    Firefox: Add-on security vulnerability announcement

    Read the Mozilla announcement for details. If you have installed either of these add-ons then be aware that your Firefox has likely been compromised already, regardless of what OS you run.

    http://blog.mozilla.com/addons/2010/...-announcement/

    Welcome newbies!
    Verify the ISO
    Kubuntu's documentation

    #2
    Re: Firefox: Add-on security vulnerability announcement

    I don't use those but thanks! I never thought of vulnerabilities through that vector. Should have known.



      #3
      Re: Firefox: Add-on security vulnerability announcement

      Thanks Telengard. I guess that means that Firefox Addons should not be included in trusted sources. However, I'm glad this has caused them to do something about that. We'll see how it goes. From the link:

      Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we’re already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site.



        #4
        Re: Firefox: Add-on security vulnerability announcement

        Originally posted by Ole Juul
        However, I'm glad this has caused them to do something about that. We'll see how it goes.
        I totally agree. It is vital that people understand the risk of installing code from untrusted sources on their systems, but few bother to consider it. What is really sad about this is that it will have a negative impact on new Add-Ons because they will remain invisible until the code is vetted by the Mozilla people. Think about how many Firefox add-ons there are, and how many new ones are submitted each day. Now imagine mods in this forum having to approve every single post before it becomes visible.

        Now it is random happenstance that I stumbled into this today, but I expect we will see more and more attacks directly on Firefox. When you think of the web browser (any web browser) as an OS inside an OS then it becomes a clear target for evil hackers and crooks everywhere.
        Welcome newbies!
        Verify the ISO
        Kubuntu's documentation



          #5
          Re: Firefox: Add-on security vulnerability announcement

          Originally posted by Telengard


          I totally agree. It is vital that people understand the risk of installing code from untrusted sources on their systems, but few bother to consider it. What is really sad about this is that it will have a negative impact on new Add-Ons because they will remain invisible until the code is vetted by the Mozilla people. Think about how many Firefox add-ons there are, and how many new ones are submitted each day.
          A necessary evil I think though, especially since one of the principal selling points for firefox has been security. Like it or not, any add-on for firefox will without doubt be inextricably linked with mozilla in the mind of the user if they obtain it from the official addons page. Better for them to be safe than sorry I think - it doesn't take long to undo years of hard work.



            #6
            Re: Firefox: Add-on security vulnerability announcement

            Originally posted by The Liquidator
            A necessary evil I think though, especially since one of the principal selling points for firefox has been security. Like it or not, any add-on for firefox will without doubt be inextricably linked with mozilla in the mind of the user if they obtain it from the official addons page. Better for them to be safe than sorry I think - it doesn't take long to undo years of hard work.
            I guess you're right in saying that firefox is often sold on security, but is it any better than any of the other major browsers like Galeon, Konqueror, and Epiphany? To me a browser is a browser if it does CSS and Youtube, but Firefox stands out because of the Plugins.

            It's too bad they have been so loose with them. I don't think a bunch of petty little "mods" are good for their reputation and they should stick to more serious and carefully chosen ones. I think this latest vulnerability is just their faulty policy coming back to haunt them.

            Anyway, having recently gotten a new Firefox install to work properly, I just now added my little suite of Plugins. They are:

            NoSquint 2.0.3
            Adblock Plus 1.2.1
            Web Developer 1.1.8
            ColorZilla 2.0.2
            Firebug 1.5.4
            Greasemonkey 0.8.20100408.6
            Aardvark 3.0
            Total Validator 6.5.0
            View Source Chart 3.01

            The first four I need, but the last five I'm trying out. What's the chance of any of those being malware?



              #7
              Re: Firefox: Add-on security vulnerability announcement

              Thank god! I never add any "add-ons" to the firefox browser unless it has been recommended by the firefox corporation.



                #8
                Re: Firefox: Add-on security vulnerability announcement

                When I say "security" it was primarily pitted at first against IE which at least at that time had more holes in it than a cheese-grater. However IE now appears to have upped its game in that respect (if the spin is to be believed) and there are as you say several browsers on the market that are probably just as secure so it's now down to extensions I would say. I think they need to nip this in the bud and exercise more control over this, otherwise the reputation of Firefox could be seriously damaged.

                As an aside, of those you mention, I don't use the last 3 but the first 2, most definitely. Another favourite of mine is autocopy.



                  #9
                  Re: Firefox: Add-on security vulnerability announcement

                  I did not use any of those but thanks for sharing the information. I also agree the Mozilla Add-ons site should only contain clean and safe add-ons, however doing that is no easy job. I only have a few add-ons installed. I do believe in the integrity of Adblock and NoScript, but some others I'm not sure. However the ones I use I believe they have already proven to be well intentioned for some years already.



                    #10
                    Re: Firefox: Add-on security vulnerability announcement

                    Originally posted by Telengard
                    Read the Mozilla announcement for details. If you have installed either of these add-ons then be aware that your Firefox has likely been compromised already, regardless of what OS you run.

                    http://blog.mozilla.com/addons/2010/...-announcement/

                    This is not really surprising. Application vulnerabilities are one of the areas that I see as a current weakness, and I anticipate growth over the next few years.

                    types of malicious behavior can only be detected in a code review.
                    I have said this a few times.

                    CoolPreviews: The vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer.
                    Firefox 3.0-3.6.* required. Supports Windows, Mac, and Linux.
                    There is your way in, using that vulnerability an attacker can pull down a script or binary on to a Linux desktop and booyah, pwned (as the user).
                    Don't blame me for being smarter than you, that's your parent's fault.



                      #11
                      Re: Firefox: Add-on security vulnerability announcement

                      Originally posted by bai.ganga
                      Thank god! I never add any "add-ons" to the firefox browser unless it has been recommended by the firefox corporation.
                      The only extension I use is NoScript because it blocks exploits via Javascript, Flash, and Java. Sometimes I try other extensions, but most of them don't provide enough functionality to justify me keeping them. Firefox has evolved well and incorporated the functions of all the extensions I used with Mozilla in the past.

                      Originally posted by zlow
                      There is your way in, using that vulnerability an attacker can pull down a script or binary on to a Linux desktop and booyah, pwned (as the user).
                      ^ This is no joke or exaggeration. The likelihood of a Linux desktop being compromised is still relatively low (compared to other systems anyway), but the mere fact that it is possible makes it a serious consideration for all system administrators.
                      Welcome newbies!
                      Verify the ISO
                      Kubuntu's documentation



                        #12
                        Re: Firefox: Add-on security vulnerability announcement

                        Originally posted by Telengard
                        Originally posted by zlow
                        There is your way in, using that vulnerability an attacker can pull down a script or binary on to a Linux desktop and booyah, pwned (as the user).
                        ^ This is no joke or exaggeration. The likelihood of a Linux desktop being compromised is still relatively low (compared to other systems anyway), but the mere fact that it is possible makes it a serious consideration for all system administrators.
                        In addition, if you haven't applied the MOTD update just released then the script or binary pulled down to the system can get root faster than I can type "pwned". This isn't FUD, this is FACT.
                        Don't blame me for being smarter than you, that's your parent's fault.



                          #13
                          Re: Firefox: Add-on security vulnerability announcement

                          Originally posted by Ole Juul
                          NoSquint 2.0.3
                          Adblock Plus 1.2.1
                          Web Developer 1.1.8
                          ColorZilla 2.0.2
                          Firebug 1.5.4
                          Greasemonkey 0.8.20100408.6
                          Aardvark 3.0
                          Total Validator 6.5.0
                          View Source Chart 3.01

                          The first four I need, but the last five I'm trying out. What's the chance of any of those being malware?
                          First you need to understand the question you are asking. Firefox extensions are essentially patches to the base Firefox code. When you install a Firefox extension, you are really installing an application which uses Firefox as its system library. The real question you need to ask is, do you trust the developer of the extension to install software on your computer which has not been vetted by either Ubuntu or Mozilla?

                          Assuming you do trust the extension the next question you should ask is, what assurances do you have that the code you download is exactly the same code which was originally released by the extension developer? In other words, how do you know for a fact that the code was not intercepted at some point and tampered with? If you feel assured because you only get your extensions from the official Firefox site, then maybe you should read the article again: They aren't protecting you (yet).

                          This is why code signing is so critically important. It is the only possible way to know for a fact that what you download is the same as what the developer released. It provides a level of accountability which must be part of the overall security picture for responsible admins.
                          Welcome newbies!
                          Verify the ISO
                          Kubuntu's documentation

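The code-signing point made in post #13 (only a signature from the developer's own key tells you the bytes you downloaded are the bytes that were released) can be shown concretely. The following is an added example, not code from the thread, from Mozilla, or from any real add-on signing system: it assumes a hypothetical detached-signature scheme in which a developer publishes the SHA-256 of the add-on file together with an Ed25519 signature over that digest, and the user verifies both before installing. The add-on bytes and keys are constructed in the program; `SignRelease`, `VerifyRelease`, `Release`, `Demo` and the two error values are names invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a developer would publish next to an add-on file
// (hypothetical detached-signature scheme, not AMO's real mechanism):
// the SHA-256 of the file bytes plus an Ed25519 signature over that digest.
type Release struct {
	SHA256    string // hex digest a download page could display
	Signature []byte // 64-byte Ed25519 signature over the raw digest
}

// SignRelease is the developer-side step: hash the exact bytes being
// released and sign the digest with the developer's long-term key.
func SignRelease(priv ed25519.PrivateKey, file []byte) Release {
	sum := sha256.Sum256(file)
	return Release{
		SHA256:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, sum[:]),
	}
}

var (
	ErrTampered  = errors.New("digest mismatch: downloaded file differs from the published release")
	ErrUntrusted = errors.New("bad signature: release was not signed by the trusted developer key")
)

// VerifyRelease is the user-side check, run before installing. The digest
// comparison catches a file altered in transit or on a mirror; the
// signature check catches a manifest re-issued by someone other than the
// holder of the developer's key (an attacker who replaced file and digest).
func VerifyRelease(pub ed25519.PublicKey, file []byte, rel Release) error {
	sum := sha256.Sum256(file)
	if hex.EncodeToString(sum[:]) != rel.SHA256 {
		return ErrTampered
	}
	if !ed25519.Verify(pub, sum[:], rel.Signature) {
		return ErrUntrusted
	}
	return nil
}

// Demo walks three cases with constructed data and returns the outcome
// of each verification: a genuine release, a file altered after release,
// and an altered file shipped with a manifest signed by the wrong key.
func Demo() (genuine, tampered, forged error) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for an XPI; a real one is a zip archive.
	xpi := []byte("PK\x03\x04 constructed-addon.xpi contents")
	rel := SignRelease(devPriv, xpi)

	// Case 1: the bytes the user got are exactly the bytes released.
	genuine = VerifyRelease(devPub, xpi, rel)

	// Case 2: one byte changed between the developer and the user.
	altered := append([]byte(nil), xpi...)
	altered[len(altered)-1] ^= 0x01
	tampered = VerifyRelease(devPub, altered, rel)

	// Case 3: the altered file comes with a fresh manifest signed by some
	// other key; the digest matches, but the key is not the developer's.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedRel := SignRelease(otherPriv, altered)
	forged = VerifyRelease(devPub, altered, forgedRel)
	return genuine, tampered, forged
}

func main() {
	g, t, f := Demo()
	fmt.Println("genuine release:", g)
	fmt.Println("tampered file:  ", t)
	fmt.Println("forged manifest:", f)
}
```

The two checks are ordered so the more specific failure is reported first: a digest mismatch means the file itself changed, while a digest that matches but a signature that does not means someone other than the trusted key holder produced the manifest. Both the digest and the signature only buy accountability if the developer's public key reaches the user through a channel the attacker does not control, which is exactly the gap post #13 says the add-on site was not yet closing.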


                            #14
                            Re: Firefox: Add-on security vulnerability announcement

                            I already had some idea of the scope of the question, but you answer very well. I do think that the addons like Web Developer and Firebug which come highly recommended and used by a large number of web developers, have some measure of safety because of that user base. It is no doubt the new and perhaps frivolous ones, without a large user base, which are suspect. Also, your point about code signing is a good one.

                            Regarding trusting the Firefox site, well that is indeed the problem. WordPress has a similar situation in my mind. A myriad of themes are uploaded to their site and many (if not most) are poorly written by someone you've never heard of - and might never again. I understand this kind of system can encourage developers to contribute to the project, but just what constitutes a "developer" is not clear. They might have interests that are not good for the end user and be better described by some other word.

                            I think the problem stems from some perceived need to have a lot of choice. Personally, I'd rather have them offer only 10 good ones than 10 good ones mixed with 1000 dubious entries. That would be safer.



                              #15
                              Re: Firefox: Add-on security vulnerability announcement

                              There were problems with scripts in greasemonkey stealing cookies in the past: http://userscripts.org/topics/704
                              But that's repaired.
                              This certainly isn't the first time there are security problems with an add-on. Though it never was this bad.
                              The add-on SpellBound https://addons.mozilla.org/en-US/fir...s/display/9207 hijacked your startpage without any warning, and it was impossible to change it back. Mozilla only took down the latest version after being warned, and that took some time. But no warning was put on their site. I think that's a bad thing, because most people think "oh, it's the Firefox' site, so it's safe".
                              If this forces them to finally take security on add-ons seriously, that would be a good thing.
                              It's a pity for new add-ons, that's true, but the internet just isn't safe.
                              I use Firefox as my primary browser and I have a lot of add-ons in use for building sites. It's really important they are safe. And not only for me, of course.

                              If people want to install experimental add-ons they still can, but you have to search via Google or something like that. A really good add-on is mentioned in blogs etc. even before it's on Mozilla's site. You can then install it on the page of the builder. At least it's completely clear it isn't approved by Mozilla and doesn't give a false feeling of security.
