Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day Vulnerabilities In Firefox Extensions

Posted by kdawson on from the wild-in-the-playground dept.

An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

7 of 208 comments (clear)

  1. Damned Activex Controls! by Anonymous Coward · · Score: 3, Funny

    This is why Microsoft should turn off Activex Controls altogether.........oh wait........

  2. Re:Browser vulnerabilities by Anonymous Coward · · Score: 1, Funny

    I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior

    Okay, Jack. Let us know how you make out.

  3. Re:Browser vulnerabilities by clone53421 · · Score: 2, Funny

    I thought you were trolling, and then I read this:

    I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior.

    Poe’s Law appears to be in full effect today.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  4. Re:I have to say, I am depressed... by NoYob · · Score: 3, Funny

    I will have to go back to using linx now because I trust nothing else...

    If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

    Yeah, but how do I know that the snapshot is clean? Or for that matter how do I know that my virtual machine hasn't been compromised?

    They could have put a chip in my brain that makes my think that I'm browsing securely but in fact I'm not!

    And who are you to be posting these things to make us feel like we can be secure? The sig of yours is French, no? But your user name looks Arabic. You could be a French secret agent with an Arabic code name - or, an Islamic Jihadist, hiding in France acting like a friendly internet user "helping" folks to "secure" their browsing habits all along undermining their computers so you and your agents can break in, compromise their machines, do your nefarious activities, and all the while, the poor sap who follows your advice gets arrested by the FBI while you take off with the hot secret agent babes from Russia.

    No sir! I know what you're doing here!

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
  5. Re:I have to say, I am depressed... by clone53421 · · Score: 2, Funny

    You can’t possibly be serious...

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  6. Re:Yep that's why I avoid extensions by Anonymous Coward · · Score: 1, Funny

    Can't find string terminator '"' anywhere before EOF on line 1

  7. Re:I have to say, I am depressed... by unix1 · · Score: 2, Funny

    They could have put a chip in my brain that makes my think that I'm browsing securely but in fact I'm not!

    So, you have hardwired your brain into your computer and are using it as a Firefox extension? This makes my head spin.