BugTraq
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 06:05PM
Andrew Deck (andrew hastings deck gmail com)
Well, here's my 2 cents:

- Yes, it's unfortunate that Firefox extensions are not in
write-protected parts of the FS.
- No, it's not worth eight paragraphs of ranting on this mailing list,
use of all caps, or calling some piece of software "evil".
- The sudo-like functionality present in Windows (and OSX, most of the
time. And GUIs, generally) is a hack, not a "solution" as such, for
reasons stated below. It'll help protect you from an enemy overwriting
files (well.. a bit. They could still write a Word doc, or a PDF, or
some other format that can cause unfortunate things to happen), but as
soon as they get any kind of execution, they're already essentially
admin.
- Number of Google results for "write xor execute": 3,550. Number of
Google results for "nx bit": 474,000. Use the term that is more
accurate, more helpful for someone researching the topic, and more
common.
- I'm only speaking up because this conversation has gone on for a
surprising number of posts.

## Why I'm against "sudo-like" functionality (but not sudo)

The problem with sudo-like functionality on an O/S like Windows is that
there's nothing to prevent cross-application request forgery. If I can
run code on a given system, I can run administrative code on that system
by creating a window that vaguely resembles the one Windows pops up
asking the user to perform an update (of, for example, a Firefox
extension) and enter their admin password.

And now I have their admin password.

That's a problem in OSX, it's a problem in Windows, and it's a problem
in every operating system that I've seen running a GUI. If a part of
the screen were reserved for security requests, it wouldn't be an issue.
But it is an issue. If you care about security, and you're entering
admin creds into a GUI on the system, let alone running a browser,
you're Doing It Wrong(TM).

With sudo, you're explicitly asking to run a program with admin creds,
but more importantly you're asking to be asked for creds. You know
exactly what program is asking you for the password, and you know
exactly why. With Windows, who the hell knows?

Copyright 2010, SecurityFocus