Bugtraq mailing list archives
RE: [FD] Mozilla extensions: a security nightmare
From: Frank Waarsenburg <fwaarsenburg () ram-it nl>
Date: Fri, 7 Aug 2015 06:52:57 +0000
Time to unsubscribe from Bugtraq. I follow that list to be informed of vulnerabilities, not to get spammed by fighting egos. Get a life.

___________________________________
Frank Waarsenburg
Chief Information Security Officer
RAM Infotechnology

-----Original Message-----
From: Steve Friedl [mailto:steve () unixwiz net]
Sent: Friday, 7 August 2015 8:17
To: 'Stefan Kanthak'; 'Mario Vilas'
Cc: 'bugtraq'; 'fulldisclosure'
Subject: RE: [FD] Mozilla extensions: a security nightmare

Posting on top because that's where the cursor happens to be is like sh*tt*ng in your pants because that's where your *ssh*l* happens to be!

Here, let me fix this for you:
"I don't expect to be taking seriously by any technical community"

-----Original Message-----
From: Stefan Kanthak [mailto:stefan.kanthak () nexgo de]
Sent: Thursday, August 06, 2015 12:33 PM
To: Mario Vilas
Cc: bugtraq; fulldisclosure
Subject: Re: [FD] Mozilla extensions: a security nightmare

"Mario Vilas" <mvilas () gmail com> wrote:
W^X applies to memory protection, completely irrelevant here.
I recommend to revisit elementary school and start to learn reading!
http://seclists.org/bugtraq/2015/Aug/8
| JFTR: current software separates code from data in virtual memory and
|       uses "write xor execute" or "data execution prevention" to
|       prevent both tampering of code and execution of data.
|       The same separation and protection can and of course needs to be
|       applied to code and data stored in the file system too!
Plus you're saying in every situation when a user can overwrite its own binaries in its own home folder it's a bug
Again: learn to read!
<http://seclists.org/bugtraq/2015/Aug/14>
| No. Writing executable code is NOT the problem here.
| The problem is running this code AFTER it has been tampered.
| (Not only) Mozilla but does NOT detect tampered code.
- that would make every single Linux distro vulnerable whenever you install some software in your own home directory that only you can use.
# mount /home -onoexec
If you're talking about file and directory permissions it makes sense to talk about privilege escalation.
No.
But I don't think you really understand those security principles you're citing. For example, can you give me an example of an attack scenario?
The attack vector is OBVIOUS, exploitation is TRIVIAL.
Also, take a chill pill. Your aggressive tone isn't really helping you at all.
Posting on top because that's where the cursor happens to be is like sh*tt*ng in your pants because that's where your *ssh*l* happens to be!
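
Added example, not part of any message in this thread: a Python check for the two file-system conditions the quoted exchange refers to, whether a path sits on a mount carrying `noexec`, and which files in a tree are both owner-writable and executable. The sample mount table, paths and file names are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

def mount_is_noexec(path, mounts_text):
    """True if the longest-matching mount point for `path` has noexec set."""
    best_mp, best_opts = "", []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp, opts = fields[1], fields[3].split(",")
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) > len(best_mp):
            best_mp, best_opts = mp, opts
    return "noexec" in best_opts

def writable_and_executable(root):
    """Regular files under `root` whose mode has the owner-write bit and
    any execute bit set, i.e. files that are not W^X on disk."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_IWUSR and st.st_mode & 0o111:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def demo():
    """Build a constructed tree with three permission modes and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("tool.sh", 0o755), ("notes.txt", 0o644), ("ro-bin", 0o555)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return writable_and_executable(root)

if __name__ == "__main__":
    print(mount_is_noexec("/home/alice/.mozilla", SAMPLE_MOUNTS), demo())
```
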