Re: [FD] Mozilla extensions: a security nightmare

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

"Mario Vilas" <mvilas () gmail com> wrote:

> %APPDATA% is within the user's home directory - by default it should
> not be writeable by other users.

Did I mention OTHER users?
Clearly not, so your "argument" is moot.

> If this is the case then the problem is one of bad file permissions,
> not the location.
>
> Incidentally, many other browsers and tons of software also store
> executable code in %APPDATA%.

Cf. <http://seclists.org/fulldisclosure/2013/Aug/198>

EVERY program which stores executable code in user-writable locations
is CRAPWARE and EVIL since it undermines the security boundary created
by privilege separation and installation of executables in write-protected
locations.
Both are BASIC principles of computer security.

> I think "security nightmare" may be a bit of an overstatement here.

No, it's just the right wording since it violates two basic principles.

> I'll refrain from panicking about this "issue" for the time being.

JFTR: top posting is a bad habit too!

On Tue, Aug 4, 2015 at 3:22 PM, Stefan Kanthak <stefan.kanthak () nexgo de>
wrote:

> Hi @ll,
>
> Mozilla Thunderbird 38 and newer installs and activates per default
> the 'Lightning' extension.
>
> Since extensions live in the (Firefox and) Thunderbird profiles
> (which are stored beneath %APPDATA% in Windows) and 'Lightning' comes
> (at least for Windows) with a DLL and some Javascript, Thunderbird
> with 'Lightning' violates one of the mandatory and basic requirements
> of the now 20 year old "Designed for Windows" guidelines and breaks a
> security boundary: applications must be installed in %ProgramFiles%
> where they are protected against tampering by unprivileged users (and
> of course malware running in their user accounts too) since only
> privileged users can write there.
>
> Code installed in %APPDATA% (or any other user-writable location) is
> but not protected against tampering.
> This is a fundamental flaw of (not only) Mozilla's extensions, and a
> security nightmare.
>
> Separation of code from (user) data also allows to use whitelisting
> (see <https://technet.microsoft.com/en-us/library/bb457006.aspx> for
> example) to secure Windows desktops and servers: users (and of course
> Windows too) don't need to run code stored in their user profiles,
> they only need to run the installed programs/applications, so unwanted
> software including malware can easily be blocked from running.
>
> JFTR: current software separates code from data in virtual memory and
>       uses "write xor execute" or "data execution prevention" to
>       prevent both tampering of code and execution of data.
>       The same separation and protection can and of course needs to be
>       applied to code and data stored in the file system too!
>
> The Lightning extension for Windows but defeats the tamper protection
> and code/data separation provided by Windows:
>
> 1. its calbasecomps.dll can be replaced or overwritten with an
>    arbitrary DLL which DllMain() is executed every time this DLL is
>    loaded;
>
> 2. its (XUL/chrome) Javascripts can be replaced or overwritten and
>    used to load and call arbitrary DLLs via js-ctypes.
>
>    Only non-XUL/chrome Javascript is less critical since its execution
>    is confined by (Firefox and) Thunderbird and subject to the
>    restrictions imposed by these programs for non-XUL/chrome Javascript.
>
>
> Mitigation(s):
> ~~~~~~~~~~~~~~
>
> Disable profile local installation of extensions in Mozilla products,
> enable ONLY application global installation of extensions.
>
> stay tuned
> Stefan Kanthak
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/