Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day Vulnerabilities In Firefox Extensions

Posted by kdawson on from the wild-in-the-playground dept.

An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

16 of 208 comments (clear)

  1. Yep that's why I avoid extensions by commodore64_love · · Score: 2, Informative

    I don't trust them, plus they use more memory (I only have 1/2 gig), and they make the machine run slower. The only extensions I have are NoScript and ImageZoom and FlashVideoDownloader. I try to keep it to a minimum to avoid security problems, memory waste, and slowdown

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:Yep that's why I avoid extensions by clone53421 · · Score: 2, Informative

      BULLSHIT.

      Just to save anyone else the trouble...

      That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.

      GTFO with your FUD.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    2. Re:Yep that's why I avoid extensions by Carewolf · · Score: 2, Informative

      That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.
      GTFO with your FUD.

      Check again. Try looking at how much memory firefox is allocating and not how much of it the operating system is currently keeping in memory. Most operating systems are smarter then the applications and flush any excess stupidity to the swap-file, so the inefficiency doesn't take up valuable physical memory. A clean firefox with about:blank is using 145Mbyte here, where the operating system is currently electing to start with 38 of them in memory.

      And btw. stop swearing at people when you are wrong.

    3. Re:Yep that's why I avoid extensions by plague3106 · · Score: 2, Informative

      Doesn't IE8 have all that built in now (F12 key)?

    4. Re:Yep that's why I avoid extensions by gerardolm · · Score: 2, Informative

      "To try Ad Muncher free for 30 days, please visit our download page." Yeah, right.

    5. Re:Yep that's why I avoid extensions by gerardolm · · Score: 3, Informative

      Oh, advertising on /.'s comments?

      Partnership Program

      The Ad Muncher partnership program allows you to refer people to an address like:

                  http://youraccountname.admuncher.com/

      and receive 20% of all purchases later made by those people. For more information please visit the partnership program website.

      "foropera" is just his partner alias. Sad.

    6. Re:Yep that's why I avoid extensions by gerardolm · · Score: 2, Informative

      Stop advertising, To anyone interested on buying Ad Muncher, just buy it through admuncher.com and not his link.

  2. Re:How did the "many eyes" miss this? by Jalfro · · Score: 1, Informative

    The trouble is, although Firefox is FOSS, most extensions are not.

  3. Re:Chrome time by Anonymous Coward · · Score: 1, Informative

    Or you could, you know, remove those extensions?

  4. Re:Chrome time by Basje · · Score: 2, Informative

    Or use a clean firefox without extensions.

    Of course, without extensions there isn't much that sets firefox apart from chrome except for the license. Some purists will prefer firefox for that reason but it's pretty much a coin toss.

    --
    the pun is mightier than the sword
  5. Re:Zero Day by taoye · · Score: 2, Informative

    Apparently, yes. To paraphrase Wikipedia, it means that the attack occurs on the 0th day that the vendor is aware of the problem... which is a significant because it means the vendor has not even had a chance to respond to the vulnerability before it is exploited. Notwithstanding the fact that they could have prevented it, but that's another matter.

  6. Re:I have to say, I am depressed... by farlukar · · Score: 5, Informative

    I will have to go back to using linx now because I trust nothing else...

    If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

    --
    Ceci n'est pas une .sig
  7. Re:Lobo? by owlstead · · Score: 2, Informative

    I'm very much in favor of that. I would even like to help building a Java based browser (e.g. with a OSGi based plug-in system). But the thing is that these extensions use all kinds of technologies, but not C/C++ (as far as I could see). So if the browser was managed code you would have the same issues. Managed code helps against many bugs, but not against all.

  8. Re:0-day? by CountZer0 · · Score: 2, Informative

    True. A zero-day vulnerability is one that is found the same date the program is released. So unless these extensions are all brand new, these are not 0-day incidents.

  9. Re:Chrome time by jgtg32a · · Score: 2, Informative

    Try chromium-browser

  10. New version by dernotte · · Score: 2, Informative

    Hi, I'm the author of infoRSS, and this version 1.1.4.x is an 1 year and 1/2 old version. Since then, the security layer has been well improved thanks to an assessment from an Australian security company. With the latest version (1.2.2) they were not able to find a security issue with it.