BugTraq
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 07:33PM
Stefan Kanthak (stefan kanthak nexgo de) (2 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 07 2015 07:04AM
Reindl Harald (h reindl thelounge net)
RE: [FD] Mozilla extensions: a security nightmare Aug 07 2015 06:16AM
Steve Friedl (steve unixwiz net) (1 replies)
RE: [FD] Mozilla extensions: a security nightmare Aug 07 2015 06:52AM
Frank Waarsenburg (fwaarsenburg ram-it nl) (1 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 07 2015 07:13AM
Jakob Holderbaum (hi jakob io) (1 replies)
Re: [FD] Mozilla extensions: a security nightmare Aug 07 2015 07:27AM
Teddy A PURWADI (teddyap access net id)
Fri, Aug 7, 2015.

2:26:54 PM.

Yes Please :-)

Thanks

cheers,

/tap

-----Original Message-----
From: Jakob Holderbaum <hi (at) jakob (dot) io>
Date: Fri, 7 Aug 2015 09:13:04
To: <bugtraq (at) securityfocus (dot) com>
Subject: Re: [FD] Mozilla extensions: a security nightmare

I want to stress the point made here.

Please continue the rather childish accusations *in private*.

On 08/07/2015 08:52 AM, Frank Waarsenburg wrote:

> Time to unsubscribe from Bugtraq. I follow that list to be informed

> of vulnerabilities, not to get spammed by fighting ego's. Get a

> life.

>

> ___________________________________

>

> Frank Waarsenburg Chief Information Security Officer

>

> RAM Infotechnology

>

> -----Original Message-----
> From: Steve Friedl [mailto:steve (at) unixwiz (dot) net]
> Sent: vrijdag 7 augustus 2015 8:17
> To: 'Stefan Kanthak'; 'Mario Vilas'
> Cc: 'bugtraq'; 'fulldisclosure'
> Subject: RE: [FD] Mozilla extensions: a security nightmare

>

>> Posting on top because that's where the cursor happens to be is like
>> sh*tt*ng in your pants because that's where your *ssh*l* happens to be!

>

> Here, let me fix this for you:

>

>> "I don't expect to be taking seriously by any technical community"

>

> -----Original Message-----
> From: Stefan Kanthak [mailto:stefan.kanthak (at) nexgo (dot) de]
> Sent: Thursday, August 06, 2015 12:33 PM
> To: Mario Vilas
> Cc: bugtraq; fulldisclosure
> Subject: Re: [FD] Mozilla extensions: a security nightmare

>

> "Mario Vilas" <mvilas (at) gmail (dot) com> wrote:

>

>> W^X applies to memory protection, completely irrelevant here.

>

> I recommend to revisit elementary school and start to learn reading!

>

> http://seclists.org/bugtraq/2015/Aug/8

>

> | JFTR: current software separates code from data in virtual memory and
> | uses "write xor execute" or "data execution prevention" to
> | prevent both tampering of code and execution of data.
> | The same separation and protection can and of course needs to be
> | applied to code and data stored in the file system too!

>

>> Plus you're saying in every situation when a user can overwrite its

>> own binaries in its own home folder it's a bug

>

> Again: learn to read!

>

> <http://seclists.org/bugtraq/2015/Aug/14>

>

> | No. Writing executable code is NOT the problem here.
> | The problem is running this code AFTER it has been tampered.
> | (Not only) Mozilla but does NOT detect tampered code.

>

>> - that would make every single Linux distro vulnerable whenever you

>> install some software in your own home directory that only you can

>> use.

>

> # mount /home -onoexec

>

>> If you're talking about file and directory permissions it makes

>> sense to talk about privilege escalation.

>

> No.

>

>> But I don't think you really understand those security principles

>> you're citing. For example, can you give me an example of an

>> attack scenario?

>

> The attack vector is OBVIOUS, exploitation is TRIVIAL.

>

>> Also, take a chill pill. Your aggressive tone isn't really helping

>> you at all.

>

> Posting on top because that's where the cursor happens to be is like

> sh*tt*ng in your pants because that's where your *ssh*l* happens to

> be!

>

--

Jakob Holderbaum, M.Sc.

Embedded Software & Test Engineer

0176 637 297 71

http://jakob.io/

http://jakob.io/mentoring/

hi (at) jakob (dot) io

@hldrbm
