XSim security vulnerability - embedded web browser


Post by DEADBEEF » Thu 5. Sep 2013, 14:09

X-Sim requires elevated privileges to run properly and contains an in-built web browser.
As such, you're only ever one hijacked server, or redirected DNS record, or compromised hosts file, from having a totally compromised system.

I just thought this should be pointed out as it's potentially quite an issue, especially since any affected machines are likely to be connected to hardware which has the potential to severely injure someone if intentionally misconfigured.


NB. Is there a better place for reporting bug/issues with the software, or is this the right place?

Re: XSim security vulnerability - embedded web browser

Post by sirnoname » Thu 5. Sep 2013, 16:15

What is the difference between IE and the embedded web browser? See -> Steam

Re: XSim security vulnerability - embedded web browser

Post by DEADBEEF » Thu 5. Sep 2013, 17:37

Steam doesn't need to be run with elevated privileges in order to operate properly though, whereas X-Sim does.
It's the elevated privileges which make it a bigger issue than other applications with built-in browsers.

With regard to Steam, Valve also has full control of the pages it displays within the Steam browser. If you attempt to load an external site you'll get a warning that you're leaving the Steam/Valve 'walled garden' and the link will be opened in your regular browser, not in Steam. This wasn't always the case, but was added to prevent phishing-based attacks used to harvest user accounts.

Steam has also had far more serious browser-based vulnerabilities in the past, so they're not immune just because they're a big company.



MotionJoy is another similar application which requires elevated privileges, but what's worse is that it also defaults to loading web ads from shady Chinese * sites. They've allegedly had issues in the past with these sites taking advantage of the browser's elevated security permissions to install malware/viruses. Some people even think that the application itself is a scam designed to infect the user's computer. I wouldn't go that far, but running a web browser with elevated permissions is pretty much always a really bad idea.

Re: XSim security vulnerability - embedded web browser

Post by sirnoname » Thu 5. Sep 2013, 22:20

If there is time I will do an update to avoid browsing outside X-Sim, or perhaps add a warning. The code is already inside but deactivated.
Bugtracker is on the left side.
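The restriction discussed in this thread (keep the embedded browser on the application's own pages and open everything else in the regular browser) can be sketched as a navigation policy. This is an added example, not X-Sim's or Steam's code; the host names are constructed placeholders and `classifyNavigation` is a hypothetical helper that an application would call from whatever "before navigate" hook its browser control offers.

```javascript
// Constructed placeholder hosts; a real application would list its own pages.
const ALLOWED_HOSTS = new Set(["www.sim.example", "forum.sim.example"]);

// Decide what an elevated process should do with a navigation request:
//   "embed"    -> load in the in-app browser
//   "external" -> hand off to the user's normal, unelevated browser
//   "block"    -> do nothing
function classifyNavigation(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules browsers apply
  } catch {
    return "block"; // unparseable or relative input
  }
  // Only web schemes may be opened at all; file:, javascript:, data: are dropped.
  if (url.protocol !== "https:" && url.protocol !== "http:") return "block";
  // Plain HTTP cannot authenticate the server, so a redirected DNS record or an
  // edited hosts file would go unnoticed. Never render it with elevated rights.
  if (url.protocol !== "https:") return "external";
  // A non-default port is not one of the application's own pages.
  if (url.port !== "") return "external";
  // Exact match on the parsed host: no substring or suffix tests, so
  // "www.sim.example.evil.example" and "www.sim.example@evil.example" fail.
  return ALLOWED_HOSTS.has(url.hostname) ? "embed" : "external";
}

// Constructed sample requests covering the usual bypass attempts.
const SAMPLES = [
  "https://www.sim.example/news",
  "https://WWW.SIM.EXAMPLE/",
  "http://www.sim.example/news",
  "https://www.sim.example@evil.example/",
  "https://www.sim.example.evil.example/",
  "https://www.sim.example:8443/",
  "file:///C:/Windows/system32/cmd.exe",
  "javascript:alert(1)",
  "not a url",
];

function classifyAll(urls) {
  return urls.map((u) => [u, classifyNavigation(u)]);
}

for (const [u, verdict] of classifyAll(SAMPLES)) {
  console.log(verdict.padEnd(8), u);
}
```

The check has to run on every navigation, including redirects and frames, and certificate errors on allowed hosts must fail closed rather than offer a click-through.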

