{
	"id": "aa25c3f2-f998-410f-b403-276846dacdf0",
	"created_at": "2026-04-06T00:15:42.123887Z",
	"updated_at": "2026-04-10T03:23:52.372636Z",
	"deleted_at": null,
	"sha1_hash": "06a3b5b89824b6dc87984c5d16a52249782a642f",
	"title": "Firefox installer DLL hijacking",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34412,
	"plain_text": "Firefox installer DLL hijacking\r\nArchived: 2026-04-02 10:55:05 UTC\r\nMozilla Foundation Security Advisory 2012-98\r\nAnnounced\r\nNovember 20, 2012\r\nReporter\r\nRobert Kugler\r\nImpact\r\nHigh\r\nProducts\r\nFirefox, Firefox ESR\r\nFixed in\r\nFirefox 17\r\nFirefox 18\r\nFirefox ESR 10.0.11\r\nFirefox ESR 10.0.12\r\nFirefox ESR 17.0.1\r\nDescription\r\nSecurity researcher Robert Kugler reported that when a specifically named DLL file on a Windows computer is\r\nplaced in the default downloads directory with the Firefox installer, the Firefox installer will load this DLL when\r\nit is launched. In circumstances where the installer is run by an administrator privileged account, this allows for\r\nthe downloaded DLL file to be run with administrator privileges. This can lead to arbitrary code execution from a\r\nprivileged account.\r\nAdditional vulnerable DLL file names were found and fixed in Firefox 18.0, Firefox ESR 17.0.1, and Firefox ESR\r\n10.0.12 releases.\r\nReferences\r\nDLL Hijacking - Firefox installer\r\nCVE-2012-4206\r\nSource: https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/\r\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2012-98/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
	],
	"report_names": [
		"mfsa2012-98"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434542,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06a3b5b89824b6dc87984c5d16a52249782a642f.pdf",
		"text": "https://archive.orkl.eu/06a3b5b89824b6dc87984c5d16a52249782a642f.txt",
		"img": "https://archive.orkl.eu/06a3b5b89824b6dc87984c5d16a52249782a642f.jpg"
	}
}