Date: Wed, 5 Aug 2015 17:33:09 +0200
From: "Stefan Kanthak" <>
To: "Mario Vilas" <>
Cc: "bugtraq" <>,
  "fulldisclosure" <>
Subject: Re: [FD] Mozilla extensions: a security nightmare

"Mario Vilas" <> wrote:

> %APPDATA% is within the user's home directory - by default it should
> not be writeable by other users.

Did I mention OTHER users?
Clearly not, so your "argument" is moot.

> If this is the case then the problem is one of bad file permissions,
> not the location.
> Incidentally, many other browsers and tons of software also store
> executable code in %APPDATA%.

Cf. <>

EVERY program which stores executable code in user-writable locations
is CRAPWARE and EVIL since it undermines the security boundary created
by privilege separation and installation of executables in write-protected
Both are BASIC principles of computer security.

> I think "security nightmare" may be a bit of an overstatement here.

No, it's just the right wording since it violates two basic principles.

> I'll refrain from panicking about this "issue" for the time being.

JFTR: top posting is a bad habit too!

On Tue, Aug 4, 2015 at 3:22 PM, Stefan Kanthak <>

> Hi @ll,
> Mozilla Thunderbird 38 and newer installs and activates by default
> the 'Lightning' extension.
> Since extensions live in the (Firefox and) Thunderbird profiles
> (which are stored beneath %APPDATA% in Windows) and 'Lightning' comes
> (at least for Windows) with a DLL and some Javascript, Thunderbird
> with 'Lightning' violates one of the mandatory and basic requirements
> of the now 20-year-old "Designed for Windows" guidelines and breaks a
> security boundary: applications must be installed in %ProgramFiles%
> where they are protected against tampering by unprivileged users (and
> of course malware running in their user accounts too) since only
> privileged users can write there.
> Code installed in %APPDATA% (or any other user-writable location) is,
> however, not protected against tampering.
> This is a fundamental flaw of (not only) Mozilla's extensions, and a
> security nightmare.
> Separation of code from (user) data also allows the use of whitelisting
> (see <> for
> example) to secure Windows desktops and servers: users (and of course
> Windows too) don't need to run code stored in their user profiles,
> they only need to run the installed programs/applications, so unwanted
> software including malware can easily be blocked from running.
> JFTR: current software separates code from data in virtual memory and
>       uses "write xor execute" or "data execution prevention" to
>       prevent both tampering of code and execution of data.
>       The same separation and protection can and of course needs to be
>       applied to code and data stored in the file system too!
> The Lightning extension for Windows, however, defeats the tamper protection
> and code/data separation provided by Windows:
> 1. its calbasecomps.dll can be replaced or overwritten with an
>    arbitrary DLL whose DllMain() is executed every time this DLL is
>    loaded;
> 2. its (XUL/chrome) Javascripts can be replaced or overwritten and
>    used to load and call arbitrary DLLs via js-ctypes.
>    Only non-XUL/chrome Javascript is less critical since its execution
>    is confined by (Firefox and) Thunderbird and subject to the
>    restrictions imposed by these programs for non-XUL/chrome Javascript.
> Mitigation(s):
> ~~~~~~~~~~~~~~
> Disable profile local installation of extensions in Mozilla products,
> enable ONLY application global installation of extensions.
> stay tuned
> Stefan Kanthak
> _______________________________________________
> Sent through the Full Disclosure mailing list
> Web Archives & RSS:
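As an added example that is not part of this thread, a defender-side Python audit of the kind the post argues for: it walks a user-writable tree such as a Thunderbird profile under %APPDATA%, lists the files the application would load as code, and identifies native images by their PE header rather than by file extension. The profile layout, the extension id and the file contents it builds are constructed placeholders, not Lightning's real ones.

```python
import os
import tempfile
from pathlib import Path

# File types the application loads as code; whoever can rewrite them in a
# user-writable profile gets code execution the next time they are loaded.
CODE_SUFFIXES = {".dll", ".exe", ".sys", ".js", ".jsm", ".xpi"}

def is_pe_image(path: Path) -> bool:
    """True when the file has an MZ stub whose e_lfanew points at the PE
    signature, regardless of what the file extension claims."""
    try:
        with path.open("rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            f.seek(int.from_bytes(head[0x3C:0x40], "little"))
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def audit_tree(root) -> list[dict]:
    """List files under root the app would load as code: native (PE) or not, writable or not."""
    root, findings = Path(root), []
    for p in sorted(root.rglob("*")):
        native = is_pe_image(p)          # directories raise OSError -> False
        if p.is_file() and (native or p.suffix.lower() in CODE_SUFFIXES):
            findings.append({"path": p.relative_to(root).as_posix(),
                             "native": native, "writable": os.access(p, os.W_OK)})
    return sorted(findings, key=lambda f: f["path"])

def build_demo_profile(root) -> Path:
    """Constructed stand-in for a Thunderbird profile; the extension id is a
    placeholder, not Lightning's real one."""
    root = Path(root)
    ext = root / "extensions" / "lightning@example"
    (ext / "components").mkdir(parents=True)
    (ext / "chrome").mkdir()
    # Minimal PE header: MZ stub, e_lfanew = 0x40, PE signature at offset 0x40.
    pe = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
    (ext / "components" / "calbasecomps.dll").write_bytes(pe)
    (ext / "chrome" / "calendar.js").write_text("// chrome script\n")
    (root / "cache.dat").write_bytes(pe)                    # PE hiding behind .dat
    (root / "places.sqlite").write_bytes(b"SQLite format 3\0")  # data, not code
    return root

def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_demo_profile(tmp))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On Windows, os.access reports only the read-only attribute, not the ACL; confirm the real permission with icacls or Get-Acl.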
