Execution of untrusted binary code using XPInstall

VERIFIED FIXED

Status

Core Graveyard
Installer: XPInstall Engine
P1
critical
VERIFIED FIXED
18 years ago
2 years ago

People

(Reporter: Tobias Trelle, Assigned: dbragg)

Tracking

Trunk
x86
Windows 2000

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta3+][PDTP1], URL)

Attachments

(1 attachment)

(Reporter)

Description

18 years ago
With the current XPI implementation it is possible to execute untrusted binaries
that could perform potentially harmful tasks, such as formatting your hard disk
or sending sensitive information over the network.

I prepared an XPI archive to demonstrate this security hole. This XPI archive
runs a Win32 binary that simply shows a message box but could do anything that
is possible with the Win32 API. This bug is not based on some tricky coding. It
seems to be a bug in the software design of XPI so I assume it is not limited to
the Win32 platform.

The bug occurs with M17, NNPR1, NNPR2. I tested it with Win NT4, Win2000.

Comment 1

18 years ago
Seeing this with 2000091908 on NT4.  Shortly after one clicks the "XPI archive"
link and says "Ok" to "The following packages will be installed," the message
box appears as illustrated.

Classic workaround is of course "don't do that, then."
(Reporter)

Comment 2

18 years ago
Still, XPI is much more insecure than the current SmartUpdate
procedure. To do the same with SmartUpdate I have to digitally sign the
archive with e.g. a VeriSign code signing certificate.

Please don't get me wrong: I like XPI very much the way it works
now because I won't have to buy a commercial code signing cert at
$400 per year as I have to do with NN4.

But think of the ongoing anti-JavaScript and anti-everything-scriptable
paranoia. The current XPI implementation will make it even worse.

Comment 3

Installing software is inherently unsafe. Signing didn't change that, it simply
meant that the potentially unsafe action had not been tampered with since it
was signed with a particular company's cert. There were no guarantees the
software was virus free or non-malicious, simply that you would know who to
blame if it was (assuming the company's certificate hadn't been stolen).

The real problem here is that the XPInstall confirmation dialog does not make 
this risk clear to users. It should contain text similar to the 4.x download 
screen for "untrusted" helper apps:

"Software that contains malicious programming instructions could damage or 
otherwise compromise the contents of your computer. You should only install 
files from sites that you trust."

This is a localization change, and "p1" only in a legal sense -- seeking 
permission from PDT and localization to do this.
Assignee: dveditz → dbragg
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: nsbeta3, rtm
Priority: P3 → P1
Whiteboard: [nsbeta3+]

Comment 4

18 years ago
Sounds good to me if Montse agrees

Comment 5

18 years ago
The wording is fine.

Comment 6

18 years ago
approved by localization due to its severity
(Assignee)

Comment 7

18 years ago
Created attachment 15240 [details]
Diff for new warning message on install confirm dialog

Comment 8

18 years ago
PDT agrees P1
Whiteboard: [nsbeta3+] → [nsbeta3+][PDTP1]
(Assignee)

Comment 9

18 years ago
Zee bug she is feexed.  Added text mostly as presented in the bug.

It now reads:
"A web site is requesting permission to install software on your machine."

"Software that contains malicious programming instructions could damage or
otherwise compromise the contents of your computer.  You should only install
software from sites that you trust."

Changed the "Packages to install" to "Would you like to install the following 
packages?" so it fits more with the OK/Cancel button.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 10

18 years ago
Build: 2000-09-22-08-M18(WIN), 2000-09-22-08-M18(MAC), 2000-09-22-08-M18(LINUX)

Looks really nice.  Scrolling looks good.  Resizing column headers looks clean.
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard