Add-on code stored in profile folder raises security risk

Aug 5, 2015 06:44 GMT  ·  By

Stefan Kanthak has raised an interesting issue on the SecurityFocus forums regarding Mozilla Thunderbird and its Lightning extension, bundled with the software starting with version 38.

According to Mr. Kanthak, Lightning, which is provided as a built-in organizer with Mozilla's Thunderbird email reader, "violates one of the mandatory and basic requirements of the now 20 year old 'Designed for Windows' guidelines."

By this he refers to a set of guidelines Microsoft put into place a long time ago, recommending that software developers install applications inside its infamous "/Program Files/" folder, where only privileged users have write access.

This prevents unauthorized tampering with an application's sensitive files, putting a weak but effective wall in front of malware and the like.

Mr. Kanthak is now criticizing Mozilla, not for bundling Lightning with its software, but for allowing some DLL and JavaScript files to live in the Windows "%APPDATA%" folder, where attackers can leverage them.

The problem: Lightning add-on stores DLL and JS files in the user's profile folder

The files he is referring to are calbasecomps.dll and a large list of "(XUL/chrome) Javascripts," all of which could easily be replaced by an attacker and used to load malicious code when the application starts or uses them.

"Code installed in %APPDATA% (or any other user-writable location) is not protected against tampering. This is a fundamental flaw of (not only) Mozilla's extensions, and a security nightmare," says Mr. Kanthak.

In the above statement, he is referring to an unofficial design rule that application code should be kept separate from user data, which is what the "%APPDATA%" folder was meant to hold.

In his view, and in Microsoft's official one, applications should not execute code stored in user profiles; execution should be limited to files stored in protected locations such as the "/Program Files/" folder.

His recommendation is for Mozilla to "disable profile local installation of extensions in Mozilla products, [and] enable ONLY application global installation of extensions."

UPDATE #1: We were contacted by Mozilla regarding Mr. Kanthak's comments. Dan Veditz, Principal Security Engineer, had the following to say: "The way Mozilla approaches the executable code in Windows users' profile is a general property of the way our add-ons work. We are currently not aware of any particular vulnerability in Lightning, nor with the general approach of bundling functionality as add-ons, which we've been doing with Firefox for some time now. Additionally, we strive to be consistent across platforms, and the Windows guidelines referred to only apply to that platform, and not, for example, MacOS or Linux."

This is, to be fair, true: no major security incidents have been reported in which the add-on infrastructure of any Mozilla product was used to deliver malware or other malicious code.

The same architecture of placing DLLs in user profile folders is also used by other software such as OpenOffice, Dropbox, or Chrome, as we were informed via email by one of our readers who calls himself Eric, who also said: "there are enough anti-malware/virus solutions that can protect against arbitrary code execution and detect changed files."
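The two points above, that code in a user-writable profile folder is not protected against tampering, and Eric's remark that changed files can at least be detected, can be demonstrated with a small baseline-and-compare check. The following script is an added example and is not code from Mozilla, from Mr. Kanthak, or from this article; it assumes that add-on code sits under an `extensions` directory inside the profile, that the file types worth watching are `.dll`, `.js`, `.jsm`, `.xul` and `.xpi`, and it builds a constructed sample profile (with a placeholder extension ID and a stub `calbasecomps.dll`) in a temporary directory so it runs offline on any platform.

```python
"""Integrity baseline for add-on code kept in a user-writable profile folder.

Added example (not Mozilla's or Mr. Kanthak's code). Assumptions: add-on code
lives under <profile>/extensions; the profile used below is a constructed
sample created in a temporary directory, not a real Thunderbird profile.
"""
import hashlib
import os
import pathlib
import tempfile

# File types we treat as executable add-on code (assumed list).
CODE_SUFFIXES = {".dll", ".js", ".jsm", ".xul", ".xpi"}


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_code_files(profile_dir):
    """Map each code file under <profile>/extensions (relative POSIX path) to its hash."""
    root = pathlib.Path(profile_dir) / "extensions"
    inventory = {}
    if not root.is_dir():
        return inventory
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in CODE_SUFFIXES:
            inventory[path.relative_to(root).as_posix()] = sha256_file(path)
    return inventory


def diff_inventory(baseline, current):
    """Compare two inventories and report added, removed and modified files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline if name in current and baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def is_user_writable(path):
    """True if the current (unprivileged) user can write to the directory.

    A profile folder under %APPDATA% normally returns True here; this is the
    property Mr. Kanthak objects to, since "Program Files" would return False
    for a non-admin user.
    """
    return os.access(path, os.W_OK)


def build_sample_profile():
    """Create a constructed sample profile with one Lightning-like extension."""
    base = pathlib.Path(tempfile.mkdtemp(prefix="profile-"))
    # Placeholder extension ID; the real Lightning ID is not used here.
    components = base / "extensions" / "lightning-placeholder@example" / "components"
    components.mkdir(parents=True)
    (components / "calbasecomps.dll").write_bytes(b"MZ\x90\x00 constructed dll stub")
    (components / "calendar-ui.js").write_text("// constructed chrome script\n")
    (components / "README.txt").write_text("not code, ignored by the inventory\n")
    return base


def demo():
    """Take a baseline, simulate tampering, and return what the comparison finds."""
    profile = build_sample_profile()
    baseline = inventory_code_files(profile)
    components = profile / "extensions" / "lightning-placeholder@example" / "components"
    # Constructed tampering: the DLL is rewritten in place and an extra script
    # appears. Both succeed only because the folder is writable by the user.
    (components / "calbasecomps.dll").write_bytes(b"MZ\x90\x00 replaced contents")
    (components / "dropped.js").write_text("// constructed extra script\n")
    return diff_inventory(baseline, inventory_code_files(profile))


if __name__ == "__main__":
    sample = build_sample_profile()
    print("profile writable by current user:", is_user_writable(sample))
    print(demo())
```

The comparison only has value if the baseline is stored somewhere the same user account cannot overwrite; a hash file kept next to the extensions it describes can be updated along with them, which is exactly the weakness of user-writable code locations that the article describes.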

UPDATE #2: Mr. Kanthak contacted us after we published Mr. Veditz's response, pointing out that there is no difference between his disclosure and CVE-2015-4495, which Mozilla describes as "inject script into a non-privileged part of the internal PDF viewer." He also pointed us to a conversation on Microsoft's Developer Network in which a Microsoft employee explains why installing code in user-writable locations is a bad idea, calling it a "creative method" that ends up opening vulnerabilities.