Closed
Bug 53511
Opened 24 years ago
Closed 24 years ago
Execution of untrusted binary code using XPInstall
Categories: (Core Graveyard :: Installer: XPInstall Engine, defect, P1)
Tracking: (Not tracked)
Status: VERIFIED FIXED
People: (Reporter: tobias.trelle, Assigned: dbragg)
References: ()
Details: (Whiteboard: [nsbeta3+][PDTP1])
Attachments: (1 file) (deleted), text/plain
With the current XPI implementation it is possible to execute untrusted binaries
that could perform potentially harmful tasks, such as formatting your hard disk
or sending sensitive information over the network.
I prepared an XPI archive to demonstrate this security hole. This XPI archive
runs a Win32 binary that simply shows a message box but could do anything that
is possible with the Win32 API. This bug is not based on some tricky coding. It
seems to be a bug in the software design of XPI, so I assume it is not limited to
the Win32 platform.
The bug occurs with M17, NNPR1, NNPR2. I tested it with Win NT4, Win2000.
Comment 1•24 years ago
Seeing this with 2000091908 on NT4. Shortly after one clicks the "XPI archive"
link and says "Ok" to "The following packages will be installed," the message
box appears as illustrated.
Classic workaround is of course "don't do that, then."
Reporter
Comment 2•24 years ago
Still, XPI is much more insecure than the current SmartUpdate
procedure. To do the same with SmartUpdate I have to digitally sign the
archive with e.g. a VeriSign code signing certificate.
Please don't get me wrong: I like XPI very much the way it works
now because I won't have to buy a commercial code signing cert at
$400 per year as I have to do with NN4.
But think of the ongoing anti-JavaScript and anti-everything-scriptable
paranoia. The current XPI implementation will make it even worse.
Comment 3•24 years ago
Installing software is inherently unsafe. Signing didn't change that; it simply
meant that the potentially unsafe action had not been tampered with since it
was signed with a particular company's cert. There were no guarantees the
software was virus free or non-malicious, simply that you would know who to
blame if it was (assuming the company's certificate hadn't been stolen).
The real problem here is that the XPInstall confirmation dialog does not make
this risk clear to users. It should contain text similar to the 4.x download
screen for "untrusted" helper apps:
"Software that contains malicious programming instructions could damage or
otherwise compromise the contents of your computer. You should only install
files from sites that you trust."
This is a localization change, and "p1" only in a legal sense -- seeking
permission from PDT and localization to do this.
Comment 4•24 years ago
Sounds good to me if Montse agrees.
Comment 5•24 years ago
The wording is fine.
Zee bug she is feexed. Added text mostly as presented in the bug.
It now reads:
"A web site is requesting permission to install software on your machine."
"Software that contains malicious programming instructions could damage or
otherwise compromise the contents of your computer. You should only install
software from sites that you trust."
Changed the "Packages to install" to "Would you like to install the following
packages?" so it fits more with the OK/Cancel button.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 10•24 years ago
Build: 2000-09-22-08-M18(WIN), 2000-09-22-08-M18(MAC), 2000-09-22-08-M18(LINUX)
Looks really nice. Scrolling looks good. Resizing column headers looks clean.
Status: RESOLVED → VERIFIED
Updated•9 years ago
Product: Core → Core Graveyard