From: whiteclover79-security at yahoo.com.tw (Daniel Wang)
Subject: Is Mozilla's "patch" enough?

Aviv Raff wrote:
> How can it not be a security flaw of mozilla if a setting in the
> user.js overrides the global security setting defined by a patch, and
> any manual setting defined by the user through the about:config?
>
> I understand that if an attacker has the ability to change the user.js
> file he can do worse things, but why should there be a way to override
> security patches without uninstalling them?
>
> I think user.js (or the lockPref settings in mozilla.cfg) makes Mozilla
> more spyware/worms oriented.

Please explain your point. AFAIK, the preferences component of Mozilla has no code that can write to user.js. As for mozilla.cfg, 1) it is obscured by simple byte-shift, 2) its first line is bypassed (and should be made an invalid JS code), and 3) must be referenced in all.js (or another default pref file) to work.

I don't understand how someone can change user.js/mozilla.cfg without already having access to the client computer.
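For anyone auditing what a mozilla.cfg on a client actually locks, the following added example (not part of the original post, and not Mozilla's code) undoes the byte-shift obscuring mentioned above, skips the first line, and lists the pref calls. The shift value of 13, the shift direction, and the sample config are assumptions; the post gives none of them.

```python
import re

# Assumption: the post does not give the shift value; 13 is used here as a
# sample default, with encoding taken to add the shift to each byte.
SHIFT = 13

def unshift(data: bytes, shift: int = SHIFT) -> str:
    """Undo the byte-shift obscuring: subtract `shift` from every byte."""
    return bytes((b - shift) % 256 for b in data).decode("utf-8", "replace")

# Matches lockPref("name", value); and the defaultPref/pref variants.
PREF_CALL = re.compile(
    r'^\s*(lockPref|defaultPref|pref)\s*\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE,
)

def audit_cfg(data: bytes, shift: int = SHIFT):
    """Return (function, pref name, value) for each pref call in the file.

    The first line is dropped because, as the post notes, it is bypassed.
    """
    text = unshift(data, shift)
    _, _, body = text.partition("\n")
    return [m.groups() for m in PREF_CALL.finditer(body)]

def locked_prefs(data: bytes, shift: int = SHIFT):
    """Sorted names of the prefs set through lockPref."""
    return sorted(n for fn, n, _ in audit_cfg(data, shift) if fn == "lockPref")

# Constructed sample input (not from the post): a small config, obscured
# the same way so the decoder has something to work on.
SAMPLE_PLAIN = (
    '// first line, skipped by the reader\n'
    'lockPref("network.proxy.type", 1);\n'
    'lockPref("network.proxy.http", "proxy.example.invalid");\n'
    'defaultPref("browser.startup.homepage", "about:blank");\n'
)
SAMPLE_OBSCURED = bytes((b + SHIFT) % 256 for b in SAMPLE_PLAIN.encode())

if __name__ == "__main__":
    for fn, name, value in audit_cfg(SAMPLE_OBSCURED):
        print(f"{fn:12} {name} = {value}")
    print("locked:", locked_prefs(SAMPLE_OBSCURED))
```

Comparing the decoded lockPref list against the expected baseline for a managed install shows whether the file has been altered.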