Since the launch of Thunderbird 38, Mozilla has shipped the Lightning extension with its e-mail client, but the way the extension is installed is a security risk for Windows users. The German software developer Stefan Kanthak even calls it a "security nightmare".
Lightning adds a calendar to Thunderbird. The extension is enabled by default, although users can turn Lightning off. Mozilla installs the extension in the user's profile and not in the Program Files directory. In doing so Mozilla violates the mandatory development guidelines for Windows, according to Kanthak. It also introduces a security risk.
Applications in the Program Files directory can only be changed by users with appropriate privileges. That does not apply to files in the AppData directory. It is in this directory that the user's Thunderbird profile is stored and the Lightning extension is located. "This is a fundamental vulnerability in Mozilla's extensions and a security nightmare," writes Kanthak on the Bugtraq mailing list.
According to the developer, for security reasons users run no code from their user profile. That does not apply to Lightning, which is executed from there. An attacker with access to the system can therefore replace the extension's DLL files and JavaScript. Kanthak advises Mozilla to turn off local installation of extensions in Mozilla products and to allow only global installation of extensions.
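Because extension code in the profile can be rewritten without elevated privileges, a defender can record hashes of it and look for later replacement. The sketch below is an added example, not code from Mozilla or Kanthak; the file-type set, directory names and file contents are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Assumed set of file types that carry executable extension code.
CODE_EXTENSIONS = {".dll", ".js", ".jsm", ".xpi"}

def snapshot(ext_root):
    """Map relative path -> SHA-256 for every code file under ext_root."""
    digests = {}
    for folder, _dirs, files in os.walk(ext_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in CODE_EXTENSIONS:
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                digests[os.path.relpath(path, ext_root)] = digest
    return digests

def compare(baseline, current):
    """Return sorted lists of changed, added and removed code files."""
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return changed, added, removed

def demo():
    """Constructed sample: a stand-in extension tree, then a file swap."""
    with tempfile.TemporaryDirectory() as root:
        ext = os.path.join(root, "extensions", "sample-extension")
        os.makedirs(os.path.join(ext, "components"))
        files = {
            os.path.join("components", "native.dll"): b"original native code",
            os.path.join("components", "module.js"): b"var original = true;",
            "readme.txt": b"not code, ignored",
        }
        for rel, data in files.items():
            with open(os.path.join(ext, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(ext)
        # Writes like these need no elevation inside a user profile.
        with open(os.path.join(ext, "components", "native.dll"), "wb") as fh:
            fh.write(b"replaced content")
        with open(os.path.join(ext, "dropped.js"), "wb") as fh:
            fh.write(b"var extra = 1;")
        return compare(baseline, snapshot(ext))

if __name__ == "__main__":
    print(demo())
```

A baseline kept inside the same profile can be rewritten by the same unprivileged process, so store it somewhere the user account cannot modify.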