Seika wrote:
> Since I'm not very familiar with the architecture of Firefox I just ask my
> question and hope someone is nice enough to answer it. :-)
>
> So now my question, is it possible to develop an exploit which runs
> inside the browser and uses the browser itself to offer a hacker
> remote access to my PC?
>
> The reason why I'm asking, I'm currently working on a security concept
> for a working group. The concept includes a proxy where each http
> traffic is directed to. Each browser must authenticate to the proxy.
> In my concept the proxy is the only way to get into the internet. A
> trojan horse which is running from a PC can't connect to the internet
> because it doesn't know how and even if it would know how it
> doesn't know how to authenticate to the proxy. But if I browse with my
> Firefox to a website which got hacked and is used to distribute an
> exploit which runs out of my browser and with the cooperation of the
> browser, it is very simple for the exploit to get contact to the
> internet because Firefox knows why.
>
> Is it possible?
>
> Thanks for hints.
>
Of course it's possible. There are numerous documented vulnerabilities, and
possibly, albeit unknown to the greater infosec mass, undisclosed
Firefox vulnerabilities, although these vulnerabilities are few in
number {especially when compared to Internet Explorer}.
I should also point out, I've never seen any such automated compromise
of Firefox browsers. I'm aware of its existence, but it isn't that
common in the wild, imaginably even in post-0day exploit release. The
point is, your methodology is going to disable the most basic trojans;
however, for hackers {a person with shell access}, circumventing this
will be trivial, and advanced trojans may dump proxy authentication
information from Firefox/IE anyway.
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security