Hello and great work so far Firefox team!
Currently, Firefox can be used in Windows from the command line to open any URL (start firefox www.google.com). Since any browser is expected to have Internet access to any website or IP address, this is a real security concern in case of default deny security for firewall outbound traffic.
Here is a hacker scenario: The PC has a list of whitelisted applications allowed to connect to the Internet. This prevents lots of malware from connecting to their remote servers. However, malware can bypass that by listening on localhost and requesting Firefox to open the remote server. This way the malware sends and receives data with the server using Firefox after requesting a URL with the malware local port specified as a query parameter.
This can be avoided with a special about:config option that completely disables command line processing. I don't know if that's entirely possible, but preventing Firefox from starting URLs from the command line or explicitly requesting Internet access for static HTML files should be enough.
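A defender can watch for the scenario in this post in process-creation telemetry. The following is an added example, not part of the original post: it flags Firefox launches that were handed a URL by an unexpected parent process. The event fields (`parent`, `image`, `cmdline`), the `EXPECTED_PARENTS` set and the port-in-query heuristic are assumptions.

```python
import ntpath
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: parents that normally start the browser on this host.
EXPECTED_PARENTS = {"explorer.exe", "firefox.exe"}
URL_RE = re.compile(r'(?:https?://|www\.)[^\s"]+', re.IGNORECASE)

def port_like_params(url):
    """Return query parameter names whose value looks like an unprivileged TCP port."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # bare "www.example.com" style argument
    hits = []
    for key, value in parse_qsl(urlsplit(url).query):
        if value.isascii() and value.isdigit() and 1024 <= int(value) <= 65535:
            hits.append(key)
    return hits

def review_launches(events):
    """Flag Firefox launches given a URL by a parent outside EXPECTED_PARENTS."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "firefox.exe":
            continue
        parent = ntpath.basename(ev["parent"]).lower()
        urls = URL_RE.findall(ev["cmdline"])
        if not urls or parent in EXPECTED_PARENTS:
            continue
        ports = [p for u in urls for p in port_like_params(u)]
        findings.append({"parent": parent, "urls": urls, "port_params": ports})
    return findings

# Constructed sample events (not real telemetry).
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": FIREFOX,
     "cmdline": '"' + FIREFOX + '" https://www.google.com'},
    {"parent": r"C:\Users\user\AppData\Local\Temp\updater.exe", "image": FIREFOX,
     "cmdline": '"' + FIREFOX + '" http://remote.example/?lp=49152'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": FIREFOX,
     "cmdline": "firefox www.google.com"},
]

if __name__ == "__main__":
    for finding in review_launches(SAMPLE_EVENTS):
        print(finding)
```

A launch from `cmd.exe` is often legitimate, so findings are triage candidates; the `port_params` field raises priority when a query value falls in the unprivileged port range.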