Closed Bug 864859 Opened 12 years ago Closed 11 years ago

[Security Review] MMS support

Categories

(mozilla.org :: Security Assurance, task, P1)

Product:
mozilla.org
Component:
Security Assurance
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: pauljt, Assigned: pauljt)

References

(
URL
)

Details

(Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy])

Review app and underlying platform change that support MMS.
Large complex feature, large attack surface ->P1
Priority: P2 → P1
Assignee: nobody → ptheriault
OS: Mac OS X → All
Hardware: x86 → All
Reviewed MMS app inside gaia SMS app, and a high level review of MMS gecko code. The main control for MMS,as with SMS is that it is protected by the 'sms' permission, which is certified only. Gaia Components: One potential issue was identified relating to MMS. See 912885 for details. Other notes rolled into SMS gaia review: https://wiki.mozilla.org/Security/Reviews/Gaia/sms Gecko Components: - Re-uses existing system messages (sms-sent, sms-recieved) which have permission checks on them - Only content accessible interface (apart from readonly) is under navigator, and requires 'sms' permission - Examined code to look for any risk of malformed MMS causing issues. Most parsing happens at Gaia layer though. Would be good to fuzz MMS (in a similar manner to existing SMS fuzzing). I'll raise a separate bug for this testing.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
(In reply to Paul Theriault [:pauljt] from comment #2) > Gaia Components: > One potential issue was identified relating to MMS. See 912885 for details. Note that I still have a sec-approval request there ;)
You need to log in before you can comment on or make changes to this bug.