icon_firefox[CVE-2016-1941] Delay following click events in file download dialog too short on OS X


Delay following click events in file download dialog too short on OS X


Announced: January 26, 2016
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox
Fixed in: Firefox 44


Description

Security researcher Jordi Chancel reported an issue on OS X where the delay between the download dialog getting focus and the button getting enabled was too short. If an attacker is able to induce the user to double-click in a specific location, they can then pass the second click through to the dialog below, leading to unintentional actions such as the running of downloaded software.


Vulnerability demonstration (video):


Comments are closed.