Re: [Fed-Talk] Confirmed: non-admin user updating Firefox
- Subject: Re: [Fed-Talk] Confirmed: non-admin user updating Firefox
- From: Todd Heberlein <email@hidden>
- Date: Thu, 30 Aug 2012 10:19:06 -0700
On Aug 30, 2012, at 8:24 AM, "O'Donnell, Dan" <email@hidden> wrote:
> This then brings up the subject of code signing by developers, which is
> apparently part of Apple's requirements for 10.8.
> However, I don't know enough about the requirement to understand if there
> truly are positive (or negative) implications with regards to applications
> that act like this. (Or like Chrome.)
>
> What might be the pros and cons, or other related implications?
Suppose you have a vulnerable Adobe Acrobat reader. A malicious document exploits it and modifies your user-installed web browser (e.g., Chrome or Firefox). Then every time you enter credentials into the browser, the attacker can capture them. Even if you use 2-factor authentication, the code in the browser can just wait for you to authenticate yourself, and then hijack the web session (e.g., to transfer your bank funds).
In theory (I haven't tested this yet), if Chrome and Firefox sign their applications, when Adobe Acrobat modifies the binaries, Mac OS X should prevent the now Trojaned programs from running.
That is one of the key benefits of signed code.
Todd
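
An added example, not part of the original message: a defender-side audit that runs `codesign --verify --deep --strict` over each app bundle and also flags bundles whose executables directory is writable by the current user, which is the precondition for the modification described above. The function names `check_app` and `audit_apps` and the `CODESIGN` override variable are names chosen for this sketch.

```shell
#!/bin/sh
# Added example: audit macOS app bundles for signature validity and for
# being writable by the current (possibly non-admin) user.
# CODESIGN may be overridden (assumption, for testing); the default is the
# real macOS codesign tool.
CODESIGN="${CODESIGN:-codesign}"

# check_app BUNDLE -> prints "<signature-status> <write-status> <bundle>"
check_app() {
    app="$1"
    # --verify re-checks the bundle against its seal; --deep covers nested
    # code; --strict applies the stricter validation rules.
    if "$CODESIGN" --verify --deep --strict "$app" >/dev/null 2>&1; then
        sig="sig-ok"
    else
        sig="SIG-FAIL"      # unsigned, or modified since it was signed
    fi
    # If the user can write here, any process running as that user
    # (including an exploited document reader) can alter the executable.
    if [ -w "$app/Contents/MacOS" ]; then
        perm="USER-WRITABLE"
    else
        perm="protected"
    fi
    printf '%s %s %s\n' "$sig" "$perm" "$app"
}

# audit_apps DIR... -> one status line per *.app bundle found;
# returns 1 if any bundle failed signature verification, else 0.
audit_apps() {
    rc=0
    for dir in "$@"; do
        for app in "$dir"/*.app; do
            [ -d "$app" ] || continue
            line=$(check_app "$app")
            printf '%s\n' "$line"
            case "$line" in SIG-FAIL*) rc=1 ;; esac
        done
    done
    return $rc
}

# Typical use on a Mac:
#   audit_apps /Applications "$HOME/Applications"
```

A bundle reported as `SIG-FAIL USER-WRITABLE` is the combination worth investigating first: it no longer matches a valid signature and the current user could have changed it.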