Zero-Day Vulnerabilities In Firefox Extensions

An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

Yep that's why I avoid extensions

[commodore64_love]

I don't trust them, plus they use more memory (I only have 1/2 gig), and they make the machine run slower. The only extensions I have are NoScript and ImageZoom and FlashVideoDownloader. I try to keep it to a minimum to avoid security problems, memory waste, and slowdown

Re:Yep that's why I avoid extensions

[amazeofdeath]

I completely agree, and I have been talking against the extension model for a long time. They are one of the main reasons why I use Opera instead of FF, as then I have only one vendor to introduce vulnerabilities, and it's the vendor I need to trust in any case to use the browser. Opera's inbuilt functionalities fortunately enable me to do the things for which I'd need to use extensions on FF.

Re:Yep that's why I avoid extensions

[Neil+Hodges]

The ad blocking functionality is limited in Opera, though. While its image-blocking setup works just fine, you can only block scripts based on the URL of the page being viewed, not by the URLs of each of the scripts themselves.

That said, I do use Opera at work since it's more responsive than Firefox.

Re:Yep that's why I avoid extensions

[commodore64_love]

You are correct that Opera's single vendor model is "safer" but the lack of extensions is a problem. If I see a youtube video I like, Opera has no way to grab it. Neither does it have an easy way to zoom-in on tiny photos. It's one of the reasons I've stayed with Firefox so I have the addon option if I need it.

Re:Yep that's why I avoid extensions

[amazeofdeath]

I might be misunderstanding your meaning, but if you mean things like Google's text ads, you can block them by adding "http://pagead2.*" to the blocked sites list. Sure, it's more work than with Adblock.

Re:Yep that's why I avoid extensions

[amazeofdeath]

>If I see a youtube video I like, Opera has no way to grab it.

You can grab it from Opera's cache. Not convenient, but doable (personally I have done it a couple of times; I have cache off normally, so I turn disc cache on, watch the vid, and then take the file from cache).

>Neither does it have an easy way to zoom-in on tiny photos.

Pressing "8" gives you incremental zoom ("6" puts it back to no zoom). Probably not exactly what you wanted, as it zooms the whole site, but again, a work-around.

Re:Yep that's why I avoid extensions

Neither does it have an easy way to zoom-in on tiny photos.

Huh? I zoom in and out of photos and web sites all the time using + and - keys. Maybe you're using Oprah?

Re:Yep that's why I avoid extensions

[cmiller173]

As a web developer I used the Web Developer Toolbar, Firebug, and DOM Inspector extensions daily. I could not be as productive without them.

Re:Yep that's why I avoid extensions

[clone53421]

BULLSHIT.

Just to save anyone else the trouble...

That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.

GTFO with your FUD.

Re:Yep that's why I avoid extensions

[sopssa]

While Opera has the full-scale ad blocking tools in itself, I've found Ad Muncher to be a lot better on it, and it works with all the other browsers you have installed and gives more options too.

Re:Yep that's why I avoid extensions

Only half a gigabyte? Here's a quarter, kid. Buy yourself some more memory.

Re:Yep that's why I avoid extensions

Can't find string terminator '"' anywhere before EOF on line 1

Re:Yep that's why I avoid extensions

[sconeu]

That's what the widget model is for. There are a couple of widgets for grabbing video.

Re:Yep that's why I avoid extensions

[clone53421]

A “minimum”, to me, would really be:

    Adblock Plus
    Download Statusbar
    Video DownloadHelper
    IE Tab
    Screengrab
    Tab Mix Plus

I don’t know how much bloat I’m adding by having them, but they all provide functionality that I really prefer not to do without. The only one that I’d be willing to waive is Screengrab, but it’s damn handy to have.

Re:Yep that's why I avoid extensions

[clone53421]

...says the troll from his mother’s basement. If you actually had a job you’d be more in a situation to criticize someone who does.

Re:Yep that's why I avoid extensions

Ad blocking shouldn't be done at the browser. It should be handled at the DNS level, or by a firewall or proxy.

You can run your own DNS server and return 127.0.0.1 for requests to known ad servers. You can do the same with your /etc/hosts file, too. This even works on Windows!

Use your firewall to prevent connections to known ad hosts.

Use a filtering proxy to strip out ads, Flash, ActiveX controls, and all sorts of other shit.

There are several community-collected lists of hostnames that are commonly used for serving ads, so you don't even have to build or maintain such a list yourself.

Do it those ways so it can easily apply to all browsers, mail clients, and other applications you might be using.

It's just fucking stupid to use a browser plugin to perform filtering that should be performed outside of the browser.

Re:Yep that's why I avoid extensions

[clone53421]

Why? Then I have useless queries to 127.0.0.1 which stall and finally give me 404’s.

Better to filter it at the original HTML content, and simply not even request the parts I don’t want to download.

Re:Yep that's why I avoid extensions

[sopssa]

You cant do the same kind of URL filtering on DNS level since the only thing you can filter is the domain/subdomain part. Theres lots of cases where you need to be able to filter more specifically (like if the website is hosting the ads itself, or just to make some more general rules), and Opera+Ad Muncher is perfect for that.

Re:Yep that's why I avoid extensions

[Pieroxy]

(note: I don't own a Mac and run IE almost exclusively)

*Booooom*

Re:Yep that's why I avoid extensions

[Pieroxy]

There was a time when you couldn't get more than half a gig on a machine. Maybe he's using one of these dinosaurs.

Re:Yep that's why I avoid extensions

[Carewolf]

That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.
GTFO with your FUD.

Check again. Try looking at how much memory firefox is allocating and not how much of it the operating system is currently keeping in memory. Most operating systems are smarter then the applications and flush any excess stupidity to the swap-file, so the inefficiency doesn't take up valuable physical memory. A clean firefox with about:blank is using 145Mbyte here, where the operating system is currently electing to start with 38 of them in memory.

And btw. stop swearing at people when you are wrong.

Re:Yep that's why I avoid extensions

That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.

I don't know how you come up with your number of MB, but in my experience, Firefox is always taking up some memory 'off the record'.

Re:Yep that's why I avoid extensions

[Hurricane78]

Memory waste? You mean like NoScript, which out of principle can’t work?
(NoScript blocks JavaScript, except for those sites where you enabled it because you needed it. Which happen to be exactly the sites that XSS attackers target! And don’t try to argue that you just don’t go to those sites. Because following that logic, you would have to stop receiving any data packet from the net. Because someone could crack the TCP/IP stack, the HTTP module, the HTML and CSS parser, the image loader, etc, etc, etc.)

Or like having a graphical user interface running, when you could use plain text.

Face it: If it is worth it, it is worth it! If something is worth that few ms of wait and that some kB/MB or RAM, then it is worth it.
I have 45 extensions. About half of them are development extensions. And some 5 or so are disabled. But every single one is worth it!
You know how I know that? Because I have them installed! (I throw any file off my system that does not get used and is not in my archive.)

Re:Yep that's why I avoid extensions

You don't trust extensions, yet you happily use F l a s h. Brilliant!

Re:Yep that's why I avoid extensions

[digitalchinky]

A slightly opposing point of view.

What's actually "fucking stupid" in my useless opinion are a set of services and black lists that alone soak up a metric shit ton of RAM with a nice chunk of performance sapping on the side - all of which accomplish exactly what a fairly simple set of rules in a tiny little plugin can do without any noticeable slow down.

I'll take my tiny little no fuss ad-block plus extension and ignore everything else because, really, it don't matter squat, it's not affected. Mail clients? I have a server that strips out the junk. What other applications might benefit from running DNS or an enormous host file locally? Let alone proxies, firewalls, and the other stuff you mention - my little $30 dollar wifi/router can take care of all that.

Re:Yep that's why I avoid extensions

[Antiocheian]

It is not always so. At the browser level ad blocking can remove iframes and make the make look cleaner without strange white blocks.

Also, regular expressions can identify in-house ads that can't be removed at the DNS level.

Re:Yep that's why I avoid extensions

[PitaBred]

A filtering proxy is WELL beyond what most people can set up. My parents aren't going to use one. They will be able to set up Adblock, though.

Re:Yep that's why I avoid extensions

[slimjim8094]

Mod parent down - that's a load of horseshit. DNS resolves hostnames, whether it's doubleclick.net or bankofamerica.cz. You break the Internet when that delibrately stops working - even just by yourself. And God help you if you run a webserver on your computer.

A filtering proxy is the way to go. That's what they're for, and a proxy is expected to modify the content.

Re:Yep that's why I avoid extensions

There used to be a windows ad-block proxy that was no harder to install than any other windows software. It noticeably slowed down browsing thought.

Re:Yep that's why I avoid extensions

[clone53421]

That page specifically said that it was RAM, by the way, not virtual memory size. “400 MB of RAM”. Virtual memory / swap size has nothing to do with it. Thus, your comment is completely incorrect and irrelevant. Yet you claim I’m the one who is wrong... *rolleyes*

Measuring the RAM usage makes sense, anyway. If it’s only just finished loading, and it’s still being displayed on the screen, there’s no reason to expect it to be swapped out so soon.

Even so, I checked it again, just to satisfy my curiosity.

This time, it said Firefox used 57 MB of RAM, with the VM usage reported at 49 MB.
Loading it with about:blank instead took 47 MB of RAM, VM usage being 40 MB.

Conclusion: Not significantly different from my first findings.

I don’t know why your installation is taking up so much space. Did you fully close out Firefox before testing it with the blank page, and did you make sure it started with the blank page so it wouldn’t have stuff cached from whatever else your home page might have been? If I closed all my tabs and put about:blank in the address bar right at this moment I’m sure I could get Firefox to use 150 MB to display it as well. That would tell me little to nothing about how much memory the page actually required.

Regarding swearing? He started it, and I wasn’t wrong anyhow.

Re:Yep that's why I avoid extensions

[LordLimecat]

....Which seems to bring the whole extension problem right back into the equation, doesnt it? Is there some technical difference between "widget" and "extension" that makes one inherently less secure than the other?

Re:Yep that's why I avoid extensions

[LordLimecat]

>> Tab Mix Plus Thats probably adding most of the bloat. Would be nice if they didnt duplicate functionality with so many built in firefox features (tab undo, restore session, etc)

Re:Yep that's why I avoid extensions

[farlukar]

But using the flashblock extension I'm perfectly safe!

Re:Yep that's why I avoid extensions

[clone53421]

P.S.

If you really want to bring Firefox to its knees, just save this short bit of test code as a .html file and open it.

Hell, don’t be picky – test it in all your favourite browsers and operating systems. Report back with results. I have no idea how well Chrome would handle it, for instance.

I do know that Firefox has ballooned to 367 MB of virtual memory usage and stands at over 20 minutes of CPU time (no idea where those figures stood before I opened the page, but meh... I’m guessing the VM size was around slightly half of that to begin with). I’m posting this from IE, waiting to see if Firefox ever cries uncle. (No, the nonresponsive script warning doesn’t ever fire.)

<html>
<body onload="var t = setTimeout('test();', 5000);">
<div id="links" style="width:100%;overflow:auto;"></div>
<script type="text/javascript">
var num = 100000;
var out = new Array();
for (var i = 0; i < num; i ++) out[i] = "<a href='javascript:;' title='none' onclick='void(0);'>test</a>";
document.getElementById("links").innerHTML = out.join("");
 
function test() {
    var elements = document.getElementsByTagName("a");
    var t_s, t_e;
 
    t_s = new Date();
    for (var i = 0; i < elements.length; i ++)
        elements[i].title = "element " + i;
    t_e = new Date();
    var t1 = t_e - t_s;
 
    t_s = new Date();
    for (var i = 0, e = elements.length; i < e; i ++)
        elements[i].title = "element " + i;
    t_e = new Date();
    var t2 = t_e - t_s;
 
    var out1 = "test 1: " + t1 + "ms<br />test 2: " + t2 + "ms";
 
    t_s = new Date();
    for (var i = 0; i < elements.length; i ++)
        elements[i].title = "element " + i;
    t_e = new Date();
    var t1 = t_e - t_s;
 
    t_s = new Date();
    for (var i = 0, e = elements.length; i < e; i ++)
        elements[i].title = "element " + i;
    t_e = new Date();
    var t2 = t_e - t_s;
 
    document.getElementById("results").innerHTML = out1 + "<br /><br />Second trial:<br />test 1: " + t1 + "ms<br />test 2: " + t2 + "ms";
}
</script>
<br />
 
<form><input type="button" value="test" onclick="var t = setTimeout('test();', 1000);" /></form>
<div id="results">The test hasn't been run yet.</div>
</body>
</html>

Re:Yep that's why I avoid extensions

[clone53421]

BTW, it clocked out at ~22 minutes of CPU with 420 MB of VM. Running the test by clicking the button only takes on the order of a few seconds, unlike generating the page to begin with, so don’t be worried about it taking forever if you want to see what that does. Not a whole lot... just changes the title on all the link elements. I originally wanted to see whether it was quicker to copy elements.length to a normal variable once rather than referring to it every time in the loop condition.

Re:Yep that's why I avoid extensions

[reub2000]

I'm betting that he has at least one free slot.

Re:Yep that's why I avoid extensions

[plague3106]

Doesn't IE8 have all that built in now (F12 key)?

Re:Yep that's why I avoid extensions

[fbjon]

Yes there is a major difference, the widgets are essentially small dynamic webpages just like any other page. Quote:

Opera Widgets are cross-platform and cross-device applications made with Web technologies;

Thus, no problem.

Re:Yep that's why I avoid extensions

And btw. stop swearing at people when you are wrong.

OK to swear when you are right CSMFSOB?

Re:Yep that's why I avoid extensions

[gerardolm]

"To try Ad Muncher free for 30 days, please visit our download page." Yeah, right.

Re:Yep that's why I avoid extensions

[gerardolm]

Oh, advertising on /.'s comments?

Partnership Program

The Ad Muncher partnership program allows you to refer people to an address like:

            http://youraccountname.admuncher.com/

and receive 20% of all purchases later made by those people. For more information please visit the partnership program website.

"foropera" is just his partner alias. Sad.

Re:Yep that's why I avoid extensions

[gerardolm]

Stop advertising, To anyone interested on buying Ad Muncher, just buy it through admuncher.com and not his link.

Re:Yep that's why I avoid extensions

Dude, you have no idea what you are talking about, and no idea how virtual memory or swap works. Grandparent was right. He was maybe wrong to suggest the original FUDer 'GTFO', but people like him, and me, are sick of this 'Wah Firefox leaks memory' BS.
I've never seen FF use more than 150M of memory, ever. Look:

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
22282 linus 20 0 231m 74m 23m S 1 7.5 1:25.35 firefox

Oh my god! FF is using 231M of swap!!!! Oh wait, I have no swap on this machine. Maybe that's not what it means, eh?

Re:Yep that's why I avoid extensions

[sopssa]

Yeah sure. I have been using Ad Muncher for years and can recommend it as a great piece of software for what I have commented. But since I have an partner account with them already, I can just use that on my links. But if you are really worried about that, just go to www.admuncher.com directly - its the same price.

Re:Yep that's why I avoid extensions

[thetoadwarrior]

That guy pulled that number out of his ass. Perhaps his computer has been compromised. I have about 10 tabs open including that link and FF is using 300 megs. Considering the amount of Javascript running on my pages, Flash content and all the other crap, I think it's doing quite well.

Re:Yep that's why I avoid extensions

How are you getting those memory usage figures though? None of the ordinary ways (ps, top, Windows Task Manager, etc) show you exactly how much memory the application is using because the numbers they present also include all shared libraries loaded and may or may not include the swap you are taking about.

And no, the OS will not just dump a bunch of stuff off to the swap file for no reason. Stuff only goes into swap when you run out of main memory and there is pressure to allocate more. Besides, do people even use disk based swap areas any more? I stopped using swap files when I went over 2 GB of RAM and that was at least 5 years ago. 500 MB is about the maximum you can swap out before your system would grind to a halt from disk thrashing and when you have 2/4/8+ GB of RAM what difference would 500 MB make? Swap files are relics from the 90's, man.

(as a side note, I find it funny and ridiculous when Windows creates a 16 GB page file on my machine with 8 GB of RAM. Yeah, like if I swapped out that much memory the computer would be even remotely usable; it's one of the first things I have to disable on new Windows installs)

Re:Yep that's why I avoid extensions

Stuff only goes into swap when you run out of main memory and there is pressure to allocate more.

Not true. Windows will always allocate pages in swap freeing up more physical memory for things like caching and pages of actively running processes. Many of the services and background processes you are running are doing nothing most of the time and should have their memory paged and create more physical memory for processes which need it.

Yeah, like if I swapped out that much memory the computer would be even remotely usable; it's one of the first things I have to disable on new Windows installs)

Disabling paging on Windows is not the performance booster you think it is. Some processes will allocate many pages of memory on load that they might never use and have no reason to be wasting valuable physical memory. You are only slowing down your system by disabling paging, as you are making less physical memory available to things that really need it.

Re:Yep that's why I avoid extensions

[ushering05401]

Your lack of disclosure of the relationship is the problem. With a proper disclaimer on your original link you may have ended up with a nice bounce today.

Re:Yep that's why I avoid extensions

[machine321]

On my machine (Win7 x64) viewing just this SD article used ~103MB; opening up a new tab with the "fuck firefox" page raised it to a whopping ~104MB. These numbers are from the "peak working set" from Task Manager. So, don't not curse when you're wrong.

Re:Yep that's why I avoid extensions

Nice for you. I have 47 enabled extensions, and I need every single one. If I didn't need extensions I'd be using Chrome. As for slowdown, extensions allow you to automate things, so that's a speedup.

Re:Yep that's why I avoid extensions

[Idiomatick]

Hmm I'm up to 460MB ... but I have about 40tabs open over 3 windows... With like 15addons on or so....

Re:Yep that's why I avoid extensions

[koogunmo]

NoScript has done some shady stuff in the past....

http://adblockplus.org/blog/attention-noscript-users

Re:Yep that's why I avoid extensions

[Hucko]

I can't get past a gb. stupid rambus.

Re:Yep that's why I avoid extensions

[BZ]

I just tried this in the Firefox 3.6 beta. Loads in about 3-4 seconds over here. 3.5 takes a lot longer (not sure how long; I got tired of waiting and killed it).

Re:Yep that's why I avoid extensions

[clone53421]

Maybe it is better in 3.6.

I was testing it in 3.5, and it basically froze the browser for AGES (>20 minutes)... oh, and increasing the loop counter will scale up the time and memory it takes.

Re:Yep that's why I avoid extensions

[AmiMoJo]

That 145MB includes stuff like memory mapped files that are open and system level stuff that FF has no control over (the OS allocates the memory for it as it sees fit). If FF opens a 50MB sqlite database file as memory mapped then it gets 50MB added to it's total memory usage, even though the OS may not have actually loaded a single byte of the file in to memory.

The bottom line is that there is no easy way to determine how much memory an app really uses. The amount of memory isn't the only factor in it's performance either - an app which uses little memory but instead keeps making random disc accesses spread over a large number of files (e.g. browser cache) will not only run slower itself but also bog the system down as other app's data gets flushed from the disk cache.

Chrome time

[jaggeh]

Time to switch to chrome until the holes are patched.

Re:Chrome time

Or you could, you know, remove those extensions?

Re:Chrome time

[Basje]

Or use a clean firefox without extensions.

Of course, without extensions there isn't much that sets firefox apart from chrome except for the license. Some purists will prefer firefox for that reason but it's pretty much a coin toss.

Re:Chrome time

[maxume]

Extensions that do not retrieve data (or even untrusted data) should also be reasonably safe from the types of attack discussed in the article (because the attacks discussed in the article all result from executing malicious data).

Re:Chrome time

[Stan92057]

Which ones? they clearly didn't list all the plug ins that are affected,only the known ones.

Re:Chrome time

[jgtg32a]

No you should switch to Chrome. I use FF because of the extensions, honestly I don't consider vanilla FF that much better than IE8. I've already moved all my friends off of FF to Chrome because they weren't interested in using extensions

Re:Chrome time

[DavidTC]

As should extensions that retrieve data from responsible sites, like those extensions that alter google result pages. Assuming Google doesn't try to attack us, they should be fine.

I use to have an assload of extensions, but I've been really trying to restrict what I have for speed issues, so I'm not that worried.

Re:Chrome time

[cmiller173]

Or use the " -profilemanager" switch on the shortcut that you launch Firefox with. You could then have a profile that loads no extensions that you use when surfing untrustworthy sites. And a profile that does load your extensions when you doing normal surfing. What I actually use it for is I have a profile that loads my development tools (Web Developer Toolbar, Firebug, and DOM Inspector) a profile for just normal surfing, and a profile with no extensions for when I need to be absolutely sure that the add-ons are not the cause of a problem.

Re:Chrome time

[clone53421]

they weren't interested in using extensions

Give them AdBlock Plus and let them use it for a while, and I honestly doubt they’ll still feel that way.

Re:Chrome time

[SanityInAnarchy]

Actually, not even the license, really. Just use Chromium, if you care.

Re:Chrome time

[maxume]

From what I gather, the vulnerabilities in the article all stem from trustworthy sites acting like untrustworthy sites (that is, something malicious gets stuck in a supposedly trusted RSS feed or whatever), so that particular separation probably isn't that important.

The idea of an extension that executes code from every page it visits is pretty scary, I hope none of those exist.

Re:Chrome time

So for Chrome do I run "apt-get install chrome" or what? Do I have to turn on some alternate repository?

Re:Chrome time

[thePowerOfGrayskull]

There's also the fact that FireFox doesn't force you to install an always-running background service whose sole purpose is to wake up periodically and check for updates (I think it is, anyway). You'd think these folks had never heard of "cron" or "task scheduler".

Re:Chrome time

[jgtg32a]

Try chromium-browser

Re:Chrome time

[jgtg32a]

Already tried and that was a long a stupid conversation; I had to drink heavily afterwords

Re:Chrome time

[LordLimecat]

Chrome (dev channel) has adblock plus. With subscriptions (easylist), a cute little icon, and gui-driven configuration that is identical to firefox's. I really do not see any area where firefox has a leg up-- even the dev tools rock in chrome. I can inspect an element, toy around with the CSS, and watch the changes apply in real time on the web page (note i am not a web dev).

Re:Chrome time

[daveime]

Umm, so what exactly does cron or Windows Task Manager do ?

Oh, that's right, they run in the background, waking up periodically to see if anything is due to be executed in the crontab / scheduled tasks list.

Is it possible to nominate the parent for dumbest comment of the day ?

Re:Chrome time

[thetoadwarrior]

Problem is that it sounds like there are a fair few affected and that's only the ones they found. Where as you can go to Chrome which will run faster and likely be more secure.The only thing I need FF for is Quake Live because I can't be bothered to create a Chrome shortcut to fake my agent.

Re:Chrome time

[maxume]

His point was that the Google updater should take advantage of the preexisting system functionality.

Re:Chrome time

[Toonol]

One is far worse than the other. Obviously, adding another task to an already resident part of the operating system that is intended for such use is far better than adding a completely new program, that runs continuously as a new process... both for performance and security. This problem is compounded when you have several pieces of software each with their own unique persistent updater.

Is it possible to nominate the parent for dumbest comment of the day ?

Possible, but he has some notable competition.

Re:Chrome time

[thePowerOfGrayskull]

Oh, that's right, they run in the background, waking up periodically to see if anything is due to be executed in the crontab / scheduled tasks list.

Yes, they run in the background. A single background process that is capable of launching any number of processes on any given schedule. This means that each individual application does not require its own always-running background process to poll for updates*.

Is it possible to nominate the parent for dumbest comment of the day ?

I bow before your superior intellect. Perhaps one of your mental prowess might also be interested in this concept called "component reuse", it's all the rage.

* (I'm looking at you, java, itunes, adobe, google, various antivirus companies, windows media scheduler... ah, crap, the list is too long)

I have to say, I am depressed...

[hesaigo999ca]

: (
FF is my favorite web browser because they always made sure to be more secure then IE. I guess when it comes to add-ons and extensions, its always a crap shoot, but I always thought FF was better at handling security for extensions then IE, I guess
I will have to go back to using linx now because I trust nothing else...
Life will be boring

Re:I have to say, I am depressed...

Or wget.

LOL

Re:I have to say, I am depressed...

[farlukar]

I will have to go back to using linx now because I trust nothing else...

If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

Re:I have to say, I am depressed...

[NoYob]

I will have to go back to using linx now because I trust nothing else...

If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

Yeah, but how do I know that the snapshot is clean? Or for that matter how do I know that my virtual machine hasn't been compromised?

They could have put a chip in my brain that makes my think that I'm browsing securely but in fact I'm not!

And who are you to be posting these things to make us feel like we can be secure? The sig of yours is French, no? But your user name looks Arabic. You could be a French secret agent with an Arabic code name - or, an Islamic Jihadist, hiding in France acting like a friendly internet user "helping" folks to "secure" their browsing habits all along undermining their computers so you and your agents can break in, compromise their machines, do your nefarious activities, and all the while, the poor sap who follows your advice gets arrested by the FBI while you take off with the hot secret agent babes from Russia.

No sir! I know what you're doing here!

Re:I have to say, I am depressed...

[commodore64_love]

Linux is boring? Sacrilege! You get to read all those obscure docs and get into flamewars with developers. How is that not fun? ;-)

Which reminds me, what Linux needs is something like what I had on my old Amiga PC: A graphical way of interacting with the CLI so I don't have to remember all those obscure commands like "sudo -s -t /whatever"

   

Re:I have to say, I am depressed...

[jd]

There's really no excuse for Firefox to allow at least some of the more common security flaws - or at least allowing those flaws to cause problems.

First, sandboxing of extensions should limit what problems can be caused.

Second, a lot of errors are caused by the overflowing of buffers - a problem that could be limited by the use of stretchy buffers or bounds-checking malloc implementations. Or not allowing direct access to the heap.

Third, Firefox (and indeed all programs) should run on the principle of least privilege. Where some specific subset of program functionality requires significantly greater privilege than the rest, run the subset as a different thread or process at a different level of privilege. By extension (bad pun, I know), extensions could also be run as a different thread or process with even fewer rights. (OS' that don't allow programs to shed rights might be a problem, though.)

Re:I have to say, I am depressed...

Poe's Law strikes again!

Re:I have to say, I am depressed...

[clone53421]

First, sandboxing of extensions should limit what problems can be caused.

While also limiting what functionality can be created.

Re:I have to say, I am depressed...

[farlukar]

Poe's Law strikes again!

Yes, it's terrible. I don't even know if I am serious or joking anymore.

Re:I have to say, I am depressed...

[clone53421]

You can’t possibly be serious...

Re:I have to say, I am depressed...

[owlstead]

Better yet, create a special user or two, one for anonymous browsing and one for your security relevant tasks (banking etc). The first one should be automatically reset after use (I use an Ubuntu guest account for that), the other one should have an encrypted home folder. At least make sure your browser is up to date if you use farlukar's scheme.

Re:I have to say, I am depressed...

[unix1]

They could have put a chip in my brain that makes my think that I'm browsing securely but in fact I'm not!

So, you have hardwired your brain into your computer and are using it as a Firefox extension? This makes my head spin.

Re:I have to say, I am depressed...

I prefer to have a generic copy image of XP. I create a new VDI in virtualbox everytime I want to do an online purchase then after the purchase I delete the VDI. My host system is Kubuntu 9.10. I also rebuild the default image once a month just to be on the safe side.

Re:I have to say, I am depressed...

[Hurricane78]

As it that would help if you’re paranoid.

You haven’t read about the Russian cracks where they got out of the virtual machine, by attacking it itself, and then wrapped a very thin VM around the entire outside OS, right between it and the metal.

In (Ex-)Soviet Russia, program virtualizes YOU!

Re:I have to say, I am depressed...

[hesaigo999ca]

Already done my friend, you are telling me nothing new...but for the endless clients i have installed
their machines for them (like my grandma) and cant use that app (too hard)...i always felt some level of security adding FF to their installs so they could have a bit more confidence surfing the web.

Re:I have to say, I am depressed...

[icepick72]

Yes, if they're that paranoid then do due diligence and stuff Firefox into that same virtual machine that IE is running inside for the same reason - then put Google Chrome on your PC computer.

Re:I have to say, I am depressed...

[Nicolay77]

I, on the contrary, am very happy because I use Opera precisely because of its security features.

I can surf any web page they post on reddit or digg without fear of viruses or trojans or endless javascript exploits or whatever.

Re:I have to say, I am depressed...

[Idiomatick]

Windows comes with it's own minigames. Also I'm sure it exists its just horribly maintained and glitchy.

Re:I have to say, I am depressed...

[jd]

Inherent in the idea that Firefox prohibit malicious code breaking into an extension and causing it to reformat /dev/hda1 is the idea that the extension itself cannot reformat /dev/hda1, as it is impossible for Firefox to know what will or will not cause an extension to do something maliciously.

Indeed, if an extension can do anything, it is possible to write an extension that allows an external program to control your computer with the privileges of Firefox AND (this is the important part) it is ALSO possible for a buggy extension to give such control of your computer with those same privileges.

If an extension can do absolutely anything, without any restriction, so can malicious code. The compromise suggestion was to have privileged operations in a distinct process. An extension overall can then still do anything but a given extension component cannot. (You didn't comment on that - not see it or you prefer to find something bad to say?)

Compartmentalizing extensions would, yes, make life much harder for extension writers. It would force them to be disciplined, code properly and not incorporate stupid security flaws. This would eliminate a lot of stupid coders, but I'm having a hard time seeing that as a bad thing.

If that was unacceptable, if you had to have the bad coders, then is sandboxing really so terrible? I honestly can't think of too many things Java application writers can't do, but Java is sandboxed. Forth programmers don't seem to have too many problems either - it's a very popular language for developing very low-level code like BIOSes - and yet also runs entirely in a compartmentalized virtual machine.

Hell, one could argue that any Trusted OS (ie: an OS that runs on top of a very thin security OS that provides all the operations that have security implications) is essentially an OS running in a sandbox. It might be harder to run the latest *ix games or applications under Trusted Solaris than it is under Linux, but unless you can name something you CANNOT run AT ALL, I'm inclined to believe that the limitation you speak of simply does not exist.

So if Firefox sandboxed extensions then it might need to provide some extra functionality via extensions to the existing API. Doesn't sound too horrible and it's certainly not fatal to developers.

So we definitely have multiple ways of improving security without preventing extension writers from doing what they want -- the only thing improving security would impose is HOW extension writers did things. Again, is that a bad thing?

I would rather see the death of bad code than see the death of Firefox because it got a reputation for being worse than IE on security. Particularly if the reputation was not due to Firefox per se but because extension writers were drunk or lobotomized at the time.

Zero Day

[siyavash]

Could we please stop using "Zero Day"? It's silly. Doesn't fit /. imho. Or is /. becoming Fox News of IT?

Re:Zero Day

[Lord+Lode]

What does it mean anyway? That you're infected in zero days?

Re:Zero Day

[taoye]

Apparently, yes. To paraphrase Wikipedia, it means that the attack occurs on the 0th day that the vendor is aware of the problem... which is a significant because it means the vendor has not even had a chance to respond to the vulnerability before it is exploited. Notwithstanding the fact that they could have prevented it, but that's another matter.

Re:Zero Day

[ohampersand]

A publicly disclosed vulnerability that has no available patch.

Re:Zero Day

[Fast+Thick+Pants]

Supposed you watched the Firefox commits when they do a security update (or reverse-engineered an IE patch) and discovered how to exploit a fixed vulnerability 2 days after the update. You could call that a 2-day vulnerability, and the small number of days means that a lot of people haven't patched yet.

So a zero-day vulnerability means that nobody's gotten a chance to patch yet, because the security hole is discovered before a patch is available.

Re:Zero Day

[clone53421]

Geez, I wonder where you could find that sort of information...

The term derives from the age of the exploit. When a vendor becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A “zero day” attack occurs on or before the first or “zeroth” day of vendor awareness, meaning the vendor has not had any opportunity to disseminate a security fix to users of the software.

Re:Zero Day

[thePowerOfGrayskull]

Can we please stop raising the subject of "zero day" every time someone mentions it in a summary? All that follows are countless* replies arguing the meaning of what "zero day" is.

*hyperbole may have been applied here.

How did the "many eyes" miss this?

Where is your multi-eyed God now OSS fanboys? Hmmmm???

Re:How did the "many eyes" miss this?

[Jalfro]

The trouble is, although Firefox is FOSS, most extensions are not.

Re:How did the "many eyes" miss this?

[RiotingPacifist]

Isn't the point that they have been seen now, if those holes where in closed binary addons (like coolaris preview) then they would never have been seen.

Re:How did the "many eyes" miss this?

[middlemen]

The real trouble is that most extensions are in javascript and javascript is not a language that emphasises security. The fact that there is no way to perform a "use strict;" (as in Perl) is for starters a way to get access to all the other global variables in other scripts.

I have written a Firefox extension, and the Mozilla Developer API allows you to load any script at runtime, and also gives access to all the possible extensions that are installed, thus giving you an idea of where they can be located on the disk, and then loading those files and manipulating the content on the fly. Because of the lack of strictness in javascript as a language, if a global variable XYZ is in one script, it can be manipulated by any other script as well. Fundamentally it is a problem with Javascript and not with the Mozilla API. The API is excellent and allows you to do a lot of things. Any solution to sandbox each extension will just lead to eventual bloat.

Re:How did the "many eyes" miss this?

[MozeeToby]

But, if the 'many eyes' were being honest with themselves, they should have cried foul at the insecure way extentions are handled before exploits were even known. It really isn't acceptible to give any random extention that much control over your software IMO.

Re:How did the "many eyes" miss this?

[clone53421]

The real trouble is that this is the way it’s designed, and it needs to stay this way.

Just like the real trouble with running arbitrary .exe files you download off the net is that .exe files are trusted a whole lot more than arbitrary files you download off the net ought to be.

Re:How did the "many eyes" miss this?

[SanityInAnarchy]

The real trouble is that most extensions are in javascript and javascript is not a language that emphasises security.

I don't really know of many languages that "emphasize security" -- indeed, Javascript is more sandboxed by default than most languages I know.

The fact that there is no way to perform a "use strict;" (as in Perl) is for starters a way to get access to all the other global variables in other scripts.

And the solution to this is obvious -- if you want to isolate scripts, isolate them at the runtime level, as you do for separate tabs/pages.

also gives access to all the possible extensions that are installed... Because of the lack of strictness in javascript as a language, if a global variable XYZ is in one script, it can be manipulated by any other script as well... Fundamentally it is a problem with Javascript and not with the Mozilla API.

Sorry, but that looks to me very much like a fatal flaw in the API. A strict language may allow you to compensate somewhat, but there is no reason a global variable needs to by default be accessible from every script.

allows you to do a lot of things.

So did older versions of Mac OS, which did not have a concept of memory protection -- all programs ran in the same address space. This let you do some interesting things that you can't do as easily on a platform like OS X, but it should be obvious why OS X is more stable and more secure.

Re:How did the "many eyes" miss this?

[tthomas48]

Um... posting things on slashdot about exploits? The many eyes doesn't mean all security bugs will be fixed before software ships. It means that over time the open nature will mean that the bugs can be found and closed easier.

Re:How did the "many eyes" miss this?

[unix1]

Any solution to sandbox each extension will just lead to eventual bloat.

How so? Whether the language does or doesn't support certain security features, they still have to implement the security within the browser. It's not a question of if, but how.

The problem is not the loosely typed language, it's that the API doesn't have a proper security model. One good way to implement it is to exactly sandbox each extension within their environment, only allow access to components/objects that are absolutely needed to run the extensions (but having no access to outside resources), and if additional access is required, present user with the security message and let the user decide whether to allow such access (either at install time, run time, selectively, allow user to grant for session/permanently, etc. - details can be adjusted as necessary).

It can't be that hard or "bloated" since many others are already doing this - Blackberry, Android, etc. - can't be too hard for a web browser.

Re:How did the "many eyes" miss this?

[middlemen]

It can't be that hard or "bloated" since many others are already doing this - Blackberry, Android, etc. - can't be too hard for a web browser.

They run a very minimal type of browser, and do not have extensions, so you're point here is not valid. Blackberry and/or Android are full fledged operating systems where sandboxing is easily implemented whereas browser is just an application and sandboxing an extension while still giving it access to every web page's content is a little harder to implement.

Re:How did the "many eyes" miss this?

[LordLimecat]

IIRC extensions are XPI files, which can be unzipped in to their component parts, and the source viewed.

Re:How did the "many eyes" miss this?

[BZ]

This only works for extensions that don't include binary components.

Re:How did the "many eyes" miss this?

[unix1]

The problem is not with "every web page's content" that can be accessed via the extensions.

The problem is the security layer for the API that those extensions use. This is not rocket science as you make it out to be.

Damned Activex Controls!

This is why Microsoft should turn off Activex Controls altogether.........oh wait........

Re:Damned Activex Controls!

[jpmorgan]

What's ironic is that since IE7, addons in IE are run inside IE's low-privilege jail.

Of course, that doesn't stop idiots (*cough*Adobe*cough*) from installing helper services to break their plugins out of the sandbox, and subverting all the added security.

Re:Browser vulnerabilities

I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior

Okay, Jack. Let us know how you make out.

Lobo?

[jhol13]

There really needs to be Java (or other "managed" language based) based browser (like Lobo). Unfortunately Lobo is not (yet?) ready for prime time.

Re:Lobo?

[jaggeh]

Sheriff lobo?

Re:Lobo?

[Meneth]

Garbage collection does not protect against most security breaches.

Re:Lobo?

[owlstead]

I'm very much in favor of that. I would even like to help building a Java based browser (e.g. with a OSGi based plug-in system). But the thing is that these extensions use all kinds of technologies, but not C/C++ (as far as I could see). So if the browser was managed code you would have the same issues. Managed code helps against many bugs, but not against all.

Re:Lobo?

[owlstead]

Garbage collection does not protect against *any* security breaches. It may even introduce a few security issues (e.g. files not closed since the destructor is not called in time). The lack of pointer arithmetic and addition of bounds checking, on the other hand, certainly does protect against many security breaches. It also enables a better component based design where one component cannot change the behavior of other components. E.g. in Lobo it seems that there is an API that enables plugins. If this API is well designed it won't allow plugins to change too much outside their sandbox.

Re:Lobo?

[SafeMode]

managed languages are meant as a convenience, not a crutch. Bad programmers shouldn't be encouraged to write their brain vomit in java any more than in C/C++.

The problem here anyway has nothing to do with language choice as much as an api that puts no restrictions on third party extensions. The question then has to be, how do you restrict what an extension can do when your whole platform is based on the idea that you can use extensions to completely rewrite the application's functionality.

Re:Lobo?

[jpmorgan]

The advantage of managed languages is they make it comparatively easy to build security boundaries. So yes, bad programmers shouldn't be encourged to write bad software, regardless of the language, but people are still going to write software with security flaws no matter what you do. Managed code like Java and .NET makes it easier to protect against flaws introduced by 3rd party extensions.

That being said, you don't HAVE to use managed code to create sandboxes, it just makes it easier. Since Vista windows has provided multiple integrity levels for this purpose (which IE uses) and Linux has chroot.

Re:Lobo?

[owlstead]

managed languages are meant as a convenience, not a crutch. Bad programmers shouldn't be encouraged to write their brain vomit in java any more than in C/C++.

The whole idea that security issues are only created by bad programmers is laughable. Anything that can put a lid on the number of (security) bugs is something that should be considered. Managed languages (no pointer arithmetic, bounds checking, exception handling etc.) are an important tool to accomplish that goal.

You are clearly looking down upon all those bad programmers with disdain. You know all those guys that think they can drive really well? Well, about half of them drive just above average.

The problem here anyway has nothing to do with language choice as much as an api that puts no restrictions on third party extensions. The question then has to be, how do you restrict what an extension can do when your whole platform is based on the idea that you can use extensions to completely rewrite the application's functionality.

Absolutely, there must be something that keeps those plugins in check. One way to do it is to have clear interface, an easy to read language and code reviews. It seems that this is the route that the FF devs have taken. It's a bit shaky and so you cannot trust each and every plugin.

However, it is much better than with a language where the plugins directly share the memory space (as in C/C++ and dynamically linked libs). Now *that* would really be unmanageable.

Re:Lobo?

[jhol13]

The problem here anyway has nothing to do with language choice

I disagree strongly. Although there have been (and will be) holes in Java runtime, it still has the goal of restricting programs from attacks. Something C++ really cannot do.

Re:Lobo?

[jhol13]

Actually, garbage collection does protect against reuse of "freed" pointer attack (after "free" you cannot access the memory).

This is requirement for safe code, though far from being sufficient.

Re:Lobo?

[jhol13]

Linux's chroot would be PITA. It would kill download. Capabilities might help, but Java permissions are far better (you can give an extension no permission for sockets or disk or allow just one directory or ...). Yes, I know, capabilities can almost the same level of control (but not quite).

(I have no clue about Vista, sorry)

Re:Lobo?

[jhol13]

Of course managed code cannot protect from ALL attacks, eg. integer overflow is still possible. But it can from quite a few. No more execute escalation even to user mode, no more overflow outside a buffer, impossible to access freed memory or with a wild pointer, etc.

Much better than FF or IE "track record".

Re:Lobo?

[owlstead]

I stand corrected :) Of course, if you work most of the time in a language that does not have any pointers (only refs, that can be null) you start to forget the obvious things that are part of C/C++ and the other non-managed languages.

Re:Lobo?

[BZ]

I'm not sure what managed language has to do with this. Firefox extensions are written in a managed language. If your managed language code does something dumb (like taking a string from a web page and acting on it in some way that gives the web page the ability to place data of its choosing on your hard drive), you still lose security-wise...

Re:Lobo?

[jhol13]

Maybe "managed" is not enough, maybe "sandbox" is what is needed (depending how you define "managed", of course).

There is something wrong with the sandbox system if the extensions can do what they could according to the article.

With Java you cannot (unless there is bug in Java runtime and in your code).

Re:Lobo?

[BZ]

JavaScript can be executed in a sandbox (e.g. websites) or not (e.g. an application that embeds SpiderMonkey without any sort of sandboxing). Similar with Java: some Java runs in a sandbox and some doesn't (e.g. one can write Java programs that write various files on disk and execute them in a jvm directly).

Extensions in Firefox are not sandboxed. Perhaps they should be; then they would be significantly more limited in what they can do (both good and bad). For example, a sandboxed extension, for any sane definition of sandboxing, couldn't do some of the things Firebug does, much less Chromebug.

Related link with more info on LWN

[owlstead]

A quick Google search found this interesting article from August of this year.

Go NoScript!

[L4t3r4lu5]

I read the article ( ! ) and saw NoScript mentioned; It seems that this can be exploited to whitelist sites within NoScript if FF has other addons installed. Scary stuff.

Re:Go NoScript!

I read the article ( ! ) and saw NoScript mentioned; It seems that this can be exploited to whitelist sites within NoScript if FF has other addons installed. Scary stuff.

You know where's the irony in your statement? NoScript was caught *actually* modifying AdBlock to whitelist NoScript's author sites, for profit. Yes, I know, you feel butt-hurt. That's reality.

Re:Go NoScript!

[clone53421]

Wow, this is a big [citation needed], and if it’s true, were they suitably bitch-slapped for it?

Re:Go NoScript!

[geekboy642]

Citation: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/

And there was as much bitch-slapping as ever occurs when any OSS developer does something blindingly stupid. The Internet's huddled masses screamed incoherently at them for a few days, and they realized that they weren't going to get away with it. Many, myself included, vowed to never again let Giorgio Maone's code run on any machine under our control.

Re:Go NoScript!

http://adblockplus.org/blog/attention-noscript-users

[citation provided]

Re:Go NoScript!

There was a story about it on this website called Slashdot, you may have heard of it? Or do you live under a rock or something?

Re:Go NoScript!

[clone53421]

Wow, yeah, he sounds pretty butthurt in that blog entry. *rolleyes*

At least the sites that tell you to disable AdBlock or you won’t be able to access their content are up-front and honest about it, and ultimately leave the decision in the visitor’s hands whether to enable their ads or just never visit again.

Re:Go NoScript!

[clone53421]

It was posted at 18:18 on a Friday evening. I don’t always check Slashdot on the weekends.

Re:Go NoScript!

[icebraining]

Of course it's true, all extension objects are accessible by other extensions. Only web page scripts are sandboxed. Which is nice, because it allows me to control NoScript through Vimperator scripts.

Re:Go NoScript!

[clone53421]

Meh. I really don’t blame it on Mozilla... addons are supposed to have pretty broad privileges. It’s up to you to decide whether you trust the publisher of the addon enough to install their stuff. The same would go for any application.

And I’m sure you’ve noticed that several other people provided citations for the claim, so no worries – saved you the trouble.

Re:Go NoScript!

[clone53421]

Basically, yeah. Addons are supposed to have this sort of privilege, it’s just up to the publisher to use it responsibly. Mozilla tries to enforce certain rules about how the addons should play nice, but they can’t catch everything.

Re:Go NoScript!

http://adblockplus.org/blog/attention-noscript-users - reported on /. here - http://news.slashdot.org/article.pl?sid=09/05/01/236248.

Re:Go NoScript!

forsake the single most useful browser add-on to ever exist because the author made a stupid mistake he immediately backpedaled and apologized for? hope that works out for you. I'll be over here not getting infuriated by soul-stealing js bullshit

Re:Go NoScript!

[geekboy642]

It wasn't a stupid mistake. It was a blatantly malicious hijacking of an uninvolved piece of software, and it should have resulted in his being blacklisted across the entire Mozilla site. Instead, he apologized for infecting thousands of computers, and he's re-welcomed with open arms and zero punishment. What prevents him from doing it again, but being even more sneaky about it? Nothing at all.

Even if his contrition is genuine, which I don't doubt, his actions required severe punishment. I'll live with having to manually turn on and off javascript when necessary.

Re:Go NoScript!

[machine321]

Not really.

http://en.wikipedia.org/wiki/Noscript#AdBlock_Plus

Re:Go NoScript!

[Firehed]

http://en.wikipedia.org/wiki/NoScript#AdBlock_Plus

And yes.

It's about trust

[TheCoders]

The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.

The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.

Re:It's about trust

[jadin]

I'm in the 'supposed to know crowd' and I had this misconception for a long time. If I failed so quickly in this aspect, what hope is there for "ma and pa" and the rest of the fam'? Which makes the question simply -

What is easier to fix? Firefox's security model or most of the world's perception?

Re:It's about trust

[wd5gnr]

I think the fact that extensions appear on the Mozilla add on site could give some users the impression that they are "trusted" in some way. By default, FF won't install except from there (and maybe one or two other sites). But as far as I know, there's no real check. I mean I'm sure if you put up a extension that wiped your hard drive, enough people would complain and comment that it would get yanked. But something more subtle, maybe not.

Re:It's about trust

[slimjim8094]

Well, probably the world's perception - adding a small warning would probably be pretty easy, and effective. The whole point and flexibility of Firefox is the fact that an add-on, which is mostly Javascript, can essentially rewrite the browser, as the browser is basically written in Javascript (as I understand).

That's the reason they don't call them plugins or "browser helper objects". They're not subordinate and can arbitrarily replace bits of the browser. The browser can't sandbox it or check it, you need to trust it.

That's analogous to having a problem where a program can fuck up your home directory and asking "What's easier to fix? The OS or the world's perception?" You can't have a useful OS if a program can't do anything, so you must fix the world's perception.

The fix is the same - trusted repositories. There was a disconnect between what people thought addons.mozilla.org was (completely trusted repos), and what it actually is (likely safe, but you don't know).

Re:It's about trust

The problem is not necessarily with Firefox's security model

Doesn't Chrome run many firefox extensions in a "sandboxed" mode that is much more secure ? If Chrome can do it why can't firefox ?

Re:It's about trust

Users need to be aware that installing a plugin is tantamount to installing an application.

The browser does tell people this, and even forces them to look at the notice for a minimum of 5 seconds or so. Extensions are also rated on Mozilla's site, so people have a basic idea of what kind of issues the extension might have and whether it's even useful or not.

What difference does this make to the casual user? People don't read notices, and will install anything.

Extensions should be required to list the resources they use. A mass downloader, URL re-writer, or color picking tool obviously doesn't need the same level of control as a tool for hacking HTTP headers.

Yawn...

[Jaysyn]

This will get fixed in Firefox shortly & then it will be even more secure. What's the problem?

Either way, I'm so hooked on the 20 or so extensions that I use, that I'd never go back to anything else. IE is the pits. Chrome's speed just isn't a that big of a deal. Opera is ok, but the users are worse than Mac snobs.

Re:Yawn...

The problem is that Firefox's security model for extension is non-existent. If they didn't before, people now know it pays to look for holes in popular extension. We all know there will be plenty of holes to be found, and because of Firefox' shit design all we can do is play catch-up and patch holes after they've been exploited.

color me unsurprised

[RiotingPacifist]

I've always tried to keep a check on my addons for exactly this reason, the more code your running the more chance there is an exploitable bug in there somewhere. While steps can be taken to prevent an exploited addon doing damage, i don't think much can be done to prevent a buggy addon doing exactly what it sets out to do but wrongly.

The good news is that because all the functionality comes from addons they can be disabled and only affect users that want these features, so bob wanting to use his browser as an rssreader doesn't affect me.

Re:Browser vulnerabilities

[clone53421]

I thought you were trolling, and then I read this:

I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior.

Poe’s Law appears to be in full effect today.

Privilege separation

[BlueParrot]

It's lovely and fussy and all things nice. A world facing app like a web-browser should make use of it.

Really with the performance of current desktop computers and even netbooks there's no good reason not to stick
potentially vulnerable parts of your browser in a separate process and block it from accessing anything it does not
absolutely need to deal with.

Adblock will save you memory

[Nicolas+MONNET]

It will also protect you overall, considering the amount of crap you find in web ads, even on supposedly reputable networks.

Re:Adblock will save you memory

[BenoitRen]

Speaking of Adblock Plus, its author, Wladimir Palant, was talking about security vulnerabilities in extensions not even a week back, pointing specifically at RSS feed extensions: http://adblockplus.org/blog/amo-getting-serious-about-add-on-security

Look to Android for the solution

[LS1+Brains]

Unchecked, or merely poorly checked third party code has long been a tender Achilles heel for any system. We beat down Windows 'round these parts with impunity, but often times the fault is with something outside of the code controlled by the Borg. Firefox is not immune obviously, and there should be some system to help prevent "issues" when extensions and plugins are used.

I wouldn't call it perfect, but Google's Android platform has a novel idea - your third party code must register for the privileges it requires to operate, and those privileges are then presented to the user for scrutiny in a very easy to understand manner. Install an Android application, and you get to see what rights you grant that app before it launches the first time. Hmmm, this game wants access to my contacts and the internet? No thank you, lets just delete that before it shares my phone list.

Re:Look to Android for the solution

[what+about]

It is Java again, just on different name because Microsoft has convinced anybody that Java is bad.
- Anybody knows what sandboxing is ?
- Defining privileges for applets or for downloaded applications ? (Java web start)

Anybody see the similarity between C# and Java (really CLR is a JVM, oh boy how much Microsoft has struggled to convince you that CLR is not a JVM)

So, just use Java, you cannot even say that it is slow, after Vista and Windows 7, anything is fast !
Firefox extensions could just be Java applets (yes, with checked hooks on browser events, obviously)
You gain years of experience, a language that checks what you do at compile time and not at runtime, a sandbox...

Why not ?

That actually makes sense.

[SanityInAnarchy]

From TFS:

Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.

Not one of these is true of Chrome extensions -- or at least, it is possible to develop extensions which are not fully trusted.

Re:That actually makes sense.

[LordLimecat]

An interesting note on this: I currently run Chrome (dev channel) with 3 extensions. A few days ago my extensions went to update, and all of a sudden I had an alert that the youtube extension update was going to change its permission level to grant it access to all websites. I promptly denied the request and uninstalled the extension.

Maybe Im crazy for not expecting this to be the default for all extension systems, but I was impressed.

Thus proving...

.. once again that marketing > reality. Firefox has been around since 2003. The situation with extensions has been the same since 2003. Firefox has been enjoying a "Mac effect" where the lack of market share and platform knowledge convinced their users that it's invulnerable to hacks and extensions are safe. Same people who laugh at ActiveX without having a clear idea what the problem is, would claim extensions are totally safe and install them by the dozens. In the last couple of years we have seen increased reporting of security problems with Firefox, and the fans of yesterday explain this with Firefox "becoming bloatware" and hence "becoming insecure". Becoming? Hardly. These issues have been always there. Go back to the first releases and you'll see.

Re:Thus proving...

[Ash-Fox]

In the last couple of years we have seen increased reporting of security problems with Firefox

Much like with other software in the last couple of years. This isn't unusual or unexpected from any software turning mainstream. What is pretty good is that the majority of these vulnerabilities are fixed very soon after. Except for certain, exploits, like on Windows and Linux, you can retrieve the start parameters of any applications being launched and thus if it's a ftp or http url with login credentials or login session in the URL (like launching the browser from an e-mail application) - Firefox has remained quite resilient (source: secunia).

Compare this to IE where many exploits are found and don't get fixed for years on end... (source: secunia). I personally feel there is a lower risk with Firefox, especially with it's automated update system that doesn't care how genuine your system is and default settings make it fully automatic updates, thus preventing the prolonged use of exploits that work years on a substantial amount of people for years).

the fans of yesterday explain this with Firefox "becoming bloatware" and hence "becoming insecure"

I've noticed you do generalize a lot.

Not the problem

[jDeepbeep]

I have been talking against the extension model for a long time.

The problem is not with the extension model. It is with the Firefox implementation of the extension model. If done properly, the browser would not be exposing an API to the plugin that is capable of doing naughty things, nor would it be exposing an API for a plugin to alter another plugin. You build a clear but limited line of communication on established browser events, but everything else is concealed from the plugin.

Re:Not the problem

I find it disturbing how everyone takes it on faith that you can run code in a sandbox just by defining some APIs "properly".

There is a fundamental tension between making everything convenient and making everything safe, and too many people pretend you can have both. Things like code signing, trusted computing platforms, virtual machines, and various forms of limited privileges are all mechanisms to help enforce limits, but they all fail when one ignores that there is a need for the final human auditing and "curation" of these mechanisms and how they are applied. The only trustworthy system is one compartmentalized such that the transitive closure of all components which can impact each function are worthy of trust up to the minimum standards of the system.

This is closely related to the myopia shown in the Fedora package policy brouhaha yesterday. People have made a number of logical leaps, and the sum total is to jeopardize system security. Does your trust model only have one equivalence class for trusted components or user roles, or are there finer distinctions? Have you made the false assumption that everything is perfect, so there is no value in "redundant" layers of security (otherwise known as defense-in-depth security)? Do you dismiss a traditional security tool as "too complicated", while replacing it with something much more elaborate with a large codebase (impossibly difficult to audit) linked into the system-high enforcement tools?

Reality vs Probability

[ossuary]

Even with those security issues, I would still put money on Firefox being much better at keeping problems off a user's system than IE (for now).

Re:Reality vs Probability

Even with those security issues, I would still put money on Firefox being much better at keeping problems off a user's system than IE (for now).

Some time ago you would be correct, but with IE8 in protected mode on Vista/Win7 registering far fewer vulnerabilities than Firefox in advisories from Secunia and others, it seems the table has been turned on security.

For what it's worth...

[SanityInAnarchy]

A world facing app like a web-browser should make use of it.

Chrome does. Yes, for its extensions.

Comment removed

[account_deleted]

Comment removed based on user account deletion

If Microsoft

[SnarfQuest]

If Microsoft spent as much time on their own software, as they do trying to belittle others, then they might be able to fix some of the gaping holes in Windows. But, I guess it's better politics to throw mud, than to clean up your own messes.

Re:If Microsoft

If Microsoft spent as much time on their own software, as they do trying to belittle others, then they might be able to fix some of the gaping holes in Windows. But, I guess it's better politics to throw mud, than to clean up your own messes.

How on earth do you arrive at this from a story about severe Firefox vulnerabilities that doesn't mention or relate to Microsoft in any way?

The force is strong with this one.

0-day?

[Tanaric]

This is the second story recently that tosses the term "0-day" around when "new" would suffice. Yes, 0-day sounds cool, and yes, it's a helpful description in, say, the warez scene (do we still call it that?), but in articles about bugs/exploits it just makes you sound stupid.

Re:0-day?

[clone53421]

0-day simply means that the vendors are unaware of the exploit until the moment when the attack goes public. It emphasizes the fact that the exploit was not found by the publishers, rather it was found by someone else. “New” does not.

Re:0-day?

[CountZer0]

True. A zero-day vulnerability is one that is found the same date the program is released. So unless these extensions are all brand new, these are not 0-day incidents.

Re:0-day?

Wrong, try again.

Plenty of people have already quoted the correct definition of a 0day attack. It has nothing to do with the date of release and everything to do with the date when the vendor knows the exploit exists. If the attack occurs on day 0 of vendor awareness, they have no opportunity to patch it.

Re:0-day?

Ah, irony. The GPP is wholly correct. You thought s/he was talking about a zero-day attack, which is one that is found within a day of a vulnerability being discovered. The GPP, however, correctly observed that a zero-day vulnerability, if such a notion is meaningful, implies one that is discovered the same day that the software is released.

The article title refers to zero-day vulnerabilities. The GPP is entirely correct to point out that that is untrue -- or, I would say, altogether meaningless.

Further, the article offers no examples of zero-day exploits, so it is not a case of simple misunderstanding. Net-security.org has consciously chosen to use a term that is at best a lie, at worst incoherent. Some individuals -- including the submitter, and yourself -- have chosen to perpetuate the confusion.

Google Chrome

[The+MAZZTer]

It's looking like Chrome will have "locked down", minimal privileges extensions. At least, in theory. An extension can request only the privileges it requires (manipulate tabs, manipulate windows, access specific wildcarded urls) and the user is notified of what the extension will be able to access when it is installed.

Unfortunately this price seems to be that extensions are far more limited in Chrome than they are in Firefox since that have limited access to the UI and such. For example, you can do a page action, which is an address bar button that appears in reaction to page contents or whatever, or you can do a browser action which is a toolbar button which is always visible (there's nothing preventing you from making a page action always visible though). But you can have only either one or the other, and only one of that kind or else the extension won't load!

Dont use them

This why to not use any extension at all. Also they often make firefox feel slow.

reminds me of forbidden planet...

[airdrummer]

monsters of the id, running amok:-( but i sympathize w/ giorgio...easylist is censorship by default.

Use profiles

[140Mandak262Jamuna]

As web developer you use two profiles. One to launch FF with all these tool bars, but you dont surf the net in this instance. A separte default FF without all these extensions, just the basic NoScript alone will be used for surfing the net.

Security through secrecy is not security.

[jbn-o]

Your post has been moderated "insightful" yet there's nothing insightful about trading away your software freedom to fight security vulnerabilities. Proprietary software can only be inspected or fixed by the proprietor. Free software can be inspected and fixed by a lot more people (including yourself if you so choose).

Re:Security through secrecy is not security.

[amazeofdeath]

>Proprietary software can only be inspected or fixed by the proprietor.

So third-party security researchers never find vulnerabilities in closed-source software?

You have misunderstood my post, my main point was that the extension model like FF's is just plain bad for security, as you increase the amount of people you need to trust from just the browser vendor to third-parties, who may or may not have proper skills in securing their software. We need something else, and my suggestion there would be more inbuilt functionality by the vendor.

>there's nothing insightful about trading away your software freedom to fight security vulnerabilities.

I'm not sure what you mean there. I subscribe to the free software ideal, and I really don't like using a closed-source browser like Opera in principle. However I do recognize the reasons why Opera is not open source software (I might completely agree with them, but anyway), and given Opera's good security record, I have made a personal choice to use it instead of an open-source browser because it seems to me that I can get a lot better security and quite much of the same functionality with it. My post was in no way meant to be any sales speech for Opera.

Re:Security through secrecy is not security.

[jbn-o]

So third-party security researchers never find vulnerabilities in closed-source software?

You're asking the wrong question or in search of the wrong point. Some vulnerabilities in proprietary software go undiscovered for a long time and no vulnerabilities in proprietary software are fixed by third parties. One's "security record" is irrelevant when that software is uninspectable, immutable, and changes cannot be shared. You cannot know if Opera keeps you safe precisely because you don't know what Opera is doing when it runs. There is simply too much unknown about proprietary software to claim it is more secure. All software has bugs but malicious software works better when distributed such that people are forbidden from inspecting, changing, and sharing their improvements. Even for accidental errors which lead to security problems, programmers make mistakes no matter whether the user's software freedom is respected. It's not a good idea, therefore, to cut yourself off from the freedom to inspect, fix, and share software. If you value your software freedom as you say you do, you can choose to run a free software browser and only install free software add-ons. These steps are impossible with a proprietary web browser. Furthermore, the principles of this discussion are not unique to web browsers; this is true of all computer software.

Instead of ad-blocker extensions, use CSS

[jcdill]

I use the customized CSS from www.floppymoose.com to block ads in Firefox. Works like a charm! I've been using it for about 5 years, and there hasn't been a single security incident associated with this solution.

New version

[dernotte]

Hi, I'm the author of infoRSS, and this version 1.1.4.x is an 1 year and 1/2 old version. Since then, the security layer has been well improved thanks to an assessment from an Australian security company. With the latest version (1.2.2) they were not able to find a security issue with it.

Re:New version

[clone53421]

Good to know. Yoono also appears to have released a new version. Sage is still at the version that is reported to have the insecurity (1.4.3).

Re:New version

[RJFerret]

Sage is still at the version that is reported to have the insecurity (1.4.3).

I just checked, thankfully I'm still using the 1.4.2 version of Sage, so no worries here!

Re:New version

[clone53421]

Actually, “and earlier versions” applied to all three extensions, not just Yoono. Am I about to get whooshed?

Oops, typo

[amazeofdeath]

That should of course be that I might *not* completely agree with the reasons Opera Software ASA gives for keeping the proprietary model.

SEX

Firefox without extensions is like sex without a partner, yes it will get the job done but it's really boring. Extensions are not going away anytime soon, its half the reason FF is so popular and useful, somebody should write a "security cop" plugin and that somebody should be FF only meaning it should be built into the browser. One of the big reasons we switched to FF from IE is because of security, that is supposed to be the foundation of FF, the developers need to find a solution fast before FF becomes as big a joke as IE.

Extension Blocking

[AmberBlackCat]

So is Firefox going to block these extensions for being unsafe, or are they only blocking the Flash plugin? Is it more to protect us, or more to attack Flash?

Zero day bollocks

[thetoadwarrior]

The term zero-day is being used far too often and I consider it a larger threat to my sanity than any FF extension is to my security.

71000

[tepples]

I tried it on a Firefox process that's been running for a while, and the "FUCK FIREFOX!" page and Slashdot put together take roughly 77 MB of "Mem Usage" and 66 MB of "VM Size" under Windows XP. But then I don't run any extensions other than Flashblock, ChatZilla, and Java Quick Start.

Zero-day exploit you mean?

[noidentity]

I can understand a zero-day exploit: one written within a day of a vulnerability being discovered. But what's a zero-day vulnerability? Presumably the vulnerability existed for days or months already. I'd think the zero-day would denote some duration between two events, like discovery and exploitation, as above.

Yoono extension fixed

[toddpringle]

The vulnerability cited in the article for Yoono 6.1.1 was fixed in Yoono 6.2 which was released in August. Just trying to get that word out.