[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Mozilla extensions: a security nightmare
- To: <fulldisclosure@xxxxxxxxxxxx>
- Subject: Re: [FD] Mozilla extensions: a security nightmare
- From: "Thomas D." <whistl0r@xxxxxxxxx>
- Date: Mon, 10 Aug 2015 11:45:16 +0200
Hi,
Mario Vilas wrote:
> %APPDATA% is within the user's home directory - by default it should not
> be writeable by other users. If this is the case then the problem is one of
> bad file permissions, not the location.
Correct.
> Incidentally, many other browsers and tons of software also store
> executable code in %APPDATA%.
OK, installing into %APPDATA% or %LOCALAPPDATA% will remove Windows' tampering
protection.
I hope you are not arguing that because nowadays many application will install
into %APPDATA% or %LOCALAPPDATA% they became "safe" because they are so many?!
Remember how the thing with %APPDATA% and %LOCALAPPDATA% started/became
mainstream: There was a small search corp. who thought they need to develop
another browser. They had the users on their side but getting market share
would require them to be able to push the browser on the user's desktop - also
on work. So they started to install to %LOCALAPPDATA% per default... to get
around a security mechanism.
Sane with Dropbox and Co: To get required market share you need to be on user's
desktop. They make their money with business customers. But IT in corporations
are moving slow. Convincing IT staff that using cloud storage (store your
important data on someone else computer) isn't easy. But people will use
everything which is free at their home. If these people can install Dropbox on
corporate's network, too... well you know the game: If the critical mass is
already using Dropbox (even without your consent) chances are high (if it is
working for your team), that your IT department will get the order to buy it...
However Dropbox is now moving from user's profile back to %programfiles%
starting with 3.6.x. From my knowledge the main reason doing that is to support
system-wide updates which you cannot do when everyone has installed the
software in his/her user profile (Chrome offers a system-wide installation,
too), no security concerns. But if you ask them they won't decline that this
will hardening Dropbox for free.
Back to the Mozilla problem and this topic:
Like said you are right, only the current user can write to %APPDATA% or
%LOCALAPPDATA% per default. But every application the user runs can do that. So
for example if the attacker manage to send the victim a malicious document
which will replace the DLLs Stefan mentioned, the attacker could steal the
victim's Exchange/Gmail account credentials.
Yes, the attacker must find a way to get his "malware" on the victims computer
and the first immutable laws of security says
"If a bad guy can persuade you to run his program on your computer, it's not
your computer anymore"
(https://technet.microsoft.com/en-us/magazine/2008.10.securitywatch.aspx)
but that's not that theoretical like it maybe sounds. Remember the recent
Firefox flaw
(https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/).
Drive-by-download attacks are normal today and if they succeed the attacker's
code is running with user privileges and can modify files in %APPDATA% and
%LOCALAPPDATA%... So using Windows like it was designed is more important than
ever.
Regards,
Thomas
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/