
Thread: SMIME => potential security risk !

  1. #1
    Join Date
    Feb 2012
    Posts
    81
    Rep Power
    3

    SMIME => potential security risk !

    Hi folks,

    just had a closer look at the SMIME stuff (NE feature), and was quite a bit shocked at what's going on here.

    Let's dig a bit in com_zimbra_smime.jarx:

    Manifest declares:

    Permissions: all-permissions

    That means nothing less than that the applet requires _FULL LOCAL PERMISSIONS_ on the Client
    machine. So, it can do _ANYTHING_ that the local user can do, if the user allows the applet to be run.

    And it gets even worse:

    It also deploys _MACHINE CODE_, which of course can do whatever it wants with the local machine
    (at least the current user account), without the user having any control whatsoever.
    (see ./com/zimbra/smime/native/* inside the jarx file)

    From a security pov this is TOTALLY UNACCEPTABLE.

    This is like giving an arbitrary postal/shipping company (more precisely: the company that's building their cars)
    the master key to your house !


    We seriously considered rolling out Zimbra SMIME on certain large installations.
    I'm really glad that I detected that early enough to stop the whole project.
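    The two checks the post describes (the manifest's Permissions attribute and bundled native code) can be automated. The script below is an added example written for this thread, not code from the post or from Zimbra; a .jarx, like a .jar, is a zip archive, and the entry names in the constructed sample are assumptions modelled on the post's description.

```python
# Added example, not code from the thread or from Zimbra: audit a .jarx/.jar
# (both are zip archives) for the two findings above. Entry names are assumed.
import io
import zipfile

NATIVE_SUFFIXES = (".dll", ".so", ".dylib", ".jnilib")

def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF into a dict.
    A line starting with one space continues the previous value; a blank
    line ends the main section (JAR file specification)."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # per-entry sections follow; not needed here
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs

def audit_archive(data):
    """Return the Permissions attribute and any entries that look like native code."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
    perms = manifest.get("Permissions")
    native = sorted(n for n in names
                    if "/native/" in n or n.lower().endswith(NATIVE_SUFFIXES))
    return {"permissions": perms,
            "all_permissions": perms == "all-permissions",
            "native_entries": native}

def build_sample():
    """Constructed archive modelled on the post's description (not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
                    "Application-Name: Zimbra S/MIME\r\n\r\n")
        zf.writestr("com/zimbra/smime/SmimeApplet.class", b"\xca\xfe\xba\xbe")
        zf.writestr("com/zimbra/smime/native/win32/smime.dll", b"MZ")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_archive(build_sample()))
```

    To audit a real file, pass `open(path, "rb").read()` to `audit_archive`; an `all_permissions` of True together with a non-empty `native_entries` list is exactly the combination the post objects to.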

  2. #2
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58


    Quote Originally Posted by metux View Post
    just had a closer look at the SMIME stuff (NE feature), and was quite a bit shocked, what's going on here.
    If you have a problem to report then file a bug report, that is the correct place for it and not these forums. By all means discuss the problem in the forums but without bug report there's a possibility it may get missed. This is also posted in the wrong forum, I'll move it.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Join Date
    Feb 2012
    Posts
    81
    Rep Power
    3


    Quote Originally Posted by phoenix View Post
    If you have a problem to report then file a bug report,
    It's not just a bug, it's a major design flaw - the whole approach is completely wrong.

    Quote Originally Posted by phoenix View Post
    that is the correct place for it and not these forums.
    I've put it into the user forum for a good reason: warn the users (yes, especially end-users!)
    not to ever even consider using it.

    In fact, such serious misdesigns deserve a headline article @slashdot, heise, etc.

    Quote Originally Posted by phoenix View Post
    By all means discuss the problem in the forums but without bug report there's a possibility it may get missed.
    Here it is:

    https://bugzilla.zimbra.com/show_bug.cgi?id=92142

    In fact, I wouldn't be surprised at all, if it gets closed WONTFIX quickly ... ;-o

  4. #4
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58


    Quote Originally Posted by metux View Post
    It's not just a bug, it's a major design flaw - the whole approach is completely wrong.
    Then it still belongs in bugzilla perhaps as an RFE?

    Quote Originally Posted by metux View Post
    I've put it into the user forum for a good reason: warn the users (yes, especially end-users!)
    not to ever even consider using it.
    That's OK but you still should file a bug report (or RFE).

    Quote Originally Posted by metux View Post
    In fact, I wouldn't be surprised at all, if it gets closed WONTFIX quickly ... ;-o
    Really, are your bug reports that bad or is this just fortune telling?
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.
