Closed Bug 645639 Opened 10 years ago Closed 10 years ago

snippet details URL is not secure, can spoof major updates

Categories

(Mozilla Messaging :: Release Engineering, defect, P2)

Tracking

(blocking-thunderbird3.1 .10+, thunderbird3.1 .10-fixed)

RESOLVED FIXED
Tracking Status
blocking-thunderbird3.1 --- .10+
thunderbird3.1 --- .10-fixed

People

(Reporter: standard8, Assigned: gozer)

Details

(Whiteboard: [non-code])

Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #645551 +++

The major update UI displays the contents of the detailURL attribute in the update snippets. We've sandboxed the content to prevent scripts etc., but we appear to load it from an http:// URL, which is not secure. This means a MITM could easily replace that content. Results could be simply a spoof ("click this link" to a non-mozilla site), or the content could redirect (or better, meta refresh) to a URL serving an exe, prompting the user to download a trojan.

Pointed out by Aaron Sigel
https://twitter.com/#!/diretraversal/status/52107274294018048

Depends on: 645640

We should do all the changes that have been done in Bug #645551, but I am not sure that really makes us any safer.

After all, in the end, you end up making http:// requests to bouncer and download the update via http:// from a mirror, so you could MITM that instead.

(In reply to comment #1)
> We should do all the changes that have been done in Bug #645551, but I am not
> sure that really makes us any safer.
> 
> After all, in the end, you end up making http:// requests to bouncer and
> download the update via http:// from a mirror, so you could MITM that instead.

Wish I could undo a bug comment. This is incorrect on my part: since the original AUS request was over SSL *and* included sizes+checksums, a rogue (or MITM) mirror would simply just get ignored as an invalid update.

So, let's just update our configuration for this.

Attachment #522403 - Flags: review?(john.hopkins)
Attachment #522404 - Flags: review?(john.hopkins)
Attachment #522403 - Flags: review?(john.hopkins) → review+
Attachment #522404 - Flags: review?(john.hopkins) → review+
blocking-thunderbird3.1: --- → .10+
Whiteboard: [non-code]

HG commit:

https://hg.mozilla.org/build/tools/rev/1a4da595fcce

CVS commit:

Checking in moz19-thunderbird-branch-major-update-patcher2.cfg;
/cvsroot/mozilla/tools/patcher-configs/moz19-thunderbird-branch-major-update-patcher2.cfg,v  <--  moz19-thunderbird-branch-major-update-patcher2.cfg
new revision: 1.26; previous revision: 1.25
done
Checking in moz192-thunderbird-branch-major-update-patcher2.cfg;
/cvsroot/mozilla/tools/patcher-configs/moz192-thunderbird-branch-major-update-patcher2.cfg,v  <--  moz192-thunderbird-branch-major-update-patcher2.cfg
new revision: 1.18; previous revision: 1.17
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Assignee: nobody → gozer
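
An added example (not code from this bug or from Mozilla's tools) of the two checks discussed in the thread: flagging an update snippet whose details URL is not HTTPS, and rejecting a mirror download that does not match the size and checksum carried in the snippet. The snippet layout, the attribute names (`detailsURL`, `hashFunction`, `hashValue`, `size`) and the hosts are assumptions, constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a mirror payload and the update snippet describing it.
# The element/attribute layout is an assumption about the snippet format,
# and the hosts are placeholders.
PAYLOAD = b"constructed update payload"
SNIPPET = f"""<updates>
  <update type="major" version="0.0" detailsURL="http://updates.example/details/">
    <patch type="complete" URL="http://mirror.example/update.mar"
           hashFunction="SHA1" hashValue="{hashlib.sha1(PAYLOAD).hexdigest()}"
           size="{len(PAYLOAD)}"/>
  </update>
</updates>"""


def insecure_details_urls(snippet_xml):
    """Return every details URL that is not https:// with a host part."""
    bad = []
    for update in ET.fromstring(snippet_xml).iter("update"):
        url = update.get("detailsURL", "")
        parts = urlsplit(url)
        if url and (parts.scheme != "https" or not parts.netloc):
            bad.append(url)
    return bad


def patch_is_valid(snippet_xml, data):
    """Check downloaded bytes against the size and hash listed in the snippet."""
    patch = ET.fromstring(snippet_xml).find("./update/patch")
    if patch is None:
        return False
    try:
        digest = hashlib.new(patch.get("hashFunction", "").lower(), data)
        size = int(patch.get("size", ""))
    except ValueError:
        return False  # unknown hash function or non-numeric size
    expected = patch.get("hashValue", "").lower()
    return len(data) == size and digest.hexdigest() == expected


if __name__ == "__main__":
    print("insecure details URLs:", insecure_details_urls(SNIPPET))
    print("genuine payload accepted:", patch_is_valid(SNIPPET, PAYLOAD))
    print("tampered payload accepted:", patch_is_valid(SNIPPET, b"X" + PAYLOAD[1:]))
```

The integrity check only helps when the snippet itself arrives over an authenticated channel, which is the point made in the second comment; the details page has no such checksum, so its URL has to be HTTPS.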