From: Jonathan M. <jon...@gm...> - 2010-05-27 03:41:47
On Wed, May 26, 2010 at 7:11 PM, Dmitrijs Ledkovs <dmi...@ub...> wrote:
>
> I was wondering if one can create a malicious sword module & inject
> JavaScript into Xiphos and exploit xulrunner vulnerabilities.
>

It's probably possible (especially with ThML), but I don't think it's a big concern, and here's why:

1. There is not much that the Javascript could do (assuming you are not running in the chrome context). I know that theoretically there could be vulnerabilities that it could exploit, but in practice I suspect it's more effort than most people will take.

2. Getting content to users is a bit more trouble than just "send an email with a link and hope people will click on it". It's unlikely that rogue content would get into semi-official repositories like Xiphos or Crosswire. It's possible that an attacker could set up their own repository, but that's a fair amount of work to do, and you would still have to convince users to add the repository or Troy to add it to the master list (in which case it would probably be removed when the exploit was discovered). You could also distribute the module as a zip file, but it would still require you to convince people to install it and to figure out how to install a zip module (not necessarily that hard, but again it would probably be stopped or heavily warned against when it was discovered to have an exploit).

That being said, I imagine there are quite a few people around who would like the idea of destroying the computers of people who are reading Bibles.

Jon
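The thread's concern is module text (ThML or HTML fragments) carrying script into Xiphos's renderer. As an added example, not Xiphos or SWORD project code, the scanner below walks each entry's markup with Python's standard `html.parser` and flags the constructs that could execute when rendered: script-bearing elements, `on*` event-handler attributes, and `javascript:`/`vbscript:` URIs in link or source attributes. The entry keys, the `scripRef` element and the sample module contents are constructed for the example; a front end or repository maintainer could run a check like this over a module before rendering or publishing it.

```python
"""Flag active content in SWORD-style module entries before they reach an
HTML/XUL renderer.  Example code, not part of Xiphos or the SWORD library;
the sample module below is constructed."""
import re
from html.parser import HTMLParser

# URI schemes that execute script when placed in href/src-style attributes.
_SCRIPT_URI = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.IGNORECASE)

# Elements that can pull in or run code on their own.
_ACTIVE_ELEMENTS = {"script", "object", "embed", "iframe", "applet"}

# Attributes whose value is interpreted as a URI and so could carry a scheme.
_URI_ATTRIBUTES = {"href", "src", "action", "data", "formaction"}


class ActiveContentScanner(HTMLParser):
    """Collect every construct in one entry that could execute script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in _ACTIVE_ELEMENTS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                # onclick, onmouseover, onload, ... all run script.
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in _URI_ATTRIBUTES and value and _SCRIPT_URI.match(value):
                # html.parser has already decoded entities in the value,
                # so "&#106;avascript:" is caught as "javascript:".
                self.findings.append(f"{name}={value.strip()!r} on <{tag}>")


def scan_entry(markup):
    """Return the list of findings for one entry's markup ([] if clean)."""
    scanner = ActiveContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


def scan_module(entries):
    """entries maps key -> markup.  Returns {key: findings} for flagged keys only."""
    flagged = {}
    for key, markup in entries.items():
        findings = scan_entry(markup)
        if findings:
            flagged[key] = findings
    return flagged


# Constructed sample module: one clean entry and three that carry script.
SAMPLE_MODULE = {
    "Gen.1.1": '<p>In the beginning <scripRef passage="John 1:1">God</scripRef> created</p>',
    "Gen.1.2": '<p onmouseover="alert(1)">And the earth was without form</p>',
    "Gen.1.3": '<p>And God said<script>alert("x")</script></p>',
    "Gen.1.4": '<p>Let there be <a href="javascript:void(0)">light</a></p>',
}

if __name__ == "__main__":
    for key, findings in scan_module(SAMPLE_MODULE).items():
        print(key, "->", "; ".join(findings))
```

The scanner is deliberately a detector rather than a sanitizer: a repository maintainer wants to see what a submitted module contains, and a front end that finds anything flagged can refuse to render the entry or fall back to plain text rather than trying to patch the markup.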