Zero-Day Vulnerabilities In Firefox Extensions
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.
Re:Yep that's why I avoid extensions (Score:2, Insightful)
I completely agree, and I have been talking against the extension model for a long time. They are one of the main reasons why I use Opera instead of FF, as then I have only one vendor to introduce vulnerabilities, and it's the vendor I need to trust in any case to use the browser. Opera's inbuilt functionalities fortunately enable me to do the things for which I'd need to use extensions on FF.
Re:How did the "many eyes" miss this? (Score:3, Insightful)
Isn't the point that they have been seen now? If those holes were in closed binary addons (like Cooliris preview), they would never have been seen.
It's about trust (Score:5, Insightful)
The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.
The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.
Thus proving... (Score:1, Insightful)
... once again that marketing > reality. Firefox has been around since 2003. The situation with extensions has been the same since 2003. Firefox has been enjoying a "Mac effect" where the lack of market share and platform knowledge convinced their users that it's invulnerable to hacks and extensions are safe. The same people who laugh at ActiveX without having a clear idea what the problem is would claim extensions are totally safe and install them by the dozens. In the last couple of years we have seen increased reporting of security problems with Firefox, and the fans of yesterday explain this with Firefox "becoming bloatware" and hence "becoming insecure". Becoming? Hardly. These issues have always been there. Go back to the first releases and you'll see.
Re:Yep that's why I avoid extensions (Score:1, Insightful)
Only half a gigabyte? Here's a quarter, kid. Buy yourself some more memory.
Re:It's about trust (Score:4, Insightful)
I'm in the 'supposed to know crowd' and I had this misconception for a long time. If I failed so quickly in this aspect, what hope is there for "ma and pa" and the rest of the fam'? Which makes the question simply -
What is easier to fix? Firefox's security model or most of the world's perception?
Re:It's about trust (Score:3, Insightful)
0-day? (Score:2, Insightful)
Re:0-day? (Score:1, Insightful)
Ah, irony. The GPP is wholly correct. You thought s/he was talking about a zero-day attack, which is one that is found within a day of a vulnerability being discovered. The GPP, however, correctly observed that a zero-day vulnerability, if such a notion is meaningful, implies one that is discovered the same day that the software is released.
The article title refers to zero-day vulnerabilities. The GPP is entirely correct to point out that that is untrue -- or, I would say, altogether meaningless.
Further, the article offers no examples of zero-day exploits, so it is not a case of simple misunderstanding. Net-security.org has consciously chosen to use a term that is at best a lie, at worst incoherent. Some individuals -- including the submitter, and yourself -- have chosen to perpetuate the confusion.