Sunday 9 December 2012

Why does trying some Windows Live Writer Plug-ins expose me the total system compromise

As you can see on the Trying a couple more Windows Live Code Formatters post, I tried a number of Live Writer Plug-ins before I found one that I liked.
But if you notice (just to try a couple plug-ins!) I had to install a bunch of MSIs and give them full access to my box! And after installing those plug-ins run with Full Trust (again being able to do whatever they want to any of my windows processes)
This is crazy, this is faith-based security.

I was given no indication on the security-risk-profile of any of these plug-ins!
For example I would like to know what they needed in terms of privileges and if there has been any security review done on them in the past.
Basically, what I want are labels like this so that I can make a risk-based decision before installing those plug-ins.
Part of that label should be the results from SAST tools, namely Cat.Net.
Maybe a cool project for an ‘O2 Platform based Cloud service’ would be to scan and rate the 180 Windows Live Plug-ins available at http://plugins.live.com/writer/browse