BugTraq
Re: [FD] Mozilla extensions: a security nightmare Aug 05 2015 03:33PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 05 2015 06:14PM
Ansgar Wiechers (bugtraq planetcobalt net) (1 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 05 2015 07:27PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 10:55AM
Reindl Harald (h reindl thelounge net) (2 replies)
that's all fine but

* nothing new, independent of lightning
* how do you imagine a restricted user install an extension otherwise
* and no - he must not do that is not an acceptable solution

security and usability are always a tradeoff
hence the topic *is* nonsense

On 05.08.2015 at 21:27, Stefan Kanthak wrote:
> "Ansgar Wiechers" <bugtraq (at) planetcobalt (dot) net> wrote:
>
>> On 2015-08-05 Stefan Kanthak wrote:
>>> "Mario Vilas" <mvilas (at) gmail (dot) com> wrote:
>>>> If this is the case then the problem is one of bad file permissions,
>>>> not the location.
>>>>
>>>> Incidentally, many other browsers and tons of software also store
>>>> executable code in %APPDATA%.
>>>
>>> Cf. <http://seclists.org/fulldisclosure/2013/Aug/198>
>>>
>>> EVERY program which stores executable code in user-writable locations
>>> is CRAPWARE and EVIL since it undermines the security boundary created
>>> by privilege separation and installation of executables in
>>> write-protected locations.
>>> Both are BASIC principles of computer security.
>>
>> Nonsense.
>
> Really?
>
>> That only becomes an issue if anyone other than the user putting the
>> code into the location is supposed to be running something from that
>> location.
>
> Are you SURE that everybody who installs TB 38 knows or recognizes
> that TB writes executable code to their user profile(s)?
> Who is but the user who puts the code into that location in the first
> place?
> The user who executes TB and let it create/update the profile?
> The administrator who installs TB?
> The creator of TBs installer?
>
>> Otherwise you'd have to prevent users from putting scripts or
>> standalone executables anywhere they have write access.
>
> No. Writing executable code is NOT the problem here.
> The problem is running this code AFTER it has been tampered.
> (Not only) Mozilla but does NOT detect tampered code.
>
>> Which is somewhat less than desirable (or feasible) in most environments.
>
> I recommend to get the idea of "write Xor execute"...
>
>> The problem with browser extensions is that they're exposed to input
>> from the outside world, which could make them remotely exploitable in
>> case of a vulnerability, and that user-installed extensions are not
>> subject to company software update procedures.
>
> That's still ANOTHER problem


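Added example, not part of the thread and not Mozilla or Thunderbird code: a sketch of the tamper check the quoted reply says is missing, comparing code in a user-writable extension directory against a SHA-256 manifest recorded at install time. The directory layout, file names and function names are constructed for illustration; the manifest is assumed to be kept where the user account cannot write, since otherwise whoever alters the code can alter the manifest as well.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = digest
    return manifest


def verify(root, trusted):
    """Return files that were modified, removed or added since `trusted`."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in trusted
                           if p in current and current[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in current),
        "added": sorted(p for p in current if p not in trusted),
    }


def safe_to_load(root, trusted):
    """True only if the tree matches the trusted manifest exactly."""
    return not any(verify(root, trusted).values())


def demo():
    """Constructed sample: a fake extension directory, changed after install."""
    with tempfile.TemporaryDirectory() as profile:
        ext = os.path.join(profile, "extensions", "example-ext")  # hypothetical path
        os.makedirs(ext)
        with open(os.path.join(ext, "component.js"), "w") as fh:
            fh.write("function init() {}\n")
        trusted = build_manifest(ext)          # recorded at install time
        before = safe_to_load(ext, trusted)
        with open(os.path.join(ext, "component.js"), "a") as fh:
            fh.write("// changed after install\n")
        with open(os.path.join(ext, "extra.dll"), "wb") as fh:
            fh.write(b"\x00")                  # file that was never installed
        return before, verify(ext, trusted)


if __name__ == "__main__":
    print(demo())
```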
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 05:03PM
Christoph Gruber (list guru at) (2 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 06:05PM
Andrew Deck (andrew hastings deck gmail com)
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 05:28PM
Reindl Harald (h reindl thelounge net)
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 04:08PM
Bruce A. Peters (bpeters se-kure com) (1 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 15 2015 04:41PM
Stefan Kanthak (stefan kanthak nexgo de)


 
