Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day Vulnerabilities In Firefox Extensions

Posted by kdawson on from the wild-in-the-playground dept.

An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

1 of 208 comments (clear)

  1. Re:I have to say, I am depressed... by farlukar · · Score: 5, Informative

    I will have to go back to using linx now because I trust nothing else...

    If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

    --
    Ceci n'est pas une .sig