Zero-Day Vulnerabilities In Firefox Extensions
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.
I don't trust them, plus they use more memory (I only have 1/2 gig), and they make the machine run slower. The only extensions I have are NoScript and ImageZoom and FlashVideoDownloader. I try to keep it to a minimum to avoid security problems, memory waste, and slowdown.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
:(
FF is my favorite web browser because they always made sure to be more secure than IE. I guess when it comes to add-ons and extensions, it's always a crap shoot, but I always thought FF was better at handling security for extensions than IE, I guess.
I will have to go back to using Lynx now because I trust nothing else...
Life will be boring
This is why Microsoft should turn off Activex Controls altogether.........oh wait........
What does it mean anyway? That you're infected in zero days?
The trouble is, although Firefox is FOSS, most extensions are not.
Or you could, you know, remove those extensions?
Isn't the point that they have been seen now? If those holes were in closed binary add-ons (like Cooliris preview) then they would never have been seen.
IranAir Flight 655 never forget!
Or use a clean firefox without extensions.
Of course, without extensions there isn't much that sets Firefox apart from Chrome except for the license. Some purists will prefer Firefox for that reason but it's pretty much a coin toss.
the pun is mightier than the sword
Apparently, yes. To paraphrase Wikipedia, it means that the attack occurs on the 0th day that the vendor is aware of the problem... which is significant because it means the vendor has not even had a chance to respond to the vulnerability before it is exploited. Notwithstanding the fact that they could have prevented it, but that's another matter.
A publicly disclosed vulnerability that has no available patch.
Okay, Jack. Let us know how you make out.
There really needs to be a Java (or other "managed" language) based browser (like Lobo). Unfortunately Lobo is not (yet?) ready for prime time.
A quick Google search found this interesting article from August of this year.
I read the article ( ! ) and saw NoScript mentioned; it seems that this can be exploited to whitelist sites within NoScript if FF has other add-ons installed. Scary stuff.
Finally had enough. Come see us over at https://soylentnews.org/
The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.
The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.
My guitar chord generator.
This will get fixed in Firefox shortly & then it will be even more secure. What's the problem?
Either way, I'm so hooked on the 20 or so extensions that I use that I'd never go back to anything else. IE is the pits. Chrome's speed just isn't that big of a deal. Opera is OK, but the users are worse than Mac snobs.
There is a war going on for your mind.
I've always tried to keep a check on my add-ons for exactly this reason: the more code you're running, the more chance there is an exploitable bug in there somewhere. While steps can be taken to prevent an exploited add-on doing damage, I don't think much can be done to prevent a buggy add-on doing exactly what it sets out to do, but wrongly.
The good news is that because all the functionality comes from add-ons they can be disabled and only affect users that want these features, so Bob wanting to use his browser as an RSS reader doesn't affect me.
I thought you were trolling, and then I read this:
I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior.
Poe’s Law appears to be in full effect today.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Suppose you watched the Firefox commits when they do a security update (or reverse-engineered an IE patch) and discovered how to exploit a fixed vulnerability 2 days after the update. You could call that a 2-day vulnerability, and the small number of days means that a lot of people haven't patched yet.
So a zero-day vulnerability means that nobody's gotten a chance to patch yet, because the security hole is discovered before a patch is available.
Extensions that do not retrieve data (or even untrusted data) should also be reasonably safe from the types of attack discussed in the article (because the attacks discussed in the article all result from executing malicious data).
Nerd rage is the funniest rage.
Geez, I wonder where you could find that sort of information...
It's lovely and fussy and all things nice. A world facing app like a web-browser should make use of it.
Really, with the performance of current desktop computers and even netbooks there's no good reason not to stick potentially vulnerable parts of your browser in a separate process and block it from accessing anything it does not absolutely need to deal with.
The real trouble is that most extensions are in javascript and javascript is not a language that emphasises security. The fact that there is no way to perform a "use strict;" (as in Perl) is for starters a way to get access to all the other global variables in other scripts.
I have written a Firefox extension, and the Mozilla Developer API allows you to load any script at runtime, and also gives access to all the possible extensions that are installed, thus giving you an idea of where they can be located on the disk, and then loading those files and manipulating the content on the fly. Because of the lack of strictness in javascript as a language, if a global variable XYZ is in one script, it can be manipulated by any other script as well. Fundamentally it is a problem with Javascript and not with the Mozilla API. The API is excellent and allows you to do a lot of things. Any solution to sandbox each extension will just lead to eventual bloat.
It will also protect you overall, considering the amount of crap you find in web ads, even on supposedly reputable networks.
Unchecked, or merely poorly checked third party code has long been a tender Achilles heel for any system. We beat down Windows 'round these parts with impunity, but often times the fault is with something outside of the code controlled by the Borg. Firefox is not immune obviously, and there should be some system to help prevent "issues" when extensions and plugins are used.
I wouldn't call it perfect, but Google's Android platform has a novel idea: your third party code must register for the privileges it requires to operate, and those privileges are then presented to the user for scrutiny in a very easy to understand manner. Install an Android application, and you get to see what rights you grant that app before it launches the first time. Hmmm, this game wants access to my contacts and the internet? No thank you, let's just delete that before it shares my phone list.
From TFS:
> Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.
Not one of these is true of Chrome extensions -- or at least, it is possible to develop extensions which are not fully trusted.
Don't thank God, thank a doctor!
No, you should switch to Chrome. I use FF because of the extensions; honestly I don't consider vanilla FF that much better than IE8. I've already moved all my friends off of FF to Chrome because they weren't interested in using extensions.
.. once again, marketing > reality. Firefox has been around since 2003. The situation with extensions has been the same since 2003. Firefox has been enjoying a "Mac effect" where the lack of market share and platform knowledge convinced its users that it's invulnerable to hacks and extensions are safe. The same people who laugh at ActiveX without having a clear idea what the problem is would claim extensions are totally safe and install them by the dozens. In the last couple of years we have seen increased reporting of security problems with Firefox, and the fans of yesterday explain this with Firefox "becoming bloatware" and hence "becoming insecure". Becoming? Hardly. These issues have always been there. Go back to the first releases and you'll see.
But, if the 'many eyes' were being honest with themselves, they should have cried foul at the insecure way extensions are handled before exploits were even known. It really isn't acceptable to give any random extension that much control over your software IMO.
As should extensions that retrieve data from responsible sites, like those extensions that alter Google result pages. Assuming Google doesn't try to attack us, they should be fine.
I used to have an assload of extensions, but I've been really trying to restrict what I have for speed issues, so I'm not that worried.
If corporations are people, aren't stockholders guilty of slavery?
Or use the "-profilemanager" switch on the shortcut that you launch Firefox with. You could then have a profile that loads no extensions that you use when surfing untrustworthy sites, and a profile that does load your extensions when you're doing normal surfing. What I actually use it for is I have a profile that loads my development tools (Web Developer Toolbar, Firebug, and DOM Inspector), a profile for just normal surfing, and a profile with no extensions for when I need to be absolutely sure that the add-ons are not the cause of a problem.
The real trouble is that this is the way it’s designed, and it needs to stay this way.
Just like the real trouble with running arbitrary .exe files you download off the net is that .exe files are trusted a whole lot more than arbitrary files you download off the net ought to be.
> they weren't interested in using extensions
Give them AdBlock Plus and let them use it for a while, and I honestly doubt they’ll still feel that way.
I have been talking against the extension model for a long time.
The problem is not with the extension model. It is with the Firefox implementation of the extension model. If done properly, the browser would not be exposing an API to the plugin that is capable of doing naughty things, nor would it be exposing an API for a plugin to alter another plugin. You build a clear but limited line of communication on established browser events, but everything else is concealed from the plugin.
Actually, not even the license, really. Just use Chromium, if you care.
Even with those security issues, I would still put money on Firefox being much better at keeping problems off a user's system than IE (for now).
From what I gather, the vulnerabilities in the article all stem from trustworthy sites acting like untrustworthy sites (that is, something malicious gets stuck in a supposedly trusted RSS feed or whatever), so that particular separation probably isn't that important.
The idea of an extension that executes code from every page it visits is pretty scary, I hope none of those exist.
> The real trouble is that most extensions are in javascript and javascript is not a language that emphasises security.
I don't really know of many languages that "emphasize security" -- indeed, Javascript is more sandboxed by default than most languages I know.
> The fact that there is no way to perform a "use strict;" (as in Perl) is for starters a way to get access to all the other global variables in other scripts.
And the solution to this is obvious -- if you want to isolate scripts, isolate them at the runtime level, as you do for separate tabs/pages.
> also gives access to all the possible extensions that are installed... Because of the lack of strictness in javascript as a language, if a global variable XYZ is in one script, it can be manipulated by any other script as well... Fundamentally it is a problem with Javascript and not with the Mozilla API.
Sorry, but that looks to me very much like a fatal flaw in the API. A strict language may allow you to compensate somewhat, but there is no reason a global variable needs to by default be accessible from every script.
> allows you to do a lot of things.
So did older versions of Mac OS, which did not have a concept of memory protection -- all programs ran in the same address space. This let you do some interesting things that you can't do as easily on a platform like OS X, but it should be obvious why OS X is more stable and more secure.
> A world facing app like a web-browser should make use of it.
Chrome does. Yes, for its extensions.
Um... posting things on slashdot about exploits? The many eyes doesn't mean all security bugs will be fixed before software ships. It means that over time the open nature will mean that the bugs can be found and closed easier.
> Any solution to sandbox each extension will just lead to eventual bloat.
How so? Whether the language does or doesn't support certain security features, they still have to implement the security within the browser. It's not a question of if, but how.
The problem is not the loosely typed language, it's that the API doesn't have a proper security model. One good way to implement it is to sandbox each extension within its own environment, only allow access to components/objects that are absolutely needed to run the extension (but having no access to outside resources), and if additional access is required, present the user with a security message and let the user decide whether to allow such access (either at install time, run time, selectively, allowing the user to grant for the session/permanently, etc. - details can be adjusted as necessary).
It can't be that hard or "bloated" since many others are already doing this - Blackberry, Android, etc. - can't be too hard for a web browser.
If Microsoft spent as much time on their own software, as they do trying to belittle others, then they might be able to fix some of the gaping holes in Windows. But, I guess it's better politics to throw mud, than to clean up your own messes.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
This is the second story recently that tosses the term "0-day" around when "new" would suffice. Yes, 0-day sounds cool, and yes, it's a helpful description in, say, the warez scene (do we still call it that?), but in articles about bugs/exploits it just makes you sound stupid.
It's looking like Chrome will have "locked down", minimal privileges extensions. At least, in theory. An extension can request only the privileges it requires (manipulate tabs, manipulate windows, access specific wildcarded urls) and the user is notified of what the extension will be able to access when it is installed.
Unfortunately the price seems to be that extensions are far more limited in Chrome than they are in Firefox, since they have limited access to the UI and such. For example, you can do a page action, which is an address bar button that appears in reaction to page contents or whatever, or you can do a browser action, which is a toolbar button which is always visible (there's nothing preventing you from making a page action always visible though). But you can have only either one or the other, and only one of that kind, or else the extension won't load!
There's also the fact that Firefox doesn't force you to install an always-running background service whose sole purpose is to wake up periodically and check for updates (I think it is, anyway). You'd think these folks had never heard of "cron" or "task scheduler".
monsters of the id, running amok:-( but i sympathize w/ giorgio...easylist is censorship by default.
As a web developer you use two profiles. One to launch FF with all these toolbars, but you don't surf the net in this instance. A separate default FF without all these extensions, just the basic NoScript alone, will be used for surfing the net.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
*hyperbole may have been applied here.
> It can't be that hard or "bloated" since many others are already doing this - Blackberry, Android, etc. - can't be too hard for a web browser.
They run a very minimal type of browser, and do not have extensions, so your point here is not valid. Blackberry and/or Android are full fledged operating systems where sandboxing is easily implemented, whereas a browser is just an application, and sandboxing an extension while still giving it access to every web page's content is a little harder to implement.
Try chromium-browser
Already tried, and that was a long and stupid conversation; I had to drink heavily afterwards.
I use the customized CSS from www.floppymoose.com to block ads in Firefox. Works like a charm! I've been using it for about 5 years, and there hasn't been a single security incident associated with this solution.
"I'd much rather be mistaken as a lesbian by a bigot than be mistaken as a bigot by a lesbian."
Hi, I'm the author of infoRSS, and this version 1.1.4.x is a one-and-a-half-year-old version. Since then, the security layer has been well improved thanks to an assessment from an Australian security company. With the latest version (1.2.2) they were not able to find a security issue with it.
>Proprietary software can only be inspected or fixed by the proprietor.
So third-party security researchers never find vulnerabilities in closed-source software?
You have misunderstood my post, my main point was that the extension model like FF's is just plain bad for security, as you increase the amount of people you need to trust from just the browser vendor to third-parties, who may or may not have proper skills in securing their software. We need something else, and my suggestion there would be more inbuilt functionality by the vendor.
>there's nothing insightful about trading away your software freedom to fight security vulnerabilities.
I'm not sure what you mean there. I subscribe to the free software ideal, and I really don't like using a closed-source browser like Opera in principle. However I do recognize the reasons why Opera is not open source software (I might completely agree with them, but anyway), and given Opera's good security record, I have made a personal choice to use it instead of an open-source browser because it seems to me that I can get a lot better security and quite much of the same functionality with it. My post was in no way meant to be any sales speech for Opera.
U+F8FF
That should of course be that I might *not* completely agree with the reasons Opera Software ASA gives for keeping the proprietary model.
IIRC extensions are XPI files, which can be unzipped in to their component parts, and the source viewed.
Chrome (dev channel) has AdBlock Plus. With subscriptions (EasyList), a cute little icon, and GUI-driven configuration that is identical to Firefox's. I really do not see any area where Firefox has a leg up -- even the dev tools rock in Chrome. I can inspect an element, toy around with the CSS, and watch the changes apply in real time on the web page (note I am not a web dev).
Umm, so what exactly does cron or Windows Task Manager do ?
Oh, that's right, they run in the background, waking up periodically to see if anything is due to be executed in the crontab / scheduled tasks list.
Is it possible to nominate the parent for dumbest comment of the day ?
So is Firefox going to block these extensions for being unsafe, or are they only blocking the Flash plugin? Is it more to protect us, or more to attack Flash?
Problem is that it sounds like there are a fair few affected, and that's only the ones they found. Whereas you can go to Chrome, which will run faster and likely be more secure. The only thing I need FF for is Quake Live, because I can't be bothered to create a Chrome shortcut to fake my agent.
The term zero-day is being used far too often and I consider it a larger threat to my sanity than any FF extension is to my security.
I tried it on a Firefox process that's been running for a while, and the "FUCK FIREFOX!" page and Slashdot put together take roughly 77 MB of "Mem Usage" and 66 MB of "VM Size" under Windows XP. But then I don't run any extensions other than Flashblock, ChatZilla, and Java Quick Start.
I can understand a zero-day exploit: one written within a day of a vulnerability being discovered. But what's a zero-day vulnerability? Presumably the vulnerability existed for days or months already. I'd think the zero-day would denote some duration between two events, like discovery and exploitation, as above.
His point was that the Google updater should take advantage of the preexisting system functionality.
One is far worse than the other. Obviously, adding another task to an already resident part of the operating system that is intended for such use is far better than adding a completely new program, that runs continuously as a new process... both for performance and security. This problem is compounded when you have several pieces of software each with their own unique persistent updater.
> Is it possible to nominate the parent for dumbest comment of the day ?
Possible, but he has some notable competition.
> Oh, that's right, they run in the background, waking up periodically to see if anything is due to be executed in the crontab / scheduled tasks list.
Yes, they run in the background. A single background process that is capable of launching any number of processes on any given schedule. This means that each individual application does not require its own always-running background process to poll for updates*.
> Is it possible to nominate the parent for dumbest comment of the day ?
I bow before your superior intellect. Perhaps one of your mental prowess might also be interested in this concept called "component reuse", it's all the rage.
* (I'm looking at you, java, itunes, adobe, google, various antivirus companies, windows media scheduler... ah, crap, the list is too long)
This only works for extensions that don't include binary components.
You're asking the wrong question or in search of the wrong point. Some vulnerabilities in proprietary software go undiscovered for a long time and no vulnerabilities in proprietary software are fixed by third parties. One's "security record" is irrelevant when that software is uninspectable, immutable, and changes cannot be shared. You cannot know if Opera keeps you safe precisely because you don't know what Opera is doing when it runs. There is simply too much unknown about proprietary software to claim it is more secure. All software has bugs but malicious software works better when distributed such that people are forbidden from inspecting, changing, and sharing their improvements. Even for accidental errors which lead to security problems, programmers make mistakes no matter whether the user's software freedom is respected. It's not a good idea, therefore, to cut yourself off from the freedom to inspect, fix, and share software. If you value your software freedom as you say you do, you can choose to run a free software browser and only install free software add-ons. These steps are impossible with a proprietary web browser. Furthermore, the principles of this discussion are not unique to web browsers; this is true of all computer software.
Digital Citizen
The problem is not with "every web page's content" that can be accessed via the extensions.
The problem is the security layer for the API that those extensions use. This is not rocket science as you make it out to be.
The vulnerability cited in the article for Yoono 6.1.1 was fixed in Yoono 6.2 which was released in August. Just trying to get that word out.