Closed Bug 53511 Opened 24 years ago Closed 24 years ago

Execution of untrusted binary code using XPInstall

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect, P1)

x86
Windows 2000
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: tobias.trelle, Assigned: dbragg)

References

()

Details

(Whiteboard: [nsbeta3+][PDTP1])

Attachments

(1 file)

With the current XPI implementation it is possible to execute untrusted binaries that could perform potentially harmful tasks, such as formatting your hard disk or sending sensitive information over the network. I prepared an XPI archive to demonstrate this security hole. This XPI archive runs a Win32 binary that simply shows a message box but could do anything that is possible with the Win32 API. This bug is not based on some tricky coding. It seems to be a bug in the software design of XPI, so I assume it is not limited to the Win32 platform. The bug occurs with M17, NNPR1, NNPR2. I tested it with Win NT4, Win2000.
Seeing this with 2000091908 on NT4. Shortly after one clicks the "XPI archive" link and says "Ok" to "The following packages will be installed," the message box appears as illustrated. Classic workaround is of course "don't do that, then."
Still, XPI is much more insecure than the current SmartUpdate procedure. To do the same with SmartUpdate I have to digitally sign the archive with e.g. a VeriSign code signing certificate. Please don't get me wrong: I like XPI very much the way it works now because I won't have to buy a commercial code signing cert at $400 per year as I have to do with NN4. But think of the ongoing anti-JavaScript and anti-everything-scriptable paranoia. The current XPI implementation will make it even worse.
Installing software is inherently unsafe. Signing didn't change that; it simply meant that the potentially unsafe action had not been tampered with since it was signed with a particular company's cert. There were no guarantees the software was virus free or non-malicious, simply that you would know who to blame if it was (assuming the company's certificate hadn't been stolen). The real problem here is that the XPInstall confirmation dialog does not make this risk clear to users. It should contain text similar to the 4.x download screen for "untrusted" helper apps: "Software that contains malicious programming instructions could damage or otherwise compromise the contents of your computer. You should only install files from sites that you trust." This is a localization change, and "p1" only in a legal sense -- seeking permission from PDT and localization to do this.
Assignee: dveditz → dbragg
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: nsbeta3, rtm
Priority: P3 → P1
Whiteboard: [nsbeta3+]
Sounds good to me if Montse agrees
The wording is fine.
approved by localization due to its severity
PDT agrees P1
Whiteboard: [nsbeta3+] → [nsbeta3+][PDTP1]
Zee bug she is feexed. Added text mostly as presented in the bug. It now reads: "A web site is requesting permission to install software on your machine." "Software that contains malicious programming instructions could damage or otherwise compromise the contents of your computer. You should only install software from sites that you trust." Changed the "Packages to install" to "Would you like to install the following packages?" so it fits more with the OK/Cancel button.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Build: 2000-09-22-08-M18(WIN), 2000-09-22-08-M18(MAC), 2000-09-22-08-M18(LINUX) Looks really nice. Scrolling looks good. Resizing column headers looks clean.
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard
