[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Is Mozilla's "patch" enough?

To: Pavel Kankovsky <peak@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
From: Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>
Date: Mon, 12 Jul 2004 11:20:23 -0400

Pavel Kankovsky wrote:

The user has already lost. Game over.

An attacker can exploit the ability to modify the user's configuration in
many different ways. E.g. redirect the browser to a proxy under the
attacker's control, make Mozilla use a trojanized Chrome or a trojanized
Java plugin, etc.

My thought about this is that if someone can gain access to the system in order to change the contents of prefs.js, then why would they want to be able to run even more code via shell: ?

At that point they already have the ability to run code on the box because they have to be able to do that to modify the config files.

And yes, I firmly believe that whitelisting the "safe" protocols is better than maintaining a blacklist.

-Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] Is Mozilla's "patch" enough?
  - From: Pavel Kankovsky

Prev by Date: Re: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP
Next by Date: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
Previous by thread: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
Next by thread: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
Index(es):
- Date
- Thread