[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <du506b$hk9$1@sea.gmane.org>
Date: Wed, 1 Mar 2006 20:28:59 -0000
From: "Dave Korn" <davek_throwaway@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Re: Evil side of Firefox extensions
azurIt wrote:
> But everything has an other side..
Same goes for any other executable. This isn't news and it isn't unique
to firefox. If you download and install programs, or extensions, or
plugins, or active x objects, or any other kind of executable code, it can
be malicious. Why aren't you issuing a report about a vulnerability in
cmd.exe?
> connection and send data through it to the internet. The worst of all
> is that _anyone_, who has physical access to your computer, can
> install extensions into your browser _without_ your notification.
No, that's not the worst of all. Anyone who has physical access to your
computer can do ANYTHING they want to it. " If a bad guy has unrestricted
physical access to your computer, it's not your computer anymore."
> Solution
> --------
> I think that the solution for this should be in the ability of
> locking the installation of extensions with a password. Every user
> will be able to read hash of the password (so the browser can verify
> it) and only system administrator will be allowed to change it (it
> can be stored for example in registers [Windows] or somewhere in /etc
> dir [Linux]).
Should it also prevent your bookmarks being changed, or your proxy
settings? Should Windows not let you install software without a password?
Should everything on your computer be read-only?
It's unfair to blame Firefox for this problem that is inherent to and
generic across every single computer, operating system and application in
the entire world, and trying to tackle just one particular instance of the
problem in one particular feature of one particular browser is a)
ineffective and b) missing the point.
cheers,
DaveK
--
Can't think of a witty .sigline today....
Powered by blists - more mailing lists