Re: [FD] Mozilla extensions: a security nightmare

From: Reindl Harald <h.reindl@thelounge.net>
To: Stefan Kanthak <stefan.kanthak@nexgo.de>,Ansgar Wiechers <bugtraq@planetcobalt.net>
Cc: bugtraq@securityfocus.com
Subject: Re: [FD] Mozilla extensions: a security nightmare
Date:


that's all fine but

* nothing new, independent of lightning
* how do you imagine a restricted user installing an extension otherwise
* and no - "he must not do that" is not an acceptable solution

security and usability are always a tradeoff
hence the topic *is* nonsense

Am 05.08.2015 um 21:27 schrieb Stefan Kanthak:
> "Ansgar Wiechers" <bugtraq@planetcobalt.net> wrote:
>
>> On 2015-08-05 Stefan Kanthak wrote:
>>> "Mario Vilas" <mvilas@gmail.com> wrote:
>>>> If this is the case then the problem is one of bad file permissions,
>>>> not the location.
>>>>
>>>> Incidentally, many other browsers and tons of software also store
>>>> executable code in %APPDATA%.
>>>
>>> Cf. <http://seclists.org/fulldisclosure/2013/Aug/198>
>>>
>>> EVERY program which stores executable code in user-writable locations
>>> is CRAPWARE and EVIL since it undermines the security boundary created
>>> by privilege separation and installation of executables in
>>> write-protected locations.
>>> Both are BASIC principles of computer security.
>>
>> Nonsense.
>
> Really?
>
>> That only becomes an issue if anyone other than the user putting the
>> code into the location is supposed to be running something from that
>> location.
>
> Are you SURE that everybody who installs TB 38 knows or recognizes
> that TB writes executable code to their user profile(s)?
> But who is the user who puts the code into that location in the first
> place?
> The user who executes TB and lets it create/update the profile?
> The administrator who installs TB?
> The creator of TB's installer?
>
>> Otherwise you'd have to prevent users from putting scripts or
>> standalone executables anywhere they have write access.
>
> No. Writing executable code is NOT the problem here.
> The problem is running this code AFTER it has been tampered.
> (Not only) Mozilla, however, does NOT detect tampered code.
>
>> Which is somewhat less than desirable (or feasible) in most environments.
>
> I recommend getting the idea of "write Xor execute"...
>
>> The problem with browser extensions is that they're exposed to input
>> from the outside world, which could make them remotely exploitable in
>> case of a vulnerability, and that user-installed extensions are not
>> subject to company software update procedures.
>
> That's still ANOTHER problem
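
Added example, not part of the original thread and not Mozilla's code: a sketch of the tamper detection the quoted text says is missing, recording SHA-256 digests of the files under an extension directory at install time and comparing them before the code is run. The directory layout, file names and function names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = digest
    return manifest

def diff_manifest(baseline, current):
    """Return sorted lists of modified, added and removed relative paths."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}

def demo():
    """Constructed stand-in for a profile extension directory (not real TB files)."""
    with tempfile.TemporaryDirectory() as root:
        ext = os.path.join(root, "extensions", "example-ext")
        os.makedirs(ext)
        with open(os.path.join(ext, "component.js"), "w") as fh:
            fh.write("function run() { return 1; }\n")
        with open(os.path.join(ext, "helper.bin"), "wb") as fh:
            fh.write(b"\x00\x01\x02")
        # Baseline taken at install time. It only helps if it is stored where
        # the unprivileged user cannot write; otherwise it can be rewritten too.
        baseline = build_manifest(root)
        # Simulate later changes made from the user's own context.
        with open(os.path.join(ext, "component.js"), "a") as fh:
            fh.write("// changed after install\n")
        with open(os.path.join(ext, "extra.js"), "w") as fh:
            fh.write("// file not present at install\n")
        os.remove(os.path.join(ext, "helper.bin"))
        return diff_manifest(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```
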
