[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Is Mozilla's "patch" enough?
- To: Thomas Kaschwig <thomas@xxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
- From: Aviv Raff <avivra@xxxxxxxxx>
- Date: Mon, 12 Jul 2004 17:23:29 +0300
How can it not be a security flaw of mozilla if a setting in the
user.js overrides the global security setting defined by a patch, and
any manual setting defined by the user through the about:config?
I understand that if an attacker has the ability to change the user.js
file he can do worse things, but why should there be a way to override
security patches without uninstalling them?
I think user.js (or the lockPref settings in mozila.cfg) makes Mozilla
more spyware/worms oriented.
On Mon, 12 Jul 2004 16:01:53 +0200, Thomas Kaschwig <thomas@xxxxxxxxxxxx> wrote:
> Aviv Raff wrote:
>
> > If an attacker has a file writing access to the user's default profile
> > directory, or somehow manages to update/create the file user.js (or
> > even worse - mozilla.cfg) he can override the patch's configuration
> > change, and enable the shell protocol handler again.
>
> Nobody should have write access to your user profile. If someone is able
> to modify your user.js file, (s)he can enable some worse options, e.g.
> the protocol handler for `hcp' or `vbscript', but this is not a security
> flaw of mozilla...
>
> Thomas
> --
> PGP/GnuPG: http://www.kaschwig.net/kaschwig.gpg.asc * KeyID: 0x3D68D63A
> Fingerprint: 274A 4CB8 B362 D593 39D6 0989 8FC3 725F 3D68 D63A
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html