Hello and great work so far Firefox team!
Currently, Firefox can be used in Windows from the command line to open any URL (start firefox www.google.com). Since any browser is expected to have Internet access to any website or IP address, this is a real security concern in case of default deny security for firewall outbound traffic.
Here is a hacker scenario:
The PC has a list of whitelisted applications allowed to connect to the Internet. This prevents lots of malware from connecting to their remote servers. However, malware can bypass that by listening on localhost and requesting Firefox to open the remote server. This way the malware sends and receives data with the server using Firefox after requesting a URL with the malware's local port specified as a query parameter.
This can be avoided with a special about:config option that completely disables command line processing. I don't know if that's entirely possible, but preventing Firefox from starting URLs from the command line, or explicitly requesting Internet access for static HTML files, should be enough.
Note: I use NoScript and that helps in this case, but it is not a bulletproof solution. It may be possible that one of the CDNs I have allowed gets hacked with malicious JavaScript. If the malware is already on the PC, it can connect to the remote server using the hacked CDN that is allowed in NoScript. This is a two-piece attack, but I still think that using Firefox to access a random URL from the command line is dangerous and should have an option to be turned off.
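A detection sketch for the scenario described in the post, added here as an example that is not from the poster or from Mozilla: it scans constructed Sysmon-style process-creation records and flags firefox.exe launches that carry a URL from an unexpected parent process, or whose URL has a port-like query parameter. The `Key: value|Key: value` record format, the sample records and the set of expected parent processes are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Parents from which a user would normally launch the browser (assumption).
EXPECTED_PARENTS = {"explorer.exe", "firefox.exe"}
# A URL argument on the command line; stops at whitespace, quotes or the
# constructed record separator.
URL_RE = re.compile(r'(?:https?://|www\.)[^\s|"]+', re.IGNORECASE)

def parse_record(line):
    """Parse one constructed 'Key: value|Key: value' record into a dict."""
    return dict(part.split(": ", 1) for part in line.split("|"))

def score_launch(rec):
    """Return findings for one process-creation record (empty if benign)."""
    findings = []
    if not rec["Image"].lower().endswith("firefox.exe"):
        return findings
    match = URL_RE.search(rec["CommandLine"])
    if not match:
        return findings  # plain browser start, no URL handed in
    url = match.group(0)
    parent = rec["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent not in EXPECTED_PARENTS:
        findings.append(f"url launch from unexpected parent {parent}")
    full = url if "://" in url else "http://" + url
    # The post's scenario passes the malware's local port to the remote
    # server as a query parameter, so a bare TCP port value is suspicious.
    for key, values in parse_qs(urlparse(full).query).items():
        for value in values:
            if value.isdigit() and 1 <= int(value) <= 65535:
                findings.append(f"port-like query parameter {key}={value}")
    return findings

def scan(lines):
    """Map ProcessId -> findings for every record in the constructed log."""
    return {parse_record(l)["ProcessId"]: score_launch(parse_record(l)) for l in lines}

# Constructed sample records: a normal user launch and a suspicious one.
SAMPLE = [
    r'ProcessId: 4120|Image: C:\Program Files\Mozilla Firefox\firefox.exe|'
    r'CommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe" www.google.com|'
    r'ParentImage: C:\Windows\explorer.exe',
    r'ProcessId: 5188|Image: C:\Program Files\Mozilla Firefox\firefox.exe|'
    r'CommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe" '
    r'http://c2.example.invalid/cb?port=49152|'
    r'ParentImage: C:\Users\Public\updater.exe',
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE).items():
        print(pid, findings or "ok")
```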