Re: Mozilla extensions: a security nightmare

["Thomas D." <whistl0r () gmail com>]

Hi,

Mario Vilas wrote:
> %APPDATA% is within the user's home directory - by default it should not
> be writeable by other users. If this is the case then the problem is one of
> bad file permissions, not the location.

Correct.


> Incidentally, many other browsers and tons of software also store
> executable code in %APPDATA%.

OK, installing into %APPDATA% or %LOCALAPPDATA% will remove Windows' tampering protection.
I hope you are not arguing that because nowadays many application will install into %APPDATA% or %LOCALAPPDATA% they 
became "safe" because they are so many?!

Remember how the thing with %APPDATA% and %LOCALAPPDATA% started/became mainstream: There was a small search corp. who 
thought they need to develop another browser. They had the users on their side but getting market share would require 
them to be able to push the browser on the user's desktop - also on work. So they started to install to %LOCALAPPDATA% 
per default... to get around a security mechanism.

Sane with Dropbox and Co: To get required market share you need to be on user's desktop. They make their money with 
business customers. But IT in corporations are moving slow. Convincing IT staff that using cloud storage (store your 
important data on someone else computer) isn't easy. But people will use everything which is free at their home. If 
these people can install Dropbox on corporate's network, too... well you know the game: If the critical mass is already 
using Dropbox (even without your consent) chances are high (if it is working for your team), that your IT department 
will get the order to buy it...
However Dropbox is now moving from user's profile back to %programfiles% starting with 3.6.x. From my knowledge the 
main reason doing that is to support system-wide updates which you cannot do when everyone has installed the software 
in his/her user profile (Chrome offers a system-wide installation, too), no security concerns. But if you ask them they 
won't decline that this will hardening Dropbox for free.


Back to the Mozilla problem and this topic:
Like said you are right, only the current user can write to %APPDATA% or %LOCALAPPDATA% per default. But every 
application the user runs can do that. So for example if the attacker manage to send the victim a malicious document 
which will replace the DLLs Stefan mentioned, the attacker could steal the victim's Exchange/Gmail account credentials.

Yes, the attacker must find a way to get his "malware" on the victims computer and the first immutable laws of security 
says

  "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore"

   (https://technet.microsoft.com/en-us/magazine/2008.10.securitywatch.aspx)

but that's not that theoretical like it maybe sounds. Remember the recent Firefox flaw 
(https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/). Drive-by-download attacks are normal 
today and if they succeed the attacker's code is running with user privileges and can modify files in %APPDATA% and 
%LOCALAPPDATA%... So using Windows like it was designed is more important than ever.


Regards,
Thomas



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/