"Mario Vilas" <mvilas@xxxxxxxxx> wrote: > %APPDATA% is within the user's home directory - by default it should > not be writeable by other users. Did I mention OTHER users? Clearly not, so your "argument" is moot. > If this is the case then the problem is one of bad file permissions, > not the location. > > Incidentally, many other browsers and tons of software also store > executable code in %APPDATA%. Cf. <http://seclists.org/fulldisclosure/2013/Aug/198> EVERY program which stores executable code in user-writable locations is CRAPWARE and EVIL since it undermines the security boundary created by privilege separation and installation of executables in write-protected locations. Both are BASIC principles of computer security. > I think "security nightmare" may be a bit of an overstatement here. No, it's just the right wording since it violates two basic principles. > I'll refrain from panicking about this "issue" for the time being. JFTR: top posting is a bad habit too! On Tue, Aug 4, 2015 at 3:22 PM, Stefan Kanthak <stefan.kanthak@xxxxxxxx> wrote: > Hi @ll, > > Mozilla Thunderbird 38 and newer installs and activates per default > the 'Lightning' extension. > > Since extensions live in the (Firefox and) Thunderbird profiles > (which are stored beneath %APPDATA% in Windows) and 'Lightning' comes > (at least for Windows) with a DLL and some Javascript, Thunderbird > with 'Lightning' violates one of the mandatory and basic requirements > of the now 20 year old "Designed for Windows" guidelines and breaks a > security boundary: applications must be installed in %ProgramFiles% > where they are protected against tampering by unprivileged users (and > of course malware running in their user accounts too) since only > privileged users can write there. > > Code installed in %APPDATA% (or any other user-writable location) is > but not protected against tampering. > This is a fundamental flaw of (not only) Mozilla's extensions, and a > security nightmare. > > Separation of code from (user) data also allows to use whitelisting > (see <https://technet.microsoft.com/en-us/library/bb457006.aspx> for > example) to secure Windows desktops and servers: users (and of course > Windows too) don't need to run code stored in their user profiles, > they only need to run the installed programs/applications, so unwanted > software including malware can easily be blocked from running. > > JFTR: current software separates code from data in virtual memory and > uses "write xor execute" or "data execution prevention" to > prevent both tampering of code and execution of data. > The same separation and protection can and of course needs to be > applied to code and data stored in the file system too! > > The Lightning extension for Windows but defeats the tamper protection > and code/data separation provided by Windows: > > 1. its calbasecomps.dll can be replaced or overwritten with an > arbitrary DLL which DllMain() is executed every time this DLL is > loaded; > > 2. its (XUL/chrome) Javascripts can be replaced or overwritten and > used to load and call arbitrary DLLs via js-ctypes. > > Only non-XUL/chrome Javascript is less critical since its execution > is confined by (Firefox and) Thunderbird and subject to the > restrictions imposed by these programs for non-XUL/chrome Javascript. > > > Mitigation(s): > ~~~~~~~~~~~~~~ > > Disable profile local installation of extensions in Mozilla products, > enable ONLY application global installation of extensions. > > stay tuned > Stefan Kanthak > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ >
