[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40F2AC37.1020409@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: Is Mozilla's "patch" enough?
Pavel Kankovsky wrote:
>
>The user has already lost. Game over.
>
>An attacker can exploit the ability to modify the user's configuration in
>many different ways. E.g. redirect the browser to a proxy under the
>attacker's control, make Mozilla use a trojanized Chrome or a trojanized
>Java plugin, etc.
>
>
>
My thought about this is that if someone can gain access to the system
in order to change the contents of prefs.js, then why would they want to
be able to run even more code via shell: ?
At that point they already have the ability to run code on the box
because they have to be able to do that to modify the config files.
And yes, I firmly believe that whitelisting the "safe" protocols is
better than maintaining a blacklist.
-Barry
Powered by blists - more mailing lists