Peter Gutmann wrote:
[...].  The problem with ActiveX
controls isn't (apart from one or two proof-of-concept ones) someone creating
a malicious signed control (or FF plugin, or whatever).

Really? Why is there a product dedicated to avoiding them, then? http://www.javacoolsoftware.com/spywareblaster.html

[...] The problem is the
bad guys exploiting holes in controls created by others.

That's a really interesting point. Still, a little search shows me more PoC discussion about how to use it for denial of service, rather than actual exploits, than anything else:
http://catless.ncl.ac.uk/Risks/18.61.html#subj4
This is not to say it's not a very, very serious problem, just that I haven't yet found proof that it does more damage in real life today than the first point.


This is more of a security issue, so I'm redirecting the discussion to the security group; this is the group where the discussion of "Won't badly written extensions represent a major security threat for Firefox?" will be adequate.

To exploit that, you must first get the person to have the specific bad extension installed; at least it cannot be done silently on Firefox.

I pointed out a few messages earlier that it's a bad thing that there is neither a description nor a name of the extension in the signature; this is just one more reason this is needed. For now, when installing an extension, you just see the filename and the name of the server you download it from; they have *no* proven connection with the real content of the extension.

The basis of this problem with ActiveX is that very often their purpose is to install extensions to the browser that can be scripted from unsigned content.

Very few Firefox extensions install code that is similarly world-executable.

One possible reason ActiveX controls often fall into that is that they are fully written in C, so it's very tempting to have the low-level functionality in the ActiveX control and, separately, the script on the page.

Firefox extensions include JavaScript code more easily than platform-specific code, so most consist only of JavaScript (which also lowers the risk of buffer overflow problems and the like).

The second reason for this failure is that you cannot have signed scripts for IE.
To implement a remote application that must do powerful things in Firefox, the correct solution is not to install an extension that then allows the remote application to do all that from unsigned script, but to use remote signed script instead.


After an extension is installed, you need an extra effort before its functionalities are available to unsigned code. The jsLib extension, for example, enables a lot of dangerous things, but only to other extensions.

Of course, it's still easy for the average developer to fail and open dangerous vulnerabilities in his extension, but I believe quite a bit of the work currently done for Firefox 1.1 is to close some avenues for errors here.
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
