Hijacking Firefox Via Insecure Add-Ons 87
An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.
fud? (Score:4, Interesting)
don't automatically update (Score:2, Interesting)
Firefox extensions are insecure (Score:3, Interesting)
Yes, one should be careful about the extensions, and use them carefully. And one should be careful about using WiFi in coffee shops and hotels. I am far more worried about our salesmen plugging in their lap top in some hotel network in Bangkok, pick up an infection and coming to corporate HQ and plug that laptop in our intranet, behind the firewall, in the trusted network. I have asked my sysadmin to set up a separate network for laptops that might be used outside our intranet that is not part of the trusted intra net.
Re:fud? (Score:4, Interesting)
But using HTTPS wouldn't solve this problem either, because Verisign will sell a certificate to anyone with money. What should be happening is that developers sign their packages like they do for DEB and RPM package distros. That way you always know that you're getting your updates from the same person, no matter what your internet connection.
Welcome to the wonderful world of Bloatware (Score:3, Interesting)
You derided Opera's minuscule userbase.
You vied for the top dog spot.
Well, now you're on your way to getting there. You're gaining markt share. With growing market share come the demands of progressively dumber users - it's just the nature of the technology market. FF's code needs a good clean-up.
Re:fud? (Score:3, Interesting)
That would be the big difference here between firefox and explorer.
The real problem is when website authors make network dependencies with this kind of crap and scorn open standards. While many firefox extensions are nifty they are entirely optional. This is in stark contrast to the current trend in requiring flash or other plugins for every stupid little thing.
Quicktime buttons are another fun one.
Re:Firefox extensions are insecure (Score:3, Interesting)
Uh... not true at all. Firefox extensions can contain (and run) executable code.
As the Greasemokey security vulnerability [oreillynet.com] demonstrated, web pages can "script" Firefox extensions.
ActiveX = executable code + scripting from the web browser. Firefox extensions introduce the same risks as ActiveX.
(addons.mozilla.org is having problems right now, otherwise I'd point out some extensions that have .EXEs in them. I looked into it before and one extension that had them added support for 3rd party download managers - don't recall the name...)