[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8beca8204071207234688da01@mail.gmail.com>
From: avivra at gmail.com (Aviv Raff)
Subject: Is Mozilla's "patch" enough?
How can it not be a security flaw of mozilla if a setting in the
user.js overrides the global security setting defined by a patch, and
any manual setting defined by the user through the about:config?
I understand that if an attacker has the ability to change the user.js
file he can do worse things, but why should there be a way to override
security patches without uninstalling them?
I think user.js (or the lockPref settings in mozila.cfg) makes Mozilla
more spyware/worms oriented.
On Mon, 12 Jul 2004 16:01:53 +0200, Thomas Kaschwig <thomas@...chwig.net> wrote:
> Aviv Raff wrote:
>
> > If an attacker has a file writing access to the user's default profile
> > directory, or somehow manages to update/create the file user.js (or
> > even worse - mozilla.cfg) he can override the patch's configuration
> > change, and enable the shell protocol handler again.
>
> Nobody should have write access to your user profile. If someone is able
> to modify your user.js file, (s)he can enable some worse options, e.g.
> the protocol handler for `hcp' or `vbscript', but this is not a security
> flaw of mozilla...
>
> Thomas
> --
> PGP/GnuPG: http://www.kaschwig.net/kaschwig.gpg.asc * KeyID: 0x3D68D63A
> Fingerprint: 274A 4CB8 B362 D593 39D6 0989 8FC3 725F 3D68 D63A
>
Powered by blists - more mailing lists