User can update without having write access

RESOLVED INCOMPLETE

Status

()

Toolkit
Application Update
RESOLVED INCOMPLETE
a year ago
11 months ago

People

(Reporter: Fred Ziems, Unassigned)

Tracking

51 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

Logged into a workstation as a standard user (WIN10N workstation) started FF, went to help about, checked for updates.  Started downloading the update to 52, then said it was installing, then said to restart the browser, restarted, checked version was now at 52.  


Actual results:

checked the program files (x86) mozilla firefox folder, the firefox.exe file was updated + several other files.  I checked the security on the folder and the files and the only ID with write access to the file is the administrators.  i checked the details on the file and the name in the details was the standard user name.


Expected results:

The user should have been asked for the administrator ID and PASSWORD!  How did this Happen!

Comment 1

a year ago
I suspect this is the maintenance service in action ( https://support.mozilla.org/t5/Install-and-Update/What-is-the-Mozilla-Maintenance-Service/ta-p/11800 ), but I'll let :rstrong and/or you (the reporter) confirm.
Group: firefox-core-security → toolkit-core-security
Component: Untriaged → Application Update
Flags: needinfo?(robert.strong.bugs)
Flags: needinfo?(fziems)
Product: Firefox → Toolkit
That is most likely the Mozilla Maintenance Service performing the update.

Please check if it is listed in "Programs and Features" under Control Panel.
Flags: needinfo?(robert.strong.bugs)
Triage group consensus: appears to be working as designed, so opening access.
Group: toolkit-core-security
No response to comment #2. Resolving incomplete
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Flags: needinfo?(fziems)
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.