Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day Vulnerabilities In Firefox Extensions

Posted by kdawson on from the wild-in-the-playground dept.

An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

3 of 208 comments (clear)

  1. It's about trust by TheCoders · · Score: 5, Insightful

    The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.

    The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.

    --
    My guitar chord generator.
    1. Re:It's about trust by jadin · · Score: 3, Insightful

      I'm in the 'supposed to know crowd' and I had this misconception for a long time. If I failed so quickly in this aspect, what hope is there for "ma and pa" and the rest of the fam'? Which makes the question simply -

      What is easier to fix? Firefox's security model or most of the world's perception?

    2. Re:It's about trust by wd5gnr · · Score: 3, Insightful

      I think the fact that extensions appear on the Mozilla add on site could give some users the impression that they are "trusted" in some way. By default, FF won't install except from there (and maybe one or two other sites). But as far as I know, there's no real check. I mean I'm sure if you put up a extension that wiped your hard drive, enough people would complain and comment that it would get yanked. But something more subtle, maybe not.