Slashdot Mirror
Zero-Day Vulnerabilities In Firefox Extensions
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.
I don't trust them, plus they use more memory (I only have 1/2 gig), and they make the machine run slower. The only extensions I have are NoScript and ImageZoom and FlashVideoDownloader. I try to keep it to a minimum to avoid security problems, memory waste, and slowdown
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
This is why Microsoft should turn off Activex Controls altogether.........oh wait........
Isn't the point that they have been seen now, if those holes where in closed binary addons (like coolaris preview) then they would never have been seen.
IranAir Flight 655 never forget!
Or use a clean firefox without extensions.
Of course, without extensions there isn't much that sets firefox apart from chrome except for the license. Some purists will prefer firefox for that reason but it's pretty much a coin toss.
the pun is mightier than the sword
Apparently, yes. To paraphrase Wikipedia, it means that the attack occurs on the 0th day that the vendor is aware of the problem... which is a significant because it means the vendor has not even had a chance to respond to the vulnerability before it is exploited. Notwithstanding the fact that they could have prevented it, but that's another matter.
If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.
Ceci n'est pas une
The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.
The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.
My guitar chord generator.
I thought you were trolling, and then I read this:
I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior.
Poe’s Law appears to be in full effect today.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
I'm very much in favor of that. I would even like to help building a Java based browser (e.g. with a OSGi based plug-in system). But the thing is that these extensions use all kinds of technologies, but not C/C++ (as far as I could see). So if the browser was managed code you would have the same issues. Managed code helps against many bugs, but not against all.
It will also protect you overall, considering the amount of crap you find in web ads, even on supposedly reputable networks.
If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.
Yeah, but how do I know that the snapshot is clean? Or for that matter how do I know that my virtual machine hasn't been compromised?
They could have put a chip in my brain that makes my think that I'm browsing securely but in fact I'm not!
And who are you to be posting these things to make us feel like we can be secure? The sig of yours is French, no? But your user name looks Arabic. You could be a French secret agent with an Arabic code name - or, an Islamic Jihadist, hiding in France acting like a friendly internet user "helping" folks to "secure" their browsing habits all along undermining their computers so you and your agents can break in, compromise their machines, do your nefarious activities, and all the while, the poor sap who follows your advice gets arrested by the FBI while you take off with the hot secret agent babes from Russia.
No sir! I know what you're doing here!
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
You can’t possibly be serious...
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
They could have put a chip in my brain that makes my think that I'm browsing securely but in fact I'm not!
So, you have hardwired your brain into your computer and are using it as a Firefox extension? This makes my head spin.
This is the second story recently that tosses the term "0-day" around when "new" would suffice. Yes, 0-day sounds cool, and yes, it's a helpful description in, say, the warez scene (do we still call it that?), but in articles about bugs/exploits it just makes you sound stupid.
Try chromium-browser
I use the customized CSS from www.floppymoose.com to block ads in Firefox. Works like a charm! I've been using it for about 5 years, and there hasn't been a single security incident associated with this solution.
"I'd much rather be mistaken as a lesbian by a bigot than be mistaken as a bigot by a lesbian."
Hi, I'm the author of infoRSS, and this version 1.1.4.x is an 1 year and 1/2 old version. Since then, the security layer has been well improved thanks to an assessment from an Australian security company. With the latest version (1.2.2) they were not able to find a security issue with it.