Full Disclosure mailing list archives
Re: Is Mozilla's "patch" enough?
From: Daniel Wang <whiteclover79-security () yahoo com tw>
Date: Tue, 13 Jul 2004 02:15:40 -0700
Aviv Raff wrote:
How can it not be a security flaw of mozilla if a setting in the user.js overrides the global security setting defined by a patch, and any manual setting defined by the user through the about:config? I understand that if an attacker has the ability to change the user.js file he can do worse things, but why should there be a way to override security patches without uninstalling them? I think user.js (or the lockPref settings in mozila.cfg) makes Mozilla more spyware/worms oriented.
Please explain your point.AFAIK, the preferences component of Mozilla has no code that can write to user.js.
As for mozilla.cfg, 1) it is obscured by simple byte-shift, 2) its first line is bypassed (and should be made an invalid JS code), and 3) must be referenced in all.js (or another default pref file) to work.
I don't understand how someone can change user.js/mozilla.cfg without already having access to the client computer.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Is Mozilla's "patch" enough?, (continued)
- Re: Is Mozilla's "patch" enough? Barry Fitzgerald (Jul 12)
- Re: Is Mozilla's "patch" enough? Thomas Kaschwig (Jul 13)
- Re: Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Georgi Guninski (Jul 12)
- Re: Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Florian Weimer (Jul 12)
- Re: Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Florian Weimer (Jul 12)
- Re: Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Aviv Raff (Jul 12)
- Re: Is Mozilla's "patch" enough? Thomas Kaschwig (Jul 12)
- Re: Is Mozilla's "patch" enough? Daniel Wang (Jul 13)