Slashdot Mirror


Popular Firefox Add-Ons Open Millions To New Attack (slashgear.com)

An anonymous reader writes: Security researchers claim that NoScript and other popular Firefox add-on extensions are exposing millions of end users to a new type of vulnerability which, if exploited, can allow an attacker to execute malicious code and steal sensitive data. The vulnerability resides in the way Firefox extensions interact with each other. From a report on SlashGear, "The problem is that these extensions do not run sandboxed and are able to actually access data or functions from other extensions that are also enabled. This could mean, for example, that a malware masquerading as an add-on can access the functionality of one add-on to get access to system files or the ability of another add-on to redirect users to a certain web page, usually a phishing scam page. In the eyes of Mozilla's automated security checks, the devious add-on is blameless as it does nothing out of the ordinary." Firefox's VP of Product acknowledged the existence of the aforementioned vulnerability. "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative -- our project to introduce multi-process architecture to Firefox later this year -- we will start to sandbox Firefox extensions so that they cannot share code."

3 of 54 comments

  1. Pointing fingers. by Anonymous Coward · Score: 4, Insightful

    So it's the way Firefox sandboxes add-ons?.. the article makes it sound like NoScript & friends are the ones directly opening "millions to new attack.." when it's just Firefox. So a malicious add-on has to be approved by Firefox's team and then downloaded by some sorry victim?
    I don't think your average NoScript user is incompetent enough to download and install your "FreeToolbarFreeExtensionFree2016" add-on. I guess it makes a better story to paint NoScript and other vulnerable add-ons as the bad guys instead of Firefox itself.

  2. QUICK! STOP USING NOSCRIPT! by Anonymous Coward · Score: 5, Insightful

    So we can shove the whitelisted ads we extorted money from with AdBlock down your throat!

    That's pretty much what popped into my head the second I saw NoScript mentioned in the lead.

  3. Re:This article is alarmist rubbish. by Anonymous Coward · Score: 5, Insightful

    The low level extension mechanism is THE thing that separates FF from other browsers. The only thing left, really. If they eliminate it, there will be no reason left to use FF, and what little market share they have remaining will evaporate.

    On the other hand, it will please their advertiser sponsors, because it will become much harder for a FF user to retain privacy from the data harvesters.