Closed Bug 53511 Opened 24 years ago Closed 24 years ago

Execution of untrusted binary code using XPInstall

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect, P1)

x86
Windows 2000
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: tobias.trelle, Assigned: dbragg)

References

()

Details

(Whiteboard: [nsbeta3+][PDTP1])

Attachments

(1 file)

With the current XPI implementation is it possible to execute untrusted binaries
that could perform potentially harmful tasks, such as formatting your harddisk
or sending sensitive information over the network.

I prepared an XPI archive to demonstrate this security hole. This XPI archive
runs a Win32 binary that simply shows a message box but could do anything that
is possible with the Win32 API. This bug is not based on some tricky coding. It
seems to be a bug in the software design of XPI so I assume it is not limited to
the Win32 platform.

The bug occurs with M17, NNPR1, NNPR2. I tested it with Win NT4, Win2000.
Seeing this with 2000091908 on NT4.  Shortly after one clicks the "XPI archive"
link and says "Ok" to "The following packages will be installed," the message
box appears as illustrated.

Classic workaround is of course "don't do that, then."
Still, XPI is much more insecure than the current SmartUpdate
procedure. To do the same with SmartUpdate I have to digitally sign the
archive with e.g. a VeriSign code signing certificate.

Please don't get me wrong: I like XPI very much the way it works
now because I won't have to buy a commercial code signing cert at
$400 per year as I have to do with NN4.

But think of the ongoing anti-JavaScript and anti-everything-scriptable
paranoia. The current XPI implementation will make it even worse.
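As an added defender-side check illustrating the report above (this is not code from the bug, from the reporter, or from Mozilla): an XPI archive is a ZIP file, so a review tool can list the entries that carry a native executable header, whatever their extension, before the user is asked to approve the install. The sample archive below is constructed inline; the entry names and the placeholder install script are assumptions.

```python
import io
import zipfile
from typing import List, Tuple

# Leading bytes that identify native executables; a file is flagged on its
# header, not its extension, so a renamed binary is still reported.
NATIVE_MAGIC = {
    b"MZ": "Win32 PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O executable",
    b"\xce\xfa\xed\xfe": "Mach-O executable",
    b"\xfe\xed\xfa\xcf": "Mach-O executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
}


def find_native_binaries(xpi_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, description) for every archive entry whose first
    bytes match a known native executable header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as entry:
                head = entry.read(4)  # longest magic above is 4 bytes
            for magic, desc in NATIVE_MAGIC.items():
                if head.startswith(magic):
                    hits.append((info.filename, desc))
                    break
    return hits


def build_sample_xpi(include_binary: bool = True) -> bytes:
    """Constructed sample XPI: a placeholder install script, a text file,
    and (optionally) a payload with a PE header behind a .dat extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.js", "// constructed placeholder install script\n")
        zf.writestr("bin/readme.txt", "plain text, not a binary\n")
        if include_binary:
            zf.writestr("bin/helper.dat", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, desc in find_native_binaries(build_sample_xpi()):
        print(f"native code in archive: {name} ({desc})")
```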
Installing software is inherently unsafe. Signing didn't change that; it simply
meant that the potentially unsafe action had not been tampered with since it
was signed with a particular company's cert. There were no guarantees the
software was virus free or non-malicious, simply that you would know who to
blame if it was (assuming the company's certificate hadn't been stolen).

The real problem here is that the XPInstall confirmation dialog does not make 
this risk clear to users. It should contain text similar to the 4.x download 
screen for "untrusted" helper apps:

"Software that contains malicious programming instructions could damage or 
otherwise compromise the contents of your computer. You should only install 
files from sites that you trust."

This is a localization change, and "p1" only in a legal sense -- seeking 
permission from PDT and localization to do this.
Assignee: dveditz → dbragg
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: nsbeta3, rtm
Priority: P3 → P1
Whiteboard: [nsbeta3+]
Sounds good to me if Montse agrees
The wording is fine.
approved by localization due to its severity
PDT agrees P1
Whiteboard: [nsbeta3+] → [nsbeta3+][PDTP1]
Zee bug she is feexed.  Added text mostly as presented in the bug.

It now reads:
"A web site is requesting permission to install software on your machine."

"Software that contains malicious programming instructions could damage or 
otherwise compromise the contents of your computer.  You should only install 
software from sites that you trust."

Changed the "Packages to install" to "Would you like to install the following 
packages?" so it fits more with the OK/Cancel button.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Build: 2000-09-22-08-M18(WIN), 2000-09-22-08-M18(MAC), 2000-09-22-08-M18(LINUX)

Looks really nice.  Scrolling looks good.  Resizing column headers looks clean.
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard
