Bugtraq mailing list archives
Re: [FD] Mozilla extensions: a security nightmare
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Wed, 5 Aug 2015 20:14:57 +0200
On 2015-08-05 Stefan Kanthak wrote:
"Mario Vilas" <mvilas () gmail com> wrote:If this is the case then the problem is one of bad file permissions, not the location. Incidentally, many other browsers and tons of software also store executable code in %APPDATA%.Cf. <http://seclists.org/fulldisclosure/2013/Aug/198> EVERY program which stores executable code in user-writable locations is CRAPWARE and EVIL since it undermines the security boundary created by privilege separation and installation of executables in write-protected locations. Both are BASIC principles of computer security.
Nonsense. That only becomes an issue if anyone other than the user putting the code into the location is supposed to be running something from that location. Otherwise you'd have to prevent users from putting scripts or standalone executables anywhere they have write access. Which is somewhat less than desirable (or feasible) in most environments. The problem with browser extensions is that they're exposed to input from the outside world, which could make them remotely exploitable in case of a vulnerability, and that user-installed extensions are not subject to company software update procedures. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Mozilla extensions: a security nightmare Stefan Kanthak (Aug 04)
- Message not available
- Re: [FD] Mozilla extensions: a security nightmare Stefan Kanthak (Aug 05)
- Re: [FD] Mozilla extensions: a security nightmare Ansgar Wiechers (Aug 05)
- Re: [FD] Mozilla extensions: a security nightmare Stefan Kanthak (Aug 06)
- Re: [FD] Mozilla extensions: a security nightmare Reindl Harald (Aug 06)
- Re: [FD] Mozilla extensions: a security nightmare Bruce A. Peters (Aug 06)
- Re: [FD] Mozilla extensions: a security nightmare Stefan Kanthak (Aug 17)
- Re: [FD] Mozilla extensions: a security nightmare Christoph Gruber (Aug 06)
- Re: [FD] Mozilla extensions: a security nightmare Reindl Harald (Aug 06)
- Re: [FD] Mozilla extensions: a security nightmare Andrew Deck (Aug 06)
- Re: [FD] Mozilla extensions: a security nightmare Stefan Kanthak (Aug 05)
- Message not available
- Message not available
- Re: [FD] Mozilla extensions: a security nightmare Stefan Kanthak (Aug 06)
- Message not available
- Re: [FD] Mozilla extensions: a security nightmare Stefan Kanthak (Aug 06)
- Message not available
- Re: [FD] Mozilla extensions: a security nightmare Stefan Kanthak (Aug 06)