lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: whiteclover79-security at yahoo.com.tw (Daniel Wang)
Subject: Is Mozilla's "patch" enough?

Aviv Raff wrote:
> How can it not be a security flaw of mozilla if a setting in the
> user.js overrides the global security setting defined by a patch, and
> any manual setting defined by the user through the about:config?
> 
> I understand that if an attacker has the ability to change the user.js
> file he can do worse things, but why should there be a way to override
> security patches without uninstalling them?
> 
> I think user.js (or the lockPref settings in mozila.cfg) makes Mozilla
> more spyware/worms oriented.

Please explain your point.

AFAIK, the preferences component of Mozilla has no code that can write 
to user.js.

As for mozilla.cfg, 1) it is obscured by simple byte-shift, 2) its first 
line is bypassed (and should be made an invalid JS code), and 3) must be 
referenced in all.js (or another default pref file) to work.

I don't understand how someone can change user.js/mozilla.cfg without 
already having access to the client computer.


Powered by blists - more mailing lists