Zero-Day Vulnerabilities In Firefox Extensions
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.
Yep that's why I avoid extensions (Score:3, Informative)
Re:How did the "many eyes" miss this? (Score:1, Informative)
Re:Chrome time (Score:1, Informative)
Or you could, you know, remove those extensions?
Re:Chrome time (Score:3, Informative)
Or use a clean Firefox without extensions.
Of course, without extensions there isn't much that sets Firefox apart from Chrome except for the license. Some purists will prefer Firefox for that reason, but it's pretty much a coin toss.
Re:Zero Day (Score:2, Informative)
Re:I have to say, I am depressed... (Score:5, Informative)
If you're that paranoid — use a virtual machine to browse the web and roll back to a trusted, clean snapshot a few times a day.
Re:Lobo? (Score:3, Informative)
I'm very much in favor of that. I would even like to help build a Java-based browser (e.g. with an OSGi-based plug-in system). But the thing is that these extensions use all kinds of technologies, but not C/C++ (as far as I could see). So if the browser was managed code you would have the same issues. Managed code helps against many bugs, but not against all.
Re:Yep that's why I avoid extensions (Score:3, Informative)
BULLSHIT.
Just to save anyone else the trouble...
That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.
GTFO with your FUD.
Re:0-day? (Score:2, Informative)
True. A zero-day vulnerability is one that is found on the same date the program is released. So unless these extensions are all brand new, these are not 0-day incidents.
Re:Yep that's why I avoid extensions (Score:3, Informative)
Check again. Try looking at how much memory Firefox is allocating and not how much of it the operating system is currently keeping in memory. Most operating systems are smarter than the applications and flush any excess stupidity to the swap file, so the inefficiency doesn't take up valuable physical memory. A clean Firefox with about:blank is using 145 MB here, where the operating system is currently electing to start with 38 of them in memory.
And btw, stop swearing at people when you are wrong.
Re:Chrome time (Score:3, Informative)
New version (Score:2, Informative)
Re:Yep that's why I avoid extensions (Score:2, Informative)
Doesn't IE8 have all that built in now (F12 key)?
Re:Yep that's why I avoid extensions (Score:2, Informative)
"To try Ad Muncher free for 30 days, please visit our download page." Yeah, right.
Re:Yep that's why I avoid extensions (Score:3, Informative)
Oh, advertising on /.'s comments?
Partnership Program
The Ad Muncher partnership program allows you to refer people to an address like:
http://youraccountname.admuncher.com/
and receive 20% of all purchases later made by those people. For more information please visit the partnership program website.
"foropera" is just his partner alias. Sad.
Re:Yep that's why I avoid extensions (Score:2, Informative)
Stop advertising. To anyone interested in buying Ad Muncher, just buy it through admuncher.com and not his link.