Full Disclosure mailing list archives
Is Mozilla's "patch" enough?
From: Aviv Raff <avivra () gmail com>
Date: Mon, 12 Jul 2004 15:08:38 +0300
As you may already know the Mozilla's "patch" for the shell protocol security issue is merely a global configuration change. But is it enough? If an attacker has a file writing access to the user's default profile directory, or somehow manages to update/create the file user.js (or even worse - mozilla.cfg) he can override the patch's configuration change, and enable the shell protocol handler again. Trying to apply the patch again won't override the attacker's configuration change, and doing it manually through the about:config interface will be enough only until the user closes the browser. Tested on Mozilla Firefox 0.9.1. What do you think? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Pavel Kankovsky (Jul 12)
- Re: Is Mozilla's "patch" enough? William Warren (Jul 12)
- Re: Is Mozilla's "patch" enough? Thomas Kaschwig (Jul 12)
- Re: Is Mozilla's "patch" enough? Barry Fitzgerald (Jul 12)
- Re: Is Mozilla's "patch" enough? William Warren (Jul 12)
- Re: Is Mozilla's "patch" enough? Thomas Kaschwig (Jul 13)
- Re: Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Georgi Guninski (Jul 12)
- Re: Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Florian Weimer (Jul 12)
- Re: Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Pavel Kankovsky (Jul 12)