BugTraq
Re: [FD] Mozilla extensions: a security nightmare Aug 05 2015 03:33PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 05 2015 06:14PM
Ansgar Wiechers (bugtraq planetcobalt net) (1 replies)
On 2015-08-05 Stefan Kanthak wrote:
> "Mario Vilas" <mvilas (at) gmail (dot) com> wrote:
>> If this is the case then the problem is one of bad file permissions,
>> not the location.
>>
>> Incidentally, many other browsers and tons of software also store
>> executable code in %APPDATA%.
>
> Cf. <http://seclists.org/fulldisclosure/2013/Aug/198>
>
> EVERY program which stores executable code in user-writable locations
> is CRAPWARE and EVIL since it undermines the security boundary created
> by privilege separation and installation of executables in
> write-protected locations.
> Both are BASIC principles of computer security.

Nonsense. That only becomes an issue if anyone other than the user
putting the code into the location is supposed to be running something
from that location.

Otherwise you'd have to prevent users from putting scripts or
standalone executables anywhere they have write access. Which is
somewhat less than desirable (or feasible) in most environments.

The problem with browser extensions is that they're exposed to input
from the outside world, which could make them remotely exploitable in
case of a vulnerability, and that user-installed extensions are not
subject to company software update procedures.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Re: [FD] Mozilla extensions: a security nightmare Aug 05 2015 07:27PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 10:55AM
Reindl Harald (h reindl thelounge net) (2 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 05:03PM
Christoph Gruber (list guru at) (2 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 06:05PM
Andrew Deck (andrew hastings deck gmail com)
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 05:28PM
Reindl Harald (h reindl thelounge net)
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 04:08PM
Bruce A. Peters (bpeters se-kure com) (1 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 15 2015 04:41PM
Stefan Kanthak (stefan kanthak nexgo de)


 
