Re: [FD] Mozilla extensions: a security nightmare

2015-08-07 Thread Teddy A PURWADI
Fri, Aug 7, 2015. 2:26:54 PM. Yes Please :-) Thanks cheers, /tap -Original Message- From: Jakob Holderbaum Date: Fri, 7 Aug 2015 09:13:04 To: Subject: Re: [FD] Mozilla extensions: a security nightmare I want to stress the point made here. Please continue the rather childish

Re: [FD] Mozilla extensions: a security nightmare

2015-08-07 Thread Jakob Holderbaum
'Stefan Kanthak'; 'Mario Vilas' Cc: 'bugtraq'; 'fulldisclosure' > Subject: RE: [FD] Mozilla extensions: a security nightmare > >> Posting on top because that's where the cursor happens to be is >> like > sh*tt*ng in your pants because tha

Re: [FD] Mozilla extensions: a security nightmare

2015-08-07 Thread Reindl Harald
On 06.08.2015 at 21:33, Stefan Kanthak wrote: # mount /home -o noexec "bash /home/whatever/binary" and you are done any attacker who doesn't know this would not come far at all

RE: [FD] Mozilla extensions: a security nightmare

2015-08-07 Thread Frank Waarsenburg
riedl [mailto:st...@unixwiz.net] Sent: Friday, 7 August 2015 8:17 To: 'Stefan Kanthak'; 'Mario Vilas' Cc: 'bugtraq'; 'fulldisclosure' Subject: RE: [FD] Mozilla extensions: a security nightmare > Posting on top because that's where the cursor happen

RE: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Steve Friedl
ssage- From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de] Sent: Thursday, August 06, 2015 12:33 PM To: Mario Vilas Cc: bugtraq; fulldisclosure Subject: Re: [FD] Mozilla extensions: a security nightmare "Mario Vilas" wrote: > W^X applies to memory protection, completely irrelev

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Stefan Kanthak
"Mario Vilas" wrote: > W^X applies to memory protection, completely irrelevant here. I recommend to revisit elementary school and start to learn reading! http://seclists.org/bugtraq/2015/Aug/8 | JFTR: current software separates code from data in virtual memory and | uses "write xor execu

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Stefan Kanthak
"Mario Vilas" wrote: > This makes no sense. Right. "W^X" obviously doesn't make sense to YOU. > Administrator can write everywhere and users can write their own > directories. There is no privilege escalation here, no security > boundary being crossed. Who wrote anything about "privilege escala

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Andrew Deck
Well, here's my 2 cents: - Yes, it's unfortunate that firefox extensions are not in write-protected parts of the FS. - No, it's not worth eight paragraphs of ranting on this mailing list, use of all caps, or calling some piece of software "evil". - The sudo-like functionality present in Windows (a

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Reindl Harald
On 06.08.2015 at 19:03, Christoph Gruber wrote: Reindl Harald wrote: that's all fine but * nothing new, independent of lightning ACK * how do you imagine a restricted user install an extension otherwise Real sandboxing, if not possible, give the users the possibility to activate admin

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Stefan Kanthak
"Mario Vilas" wrote: > If it can only be written by your own user, what would be the > security boundary being crossed here? Please read AGAIN what I already wrote! | The security boundary created by privilege separation ie. Administrator/root vs. "user" | and installation of executables in w

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Christoph Gruber
Reindl Harald wrote: > > that's all fine but > > * nothing new, independent of lightning ACK > * how do you imagine a restricted user install an extension otherwise Real sandboxing, if not possible, give the users the possibility to activate admin-installed extension, and not the possibility

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Bruce A. Peters
gtraq@securityfocus.com Sent: Thursday, August 6, 2015 5:55:05 AM Subject: Re: [FD] Mozilla extensions: a security nightmare that's all fine but * nothing new, independent of lightning * how do you imagine a restricted user install an extension otherwise * and no - he must not do that is n

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Reindl Harald
that's all fine but * nothing new, independent of lightning * how do you imagine a restricted user install an extension otherwise * and no - he must not do that is not an acceptable solution security and usability are always a tradeoff hence the topic *is* nonsense Am 05.08.2015 um 21:27 schrieb

Re: [FD] Mozilla extensions: a security nightmare

2015-08-06 Thread Stefan Kanthak
"Ansgar Wiechers" wrote: > On 2015-08-05 Stefan Kanthak wrote: >> "Mario Vilas" wrote: >>> If this is the case then the problem is one of bad file permissions, >>> not the location. >>> >>> Incidentally, many other browsers and tons of software also store >>> executable code in %APPDATA%. >> >>

Re: [FD] Mozilla extensions: a security nightmare

2015-08-05 Thread Ansgar Wiechers
On 2015-08-05 Stefan Kanthak wrote: > "Mario Vilas" wrote: >> If this is the case then the problem is one of bad file permissions, >> not the location. >> >> Incidentally, many other browsers and tons of software also store >> executable code in %APPDATA%. > > Cf.

Re: [FD] Mozilla extensions: a security nightmare

2015-08-05 Thread Stefan Kanthak
"Mario Vilas" wrote: > %APPDATA% is within the user's home directory - by default it should > not be writeable by other users. Did I mention OTHER users? Clearly not, so your "argument" is moot. > If this is the case then the problem is one of bad file permissions, > not the location. > > Incid