Slashdot Mirror


Zero-Day Vulnerabilities In Firefox Extensions

An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

7 of 208 comments

  1. Damned ActiveX Controls! by Anonymous Coward · · Score: 3, Funny

    This is why Microsoft should turn off ActiveX Controls altogether.........oh wait........

  2. Re:I have to say, I am depressed... by farlukar · · Score: 5, Informative

    I will have to go back to using linx now because I trust nothing else...

    If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

    --
    Ceci n'est pas une .sig
  3. It's about trust by TheCoders · · Score: 5, Insightful

    The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.

    The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.

    1. Re:It's about trust by jadin · · Score: 3, Insightful

      I'm in the 'supposed to know crowd' and I had this misconception for a long time. If I failed so quickly in this aspect, what hope is there for "ma and pa" and the rest of the fam'? Which makes the question simply -

      What is easier to fix? Firefox's security model or most of the world's perception?

    2. Re:It's about trust by wd5gnr · · Score: 3, Insightful

      I think the fact that extensions appear on the Mozilla add-on site could give some users the impression that they are "trusted" in some way. By default, FF won't install except from there (and maybe one or two other sites). But as far as I know, there's no real check. I mean I'm sure if you put up an extension that wiped your hard drive, enough people would complain and comment that it would get yanked. But something more subtle, maybe not.

  4. Re:I have to say, I am depressed... by NoYob · · Score: 3, Funny

    I will have to go back to using linx now because I trust nothing else...

    If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

    Yeah, but how do I know that the snapshot is clean? Or for that matter how do I know that my virtual machine hasn't been compromised?

    They could have put a chip in my brain that makes me think that I'm browsing securely but in fact I'm not!

    And who are you to be posting these things to make us feel like we can be secure? The sig of yours is French, no? But your user name looks Arabic. You could be a French secret agent with an Arabic code name - or, an Islamic Jihadist, hiding in France acting like a friendly internet user "helping" folks to "secure" their browsing habits all along undermining their computers so you and your agents can break in, compromise their machines, do your nefarious activities, and all the while, the poor sap who follows your advice gets arrested by the FBI while you take off with the hot secret agent babes from Russia.

    No sir! I know what you're doing here!

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
  5. Re:Yep that's why I avoid extensions by gerardolm · · Score: 3, Informative

    Oh, advertising on /.'s comments?

    Partnership Program

    The Ad Muncher partnership program allows you to refer people to an address like:

                http://youraccountname.admuncher.com/

    and receive 20% of all purchases later made by those people. For more information please visit the partnership program website.

    "foropera" is just his partner alias. Sad.