Scan would have prevented this

Posted May 15, 2008 1:51 UTC (Thu) by dwheeler (subscriber, #1216)
In reply to: This mirrors Microsofts shipping of Nimda to Korea by thumperward
Parent article: Mozilla ships a compromised extension

Actually, language packs are only supposed to have a VERY limited set of constructs, and that is already documented in the Mozilla information. The problem is that currently there's no automated check for this (this is a known bug, and hopefully this will spur quick repair of this).

Human review would ALSO have dealt with this, but language packs are unique among OSS packages: Most developers CANNOT understand the contents of most language packs, because they're specific to a language. This is actually an interesting exploit to counter the OSS "mass review" - pick a component that CANNOT be reviewed by nearly everyone. Thankfully, the solution is obvious too... for language packs, permit only a very few (secure) constructs and forbid the rest.
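The automated check the comment asks for, sketched as an added example (not Mozilla's code and not its actual policy): an allow-list scanner that rejects any file type a language pack should not carry and any localized string that smuggles markup or script. The allowed suffixes and the suspicious-content patterns are assumptions, and both sample packs are constructed fixtures.

```python
import io
import re
import zipfile

# Assumed allow-list (hypothetical, not Mozilla's actual policy): a language
# pack may contain only localized strings and packaging metadata.
ALLOWED_SUFFIXES = (".dtd", ".properties", ".manifest", ".rdf")
# Anything that looks like executable content inside a localized string.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|eval\s*\(", re.I)
ENTITY = re.compile(r'<!ENTITY\s+([\w.\-]+)\s+"([^"]*)"')

def scan_langpack(data: bytes) -> list:
    """Return (path, reason) findings; an empty list means the pack passed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry
            if not name.lower().endswith(ALLOWED_SUFFIXES):
                findings.append((name, "file type not allowed in a language pack"))
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            if name.endswith(".dtd"):
                # DTD entity values are substituted into XUL, so any markup at all is a violation.
                for ent, value in ENTITY.findall(text):
                    if "<" in value or SUSPICIOUS.search(value):
                        findings.append((name, f"entity '{ent}' contains markup or script"))
            elif SUSPICIOUS.search(text):
                findings.append((name, "script-like content in localized strings"))
    return findings

def build_langpack(files: dict) -> bytes:
    """Build an in-memory zip (constructed test fixture, not a real pack)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples: a clean pack, and one smuggling code in two different ways.
CLEAN_PACK = build_langpack({
    "chrome.manifest": "locale browser xx-XX chrome/locale/\n",
    "chrome/locale/browser.dtd": '<!ENTITY fileMenu.label "File">\n',
    "chrome/locale/browser.properties": "quitTitle=Quit\n",
})
BAD_PACK = build_langpack({
    "chrome.manifest": "locale browser xx-XX chrome/locale/\n",
    "chrome/locale/browser.dtd": '<!ENTITY fileMenu.label "File<script>alert(1)</script>">\n',
    "chrome/content/inject.js": "/* code that has no business in a locale */\n",
})
```

Run `scan_langpack` over a pack before it is signed or published; a non-empty result blocks the release.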


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds