[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Is Mozilla's "patch" enough?

To: Aviv Raff <avivra@xxxxxxxxx>
Subject: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
From: Thomas Kaschwig <sec@xxxxxxxxxxxx>
Date: Mon, 12 Jul 2004 16:51:15 +0200

Aviv Raff wrote:

> How can it not be a security flaw of mozilla if a setting in the
> user.js overrides the global security setting defined by a patch, and
> any manual setting defined by the user through the about:config?

Because *nobody* should be able to write to your user.js file. If someone 
has write access to other peoples ~/.bashrc or whatever and inserts some 
malicious code, it is also no security flaw of the bash.

> I understand that if an attacker has the ability to change the user.js

If you can find a way to modify mozilla's preferences remotly, /then/ this 
is really a problem.

> file he can do worse things, but why should there be a way to override
> security patches without uninstalling them?

You can overwrite every security patch, if you have sufficient write 
permissions.

Thomas
-- 
PGP/GnuPG: http://www.kaschwig.net/kaschwig.gpg.asc * KeyID: 0x3D68D63A
Fingerprint: 274A 4CB8 B362 D593 39D6 0989 8FC3 725F 3D68 D63A
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Is Mozilla's "patch" enough?
  - From: Aviv Raff
- Re: [Full-Disclosure] Is Mozilla's "patch" enough?
  - From: Thomas Kaschwig
- Re: [Full-Disclosure] Is Mozilla's "patch" enough?
  - From: Aviv Raff

Prev by Date: Re: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP
Next by Date: Re: [Full-Disclosure] Erasing a hard disk easily
Previous by thread: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
Next by thread: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
Index(es):
- Date
- Thread