Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day Vulnerabilities In Firefox Extensions

Posted by kdawson on from the wild-in-the-playground dept.

An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

3 of 208 comments (clear)

  1. Chrome time by jaggeh · · Score: 0, Troll

    Time to switch to chrome until the holes are patched.

    --
    I would give everything i own for a little bit more.
  2. Zero Day by siyavash · · Score: 0, Troll

    Could we please stop using "Zero Day"? It's silly. Doesn't fit /. imho. Or is /. becoming Fox News of IT?

  3. How did the "many eyes" miss this? by Anonymous Coward · · Score: 0, Troll

    Where is your multi-eyed God now OSS fanboys? Hmmmm???