lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 25 May 2009 20:39:34 -0300
From: Fosforo <fosforo@...il.com>
To: FUDder Guy <fudderguy@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: FFSpy, a firefox malware PoC

Are  we missing DNS stuff ? Are plugins signed ? is NoScript being used by
end users ?
Maybe an evilgrade plugin is comming....

[]s Fosforo

On Mon, May 25, 2009 at 3:24 PM, FUDder Guy <fudderguy@...il.com> wrote:

> On Mon, May 25, 2009 at 8:26 PM, saphex <saphex@...il.com> wrote:
> > This isn't about making the user install a malware add-on. It's about
> > gaining access to the system trough an exploit, or physical access,
> > modify an existing add-on with your code. And Firefox wont even
> > notice. Instead of installing a fancy rootkit or keylogger, just go
> > straight to the browser, simple. Go tell your average user to check
> > the codebase of the plug-ins he has installed in is Firefox from time
> > to time in order to make sure they haven't been tampered with, yeah
> > good choice...........
> >
>
> I agree that attacking Firefox is a simpler way to carry out the
> attack than installing rootkit or keylogger. However, this is no
> simpler than asking someone to download a cool game, script of
> screensaver from my site.
>
> Moreover, only addons.mozilla.org and update.mozilla.org are set as
> allowed sites for addon installations by default in the browser. If
> one tries to install addons from other site, Firefox issues a warning.
> So, this is pretty good. As far as the possibility of malicious addon
> on Mozilla site is concerened, the probability is pretty low as the
> addons on the Mozilla site appear for download only after a review
> process.
>
> So, I don't see this type of attack particularly more dangerous than a
> user downloading a software or script with trojan and running it. I
> also don't see this type of attack any simpler than fooling a user to
> run a cool game or script.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ