(in)SECURITY: mozilla-bonobo


	While browsing the GNOME 2.5 Getting Started page, I noticed, in the
"proposed module" list, that a module named mozilla-bonobo is to be
included in the 2.6 release.

	Did any discussion take place about the security issues implied by
this? This is a HUGE security issue, since bridging Bonobo into Mozilla
assumes that every bonobo component registered in the system is secure
against untrusted data. This is an insane assumption.

	In practice, mozilla + bonobo = MS Internet Explorer. Most security
issues exposed by Internet Explorer are related to ActiveX components,
since IE has an embedded bridge. Almost every week, a new hole is found
in some popular ActiveX component that can be exploited through Internet

	The problem is that most ActiveX that people write are not intended to
be used as web plugins (ie. not to handle untrusted data). And the same
will happen to GNOME. With sure! People will write broken bonobo
components that will expose web browser users to critical
	If such a feature was enabled by default, the reputation of GNOME and
Mozilla would be destroyed by broken third-party bonobo components.

	So we have two problems: 

	1. The current bonobo components will be exposed to the Internet, even
those that were never intended to be
	2. The cost of writing bonobo components will increase, since they now
must handle untrusted data.

	And some solutions:

	1. Forget about mozilla-bonobo
	2. Create a "safe for web" flag that bonobo components must set if they
are intended to be used as web components

	Please, let's not make the same mistakes that Micros~1 did. Let's learn
from other's mistakes.

	Time to flame me.

	Also, time to think again about the creation of a gnome-security
mailing list.

	Thanks for your attention.

Fabio Gomes de Souza <fabio gs2 com br> (+55 81 9127-0597)

|- IT Infrastructure :: Security :: Embedded systems :: Linux
`- Olinda, Brazil - +55 81 3492-7777 - negocios gs2 com br

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]