Message-ID: <8beca8204071209457b72450a@mail.gmail.com>
From: avivra at gmail.com (Aviv Raff)
Subject: Is Mozilla's "patch" enough?

If you don't have anything to say but flaming, why do you pollute the list too?

Security patches shouldn't be overridden unless intended to (i.e. uninstalled).
If an attacker can override the patch by a simple line of settings in
a configuration file (aka user.js) and the user cannot change this
setting by simply applying the patch again, or manually changing it
via the about:config interface, it is wrong.
Most of the users don't know how to use the preferences files, or even
know they exist. Moreover, user.js doesn't exist by default.


On Mon, 12 Jul 2004 18:42:07 +0300, Georgi Guninski
<guninski@...inski.com> wrote:
> On Mon, Jul 12, 2004 at 05:23:29PM +0300, Aviv Raff wrote:
> >
> > I understand that if an attacker has the ability to change the user.js
> > file he can do worse things, but why should there be a way to override
> > security patches without uninstalling them?
> >
> 
> if you understand your dumbness why do you continue to pollute the list?
> updated builds for the so called "os" are available at mozilla.org - go get
> them.
> there are a lot of ways to override security patches without uninstalling them
> 
> georgi
> 
>

