Zero-Day Vulnerabilities In Firefox Extensions

Posted by kdawson
from the wild-in-the-playground dept.
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.
  • by commodore64_love (1445365) on Friday November 20, 2009 @10:16AM (#30171318) Journal
    I don't trust them, plus they use more memory (I only have 1/2 gig), and they make the machine run slower. The only extensions I have are NoScript and ImageZoom and FlashVideoDownloader. I try to keep it to a minimum to avoid security problems, memory waste, and slowdown.
    • Re: (Score:2, Insightful)

      by amazeofdeath (1102843)

      I completely agree, and I have been talking against the extension model for a long time. They are one of the main reasons why I use Opera instead of FF, as then I have only one vendor to introduce vulnerabilities, and it's the vendor I need to trust in any case to use the browser. Opera's inbuilt functionalities fortunately enable me to do the things for which I'd need to use extensions on FF.

      • The ad blocking functionality is limited in Opera, though. While its image-blocking setup works just fine, you can only block scripts based on the URL of the page being viewed, not by the URLs of each of the scripts themselves.

        That said, I do use Opera at work since it's more responsive than Firefox.

      • You are correct that Opera's single vendor model is "safer" but the lack of extensions is a problem. If I see a youtube video I like, Opera has no way to grab it. Neither does it have an easy way to zoom-in on tiny photos. It's one of the reasons I've stayed with Firefox so I have the addon option if I need it.

        • by sconeu (64226)

          That's what the widget model is for. There are a couple of widgets for grabbing video.

          • ....Which seems to bring the whole extension problem right back into the equation, doesn't it? Is there some technical difference between "widget" and "extension" that makes one inherently less secure than the other?
            • by fbjon (692006)
              Yes there is a major difference, the widgets are essentially small dynamic webpages just like any other page. Quote [opera.com]:

              Opera Widgets are cross-platform and cross-device applications made with Web technologies;

              Thus, no problem.

      • I have been talking against the extension model for a long time.

        The problem is not with the extension model. It is with the Firefox implementation of the extension model. If done properly, the browser would not be exposing an API to the plugin that is capable of doing naughty things, nor would it be exposing an API for a plugin to alter another plugin. You build a clear but limited line of communication on established browser events, but everything else is concealed from the plugin.

    • It will also protect you overall, considering the amount of crap you find in web ads, even on supposedly reputable networks.

    • Re: (Score:3, Interesting)

      by cmiller173 (641510)
      As a web developer I used the Web Developer Toolbar, Firebug, and DOM Inspector extensions daily. I could not be as productive without them.
      • As a web developer you use two profiles. One to launch FF with all these toolbars, but you don't surf the net in this instance. A separate default FF without all these extensions, just the basic NoScript alone, will be used for surfing the net.
      • Re: (Score:2, Informative)

        by plague3106 (71849)

        Doesn't IE8 have all that built in now (F12 key)?

    • A “minimum”, to me, would really be:

          Adblock Plus
          Download Statusbar
          Video DownloadHelper
          IE Tab
          Screengrab
          Tab Mix Plus

      I don’t know how much bloat I’m adding by having them, but they all provide functionality that I really prefer not to do without. The only one that I’d be willing to waive is Screengrab, but it’s damn handy to have.

      • >> Tab Mix Plus
        That's probably adding most of the bloat. Would be nice if they didn't duplicate functionality with so many built-in Firefox features (tab undo, restore session, etc.)
    • Memory waste? You mean like NoScript, which out of principle can’t work?
      (NoScript blocks JavaScript, except for those sites where you enabled it because you needed it. Which happen to be exactly the sites that XSS attackers target! And don’t try to argue that you just don’t go to those sites. Because following that logic, you would have to stop receiving any data packet from the net. Because someone could crack the TCP/IP stack, the HTTP module, the HTML and CSS parser, the image loader, e

  • : (
    FF is my favorite web browser because they always made sure to be more secure than IE. I guess when it comes to add-ons and extensions, it's always a crap shoot, but I always thought FF was better at handling security for extensions than IE, I guess
    I will have to go back to using linx now because I trust nothing else...
    Life will be boring

    • by farlukar (225243) on Friday November 20, 2009 @10:33AM (#30171540) Homepage Journal

      I will have to go back to using linx now because I trust nothing else...

      If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

      • Re: (Score:3, Funny)

        by NoYob (1630681)

        I will have to go back to using linx now because I trust nothing else...

        If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

        Yeah, but how do I know that the snapshot is clean? Or for that matter how do I know that my virtual machine hasn't been compromised?

        They could have put a chip in my brain that makes me think that I'm browsing securely but in fact I'm not!

        And who are you to be posting these things to make us feel like we can be secure? The sig of yours is French, no? But your user name looks Arabic. You could be a French secret agent with an Arabic code name - or, an Islamic Jihadist, hiding in France acting like a frien

        • Re: (Score:2, Funny)

          by unix1 (1667411)

          They could have put a chip in my brain that makes me think that I'm browsing securely but in fact I'm not!

          So, you have hardwired your brain into your computer and are using it as a Firefox extension? This makes my head spin.

      • by owlstead (636356)

        Better yet, create a special user or two, one for anonymous browsing and one for your security relevant tasks (banking etc). The first one should be automatically reset after use (I use an Ubuntu guest account for that), the other one should have an encrypted home folder. At least make sure your browser is up to date if you use farlukar's scheme.

      • As if that would help if you’re paranoid.

        You haven’t read about the Russian cracks where they got out of the virtual machine, by attacking it itself, and then wrapped a very thin VM around the entire outside OS, right between it and the metal.

        In (Ex-)Soviet Russia, program virtualizes YOU!

      • Already done my friend, you are telling me nothing new...but for the endless clients I have installed their machines for them (like my grandma) and can't use that app (too hard)...I always felt some level of security adding FF to their installs so they could have a bit more confidence surfing the web.

      • by icepick72 (834363)
        Yes, if they're that paranoid then do due diligence and stuff Firefox into that same virtual machine that IE is running inside for the same reason - then put Google Chrome on your PC computer.
    • Linux is boring? Sacrilege! You get to read all those obscure docs and get into flamewars with developers. How is that not fun? ;-)

      Which reminds me, what Linux needs is something like what I had on my old Amiga PC: A graphical way of interacting with the CLI so I don't have to remember all those obscure commands like "sudo -s -t /whatever"

         

    • by jd (1658)

      There's really no excuse for Firefox to allow at least some of the more common security flaws - or at least allowing those flaws to cause problems.

      First, sandboxing of extensions should limit what problems can be caused.

      Second, a lot of errors are caused by the overflowing of buffers - a problem that could be limited by the use of stretchy buffers or bounds-checking malloc implementations. Or not allowing direct access to the heap.

      Third, Firefox (and indeed all programs) should run on the principle of least

      • First, sandboxing of extensions should limit what problems can be caused.

        While also limiting what functionality can be created.

  • by Anonymous Coward on Friday November 20, 2009 @10:25AM (#30171436)

    This is why Microsoft should turn off Activex Controls altogether.........oh wait........

  • by jhol13 (1087781)

    There really needs to be a Java (or other "managed" language based) based browser (like Lobo). Unfortunately Lobo is not (yet?) ready for prime time.

    • by Meneth (872868)
      Garbage collection does not protect against most security breaches.
      • by owlstead (636356)

        Garbage collection does not protect against *any* security breaches. It may even introduce a few security issues (e.g. files not closed since the destructor is not called in time). The lack of pointer arithmetic and addition of bounds checking, on the other hand, certainly does protect against many security breaches. It also enables a better component based design where one component cannot change the behavior of other components. E.g. in Lobo it seems that there is an API that enables plugins. If this API

    • Re: (Score:3, Informative)

      by owlstead (636356)

      I'm very much in favor of that. I would even like to help build a Java based browser (e.g. with an OSGi based plug-in system). But the thing is that these extensions use all kinds of technologies, but not C/C++ (as far as I could see). So if the browser was managed code you would have the same issues. Managed code helps against many bugs, but not against all.

  • A quick Google search found this interesting article [lwn.net] from August of this year.

  • I read the article ( ! ) and saw NoScript mentioned; it seems that this can be exploited to whitelist sites within NoScript if FF has other addons installed. Scary stuff.
  • It's about trust (Score:5, Insightful)

    by TheCoders (955280) on Friday November 20, 2009 @10:36AM (#30171586) Homepage

    The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.

    The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.

    • by jadin (65295) on Friday November 20, 2009 @11:13AM (#30172070) Homepage

      I'm in the 'supposed to know crowd' and I had this misconception for a long time. If I failed so quickly in this aspect, what hope is there for "ma and pa" and the rest of the fam'? Which makes the question simply -

      What is easier to fix? Firefox's security model or most of the world's perception?

      • Well, probably the world's perception - adding a small warning would probably be pretty easy, and effective. The whole point and flexibility of Firefox is the fact that an add-on, which is mostly Javascript, can essentially rewrite the browser, as the browser is basically written in Javascript (as I understand).

        That's the reason they don't call them plugins or "browser helper objects". They're not subordinate and can arbitrarily replace bits of the browser. The browser can't sandbox it or check it, you need

    • Re: (Score:3, Insightful)

      by wd5gnr (1682238)
      I think the fact that extensions appear on the Mozilla add-on site could give some users the impression that they are "trusted" in some way. By default, FF won't install except from there (and maybe one or two other sites). But as far as I know, there's no real check. I mean I'm sure if you put up an extension that wiped your hard drive, enough people would complain and comment that it would get yanked. But something more subtle, maybe not.
  • This will get fixed in Firefox shortly & then it will be even more secure. What's the problem?

    Either way, I'm so hooked on the 20 or so extensions that I use, that I'd never go back to anything else. IE is the pits. Chrome's speed just isn't that big of a deal. Opera is ok, but the users are worse than Mac snobs.

  • I've always tried to keep a check on my addons for exactly this reason, the more code you're running the more chance there is an exploitable bug in there somewhere. While steps can be taken to prevent an exploited addon doing damage, I don't think much can be done to prevent a buggy addon doing exactly what it sets out to do but wrongly.

    The good news is that because all the functionality comes from addons they can be disabled and only affect users that want these features, so bob wanting to use his browser as

  • It's lovely and fussy and all things nice. A world facing app like a web-browser should make use of it.

    Really with the performance of current desktop computers and even netbooks there's no good reason not to stick potentially vulnerable parts of your browser in a separate process and block it from accessing anything it does not absolutely need to deal with.

  • If Microsoft spent as much time on their own software, as they do trying to belittle others, then they might be able to fix some of the gaping holes in Windows. But, I guess it's better politics to throw mud, than to clean up your own messes.

  • 0-day? (Score:2, Insightful)

    by Tanaric (868318)
    This is the second story recently that tosses the term "0-day" around when "new" would suffice. Yes, 0-day sounds cool, and yes, it's a helpful description in, say, the warez scene (do we still call it that?), but in articles about bugs/exploits it just makes you sound stupid.
    • Re: (Score:2, Informative)

      by CountZer0 (60549)

      True. A zero-day vulnerability is one that is found the same date the program is released. So unless these extensions are all brand new, these are not 0-day incidents.

  • It's looking like Chrome will have "locked down", minimal privileges extensions. At least, in theory. An extension can request only the privileges it requires (manipulate tabs, manipulate windows, access specific wildcarded urls) and the user is notified of what the extension will be able to access when it is installed.

    Unfortunately this price seems to be that extensions are far more limited in Chrome than they are in Firefox since they have limited access to the UI and such. For example, you can do a pa

  • New version (Score:2, Informative)

    by dernotte (1682854)
    Hi, I'm the author of infoRSS, and this version 1.1.4.x is a 1 year and 1/2 old version. Since then, the security layer has been well improved thanks to an assessment from an Australian security company. With the latest version (1.2.2) they were not able to find a security issue with it.
    • Good to know. Yoono also appears to have released a new version. Sage is still at the version that is reported to have the insecurity (1.4.3).

      • by RJFerret (1279530)

        Sage is still at the version that is reported to have the insecurity (1.4.3).

        I just checked, thankfully I'm still using the 1.4.2 version of Sage, so no worries here!

        • Actually, “and earlier versions” applied to all three extensions, not just Yoono. Am I about to get whooshed?
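
An added example, not part of the original thread and not any browser's real code: a small JavaScript model of two ideas raised in the comments above, a browser that exposes only a limited API to each extension, and install-time permissions with wildcarded host access that the user is shown up front. All names (`hostAllowed`, `installPrompt`, `createExtensionApi`), the pattern syntax and the sample data are constructed for illustration.

```javascript
// Constructed model of least-privilege extension permissions; not the real
// Chrome or Firefox API. Every name below is hypothetical.

// Host patterns look like "https://*.example.com/*". Matching is done on the
// parsed hostname, so the wildcard can never be satisfied by path or query text.
function hostAllowed(pattern, url) {
  const m = /^(https?):\/\/(\*\.)?([^\/*]+)\/\*$/.exec(pattern);
  if (!m) throw new Error("unsupported host pattern: " + pattern);
  const u = new URL(url);
  if (u.protocol !== m[1] + ":") return false;
  if (u.hostname === m[3]) return true;
  return Boolean(m[2]) && u.hostname.endsWith("." + m[3]);
}

// What the user is told before the extension is installed.
function installPrompt(manifest) {
  const caps = manifest.permissions.join(", ") || "none";
  return `${manifest.name} can use: ${caps}; can access: ${manifest.hosts.join(", ")}`;
}

// Each extension receives its own frozen API object. Undeclared capabilities
// are absent, and no handle to the browser or to other extensions is exposed.
function createExtensionApi(manifest, browser) {
  const api = {};
  if (manifest.permissions.includes("tabs")) {
    api.listTabs = () => browser.tabs.map((t) => t.title);
  }
  api.readPage = (url) => {
    if (!manifest.hosts.some((p) => hostAllowed(p, url))) {
      throw new Error(`${manifest.name}: no host permission for ${url}`);
    }
    return browser.pages[url];
  };
  return Object.freeze(api);
}

// Constructed sample browser state and manifest.
const browser = {
  tabs: [{ title: "Feeds" }, { title: "Bank" }],
  pages: {
    "https://feeds.example.com/rss": "<rss/>",
    "https://bank.example.net/account": "balance",
  },
};
const feedReader = { name: "feed-reader", permissions: [], hosts: ["https://*.example.com/*"] };
const api = createExtensionApi(feedReader, browser);
console.log(installPrompt(feedReader));
console.log(api.readPage("https://feeds.example.com/rss"), typeof api.listTabs);
```

The trade-off one commenter points out is visible here too: the feed reader cannot list tabs or read the bank page, which limits what it can break and also what it can do.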
