[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <003901d0d351$43ca2f80$cb5e8e80$@googlemail.com>
Date: Mon, 10 Aug 2015 11:45:16 +0200
From: "Thomas D." <whistl0r@...il.com>
To: <fulldisclosure@...lists.org>
Subject: Re: [FD] Mozilla extensions: a security nightmare
Hi,
Mario Vilas wrote:
> %APPDATA% is within the user's home directory - by default it should not
> be writeable by other users. If this is the case then the problem is one of
> bad file permissions, not the location.
Correct.
> Incidentally, many other browsers and tons of software also store
> executable code in %APPDATA%.
OK, installing into %APPDATA% or %LOCALAPPDATA% will remove Windows' tampering protection.
I hope you are not arguing that because nowadays many application will install into %APPDATA% or %LOCALAPPDATA% they became "safe" because they are so many?!
Remember how the thing with %APPDATA% and %LOCALAPPDATA% started/became mainstream: There was a small search corp. who thought they need to develop another browser. They had the users on their side but getting market share would require them to be able to push the browser on the user's desktop - also on work. So they started to install to %LOCALAPPDATA% per default... to get around a security mechanism.
Sane with Dropbox and Co: To get required market share you need to be on user's desktop. They make their money with business customers. But IT in corporations are moving slow. Convincing IT staff that using cloud storage (store your important data on someone else computer) isn't easy. But people will use everything which is free at their home. If these people can install Dropbox on corporate's network, too... well you know the game: If the critical mass is already using Dropbox (even without your consent) chances are high (if it is working for your team), that your IT department will get the order to buy it...
However Dropbox is now moving from user's profile back to %programfiles% starting with 3.6.x. From my knowledge the main reason doing that is to support system-wide updates which you cannot do when everyone has installed the software in his/her user profile (Chrome offers a system-wide installation, too), no security concerns. But if you ask them they won't decline that this will hardening Dropbox for free.
Back to the Mozilla problem and this topic:
Like said you are right, only the current user can write to %APPDATA% or %LOCALAPPDATA% per default. But every application the user runs can do that. So for example if the attacker manage to send the victim a malicious document which will replace the DLLs Stefan mentioned, the attacker could steal the victim's Exchange/Gmail account credentials.
Yes, the attacker must find a way to get his "malware" on the victims computer and the first immutable laws of security says
"If a bad guy can persuade you to run his program on your computer, it's not your computer anymore"
(https://technet.microsoft.com/en-us/magazine/2008.10.securitywatch.aspx)
but that's not that theoretical like it maybe sounds. Remember the recent Firefox flaw (https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/). Drive-by-download attacks are normal today and if they succeed the attacker's code is running with user privileges and can modify files in %APPDATA% and %LOCALAPPDATA%... So using Windows like it was designed is more important than ever.
Regards,
Thomas
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists