Re: [Fed-Talk] Firefox self-update?
- Subject: Re: [Fed-Talk] Firefox self-update?
- From: Todd Heberlein <email@hidden>
- Date: Wed, 29 Aug 2012 14:55:08 -0700
On Aug 29, 2012, at 11:02 AM, David Emery wrote:
> Standard user, that's why I'm surprised.
I'm afraid I can't resolve this mystery because I just foolishly logged in as myself (with admin priv) on my old machine and started firefox.
But for the security nerds out there, here are some more data points (I analyzed Apple's BSM audit logs):
(1) The program that starts the update process is firefox-bin
/Applications/Firefox.app/Contents/MacOS/firefox-bin
(2) firefox-bin actually creates another file on the fly, "updater", that actually modified the firefox binary
/Applications/Firefox.app/Contents/MacOS/updates/0/updater.app/Contents/MacOS/updater
(3) The "updater" program only exists for about 5 seconds before it is deleted, so going in with disk forensics later to determine which program changed the actual firefox binary won't work.
(4) Here is what confuses me: I just checked firefox-bin, and the quarantine bit is set, so I thought Mac OS should have prompted me whether it can execute it. Maybe it will next time because the file was changed during this last update.
$ ls -l@ /Applications/Firefox.app/Contents/MacOS/firefox-bin
-rwxr-xr-x@ 1 heberlei admin 43952 Aug 29 13:15 /Applications/Firefox.app/Contents/MacOS/firefox-bin
com.apple.quarantine 42
If not, then there is an interesting issue with Apple's quarantine bit.
(5) Apple's BSM has a bug I need to write a bug report for (the launchd process running as the user isn't properly audited), and this limits some of the analysis that can be performed.
Todd
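Points (2) and (3) above describe a binary that runs and is deleted about 5 seconds later, which only the audit trail records. As an added example (not part of the original message and not the poster's analysis code), this Python correlates execve and unlink records for the same path to flag such short-lived executables. The records are constructed and only modelled on one-line `praudit -l` output; the field positions, the 30-second window, the helper names, the non-Firefox paths and the assumption that paths contain no commas are all illustrative.

```python
from datetime import datetime

UPDATER = ("/Applications/Firefox.app/Contents/MacOS/updates/0/"
           "updater.app/Contents/MacOS/updater")
FIREFOX = "/Applications/Firefox.app/Contents/MacOS/firefox-bin"

def _rec(event, hms, path):
    """Build one constructed record shaped like a `praudit -l` line."""
    return (f"header,120,11,{event},0,Wed Aug 29 {hms} 2012, + 0 msec,"
            f"path,{path},subject,heberlei,heberlei,admin,heberlei,admin,"
            f"4021,100005,50331650,0.0.0.0,return,success,0,trailer,120")

# Constructed sample data: times, PIDs and session IDs are invented.
SAMPLE = [
    _rec("execve(2)", "13:14:50", FIREFOX),
    _rec("execve(2)", "13:15:01", UPDATER),
    _rec("unlink(2)", "13:15:06", UPDATER),             # gone after 5 s
    _rec("unlink(2)", "13:15:07", "/tmp/scratch.txt"),  # never executed
    _rec("execve(2)", "13:16:00", "/Users/heberlei/bin/tool"),
    _rec("unlink(2)", "13:40:00", "/Users/heberlei/bin/tool"),  # long-lived
]

def parse(line):
    """Return (event, time, first path) or None if the record has no path."""
    f = line.rstrip(",\n").split(",")
    if f[0] != "header" or "path" not in f:
        return None
    when = datetime.strptime(f[5], "%a %b %d %H:%M:%S %Y")
    return f[3], when, f[f.index("path") + 1]

def short_lived_executables(lines, window_s=30):
    """Flag paths that were executed and then unlinked within window_s."""
    exec_at, hits = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        event, when, path = rec
        if event == "execve(2)":
            exec_at[path] = when          # remember the latest exec time
        elif event == "unlink(2)" and path in exec_at:
            life = (when - exec_at.pop(path)).total_seconds()
            if 0 <= life <= window_s:
                hits.append((path, life))
    return hits

if __name__ == "__main__":
    for path, life in short_lived_executables(SAMPLE):
        print(f"{life:.0f}s lifetime: {path}")
```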