install location is user-writable instead of hard-coding allowed directories?"](https://bugzilla.mozilla.org/show_bug.cgi?id=1676840#c0) and ["could you compare file versions between updater.exe and the target firefox.exe to prevent the downgrade attack?"](https://bugzilla.mozilla.org/show_bug.cgi?id=1676840#c0).

Molly can have the last word here but the rule of thumb is that junctions and races mean that these types of dynamic properties of the system can be exploited.  Experience is not in our favour here.  We believe that the vast majority of non-writable installations are in the given hardcoded locations, so doing the simplest possible thing is reasonable.

2) ["In this case, the updater did not ask elevation regardless of the maintenance service setting. Is it unexpected?"](https://bugzilla.mozilla.org/show_bug.cgi?id=1676840#c4)

I'm having a hard time understanding what was tried and what happened.  emk, can you detail exactly what steps you took and what you observed?  There are a lot of things in play here: registry keys in HKLM, for example, can subtly impact the behaviour of the MMS, etc.
