Zero-Day Vulnerabilities In Firefox Extensions
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.
Wow, what Firefox lacks in quantity they make up for in quality. These are huge - what's more, it is nothing short of negligent for the Firefox dev team to have designed the security model this way.
I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior.
Time to switch to Chrome until the holes are patched.
I would give everything I own for a little bit more.
Could we please stop using "Zero Day"? It's silly. Doesn't fit /. imho. Or is /. becoming the Fox News of IT?
Where is your multi-eyed God now OSS fanboys? Hmmmm???
FUCK FIREFOX!
Dang that Microsoft!!! Why can't they just make more secure software????
Yeah...I know this wasn't Microsoft, but aren't the rules here at /. that we are somehow supposed to blame Microsoft for everything?
Get a Mac!
(note: I don't own a Mac and run IE almost exclusively)
-JJS