[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Is Mozilla's "patch" enough?

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Is Mozilla's "patch" enough?
From: Aviv Raff <avivra@xxxxxxxxx>
Date: Mon, 12 Jul 2004 15:08:38 +0300

As you may already know the Mozilla's "patch" for the shell protocol
security issue is merely a global configuration change. But is it
enough?

If an attacker has a file writing access to the user's default profile
directory, or somehow manages to update/create the file user.js (or
even worse - mozilla.cfg) he can override the patch's configuration
change, and enable the shell protocol handler again.

Trying to apply the patch again won't override the attacker's
configuration change, and doing it manually through the about:config
interface will be enough only until the user closes the browser.

Tested on Mozilla Firefox 0.9.1.

What do you think?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Is Mozilla's "patch" enough?
  - From: Pavel Kankovsky
- Re: [Full-Disclosure] Is Mozilla's "patch" enough?
  - From: Thomas Kaschwig

Prev by Date: RE: [Full-Disclosure] Microsoft laxed security is threat to internet
Next by Date: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP
Previous by thread: RE: [Full-Disclosure] Microsoft laxed security is threat to internet
Next by thread: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
Index(es):
- Date
- Thread