It would be good if there were some technical measures in place to make users less likely to install malicious code
Hey, you can *disable* the software installation entirely in the preferences, and if you don't, you are *asked* for confirmation *every time* such an installation is requested.
But /users don't read warning messages/. Even if users do read the warning message, they probably don't understand it. Even if they read and understand the warning message, they have no idea how to respond - given a site which says "you may see a popup asking if you want to install some software, click OK to get superplugin7 which you'll need to view the content of this site" users will always click OK.
More than that, we ship with XPInstall enabled and actively encourage users to install extensions into Firefox and Thunderbird.
What other technical measures do you need?
Some that might actually be effective; there is some discussion on the Mozillazine thread which included:
Only allow XPIInstall to init after a user click (similar to popup blocking)
Whitelisting of a few trusted sites in the default installation
Whitelisting of a few trusted certificates in the default installation
Blacklisting of known-bad extensions or sites (could work like a builtin spyware scanner that refused to install extensions that were known to be harmful)
Scanning of extensions to produce a security profile based on the actions those extensions take
I don't know if you've noticed, but in the last few years, a huge number of security exploits have been the 'trick the user into running unsafe code' type and not the 'exploit a buffer overflow or other programming error' type. Certainly these are the types of exploits that have been most effective in compromising the machines of the great masses. It's very easy to bury your head in the sand and say "oh, that's user error", but it is the job of the program to prevent the user from making those errors, particularly when the security of the user's machine is at risk. Warning dialogs are not, never have been, and never will be, effective at doing this.
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
