[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] Mozilla extensions: a security nightmare
From: "Thomas D." <whistl0r () gmail ! com>
Date: 2015-08-10 9:45:16
Message-ID: 003901d0d351$43ca2f80$cb5e8e80$ () googlemail ! com
[Download RAW message or body]
Hi,
Mario Vilas wrote:
> %APPDATA% is within the user's home directory - by default it should not
> be writeable by other users. If this is the case then the problem is one of
> bad file permissions, not the location.
Correct.
> Incidentally, many other browsers and tons of software also store
> executable code in %APPDATA%.
OK, installing into %APPDATA% or %LOCALAPPDATA% will remove Windows' tampering protection.
I hope you are not arguing that because nowadays many application will install into %APPDATA% \
or %LOCALAPPDATA% they became "safe" because they are so many?!
Remember how the thing with %APPDATA% and %LOCALAPPDATA% started/became mainstream: There was a \
small search corp. who thought they need to develop another browser. They had the users on \
their side but getting market share would require them to be able to push the browser on the \
user's desktop - also on work. So they started to install to %LOCALAPPDATA% per default... to \
get around a security mechanism.
Sane with Dropbox and Co: To get required market share you need to be on user's desktop. They \
make their money with business customers. But IT in corporations are moving slow. Convincing IT \
staff that using cloud storage (store your important data on someone else computer) isn't easy. \
But people will use everything which is free at their home. If these people can install Dropbox \
on corporate's network, too... well you know the game: If the critical mass is already using \
Dropbox (even without your consent) chances are high (if it is working for your team), that \
your IT department will get the order to buy it... However Dropbox is now moving from user's \
profile back to %programfiles% starting with 3.6.x. From my knowledge the main reason doing \
that is to support system-wide updates which you cannot do when everyone has installed the \
software in his/her user profile (Chrome offers a system-wide installation, too), no security \
concerns. But if you ask them they won't decline that this will hardening Dropbox for free.
Back to the Mozilla problem and this topic:
Like said you are right, only the current user can write to %APPDATA% or %LOCALAPPDATA% per \
default. But every application the user runs can do that. So for example if the attacker manage \
to send the victim a malicious document which will replace the DLLs Stefan mentioned, the \
attacker could steal the victim's Exchange/Gmail account credentials.
Yes, the attacker must find a way to get his "malware" on the victims computer and the first \
immutable laws of security says
"If a bad guy can persuade you to run his program on your computer, it's not your computer \
anymore"
(https://technet.microsoft.com/en-us/magazine/2008.10.securitywatch.aspx)
but that's not that theoretical like it maybe sounds. Remember the recent Firefox flaw \
(https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/). \
Drive-by-download attacks are normal today and if they succeed the attacker's code is running \
with user privileges and can modify files in %APPDATA% and %LOCALAPPDATA%... So using Windows \
like it was designed is more important than ever.
Regards,
Thomas
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic