LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

it is not a security thing

it is not a security thing

Posted Nov 26, 2009 19:15 UTC (Thu) by zuki (subscriber, #41808)
Parent article: Firefox locks down the components directory

Clearly, having executables loaded automatically at application startup simply because they are located in the components directory is a security hole, particularly when they are beyond the reach of Firefox's add-on management interface...

To me this doesn't seem so clear - if something is able to write files in the directory containing the installed program, it already has taken over this user and it might just as well overwrite the whole program with a "special" version. No need to install extensions.

This does seem to be what Mike Shaver thinks (in bug #519357):
This isn't designed to protect against attacks on Firefox; that is a hard battle to win (though we do the hash check on every update, and pave over if there's a mismatch). This is to close off an extension mechanism that "happened to work"

Once you are done, you're done, so not everything is a security hole.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds