Stories
Slash Boxes
Comments
typodupeerror delete not in
  • Preferences

Comments: 208 +-   Zero-Day Vulnerabilities In Firefox Extensions on Friday November 20, @10:14AM

Posted by kdawson on Friday November 20, @10:14AM
from the wild-in-the-playground dept.
bug
security
mozilla
technology
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.
story

Related Stories

Submission: Zero-Day Vulnerabilities In Firefox Extensions by Anonymous Coward
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Zero-Day Vulnerabilities In Firefox Extensions 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Yep that's why I avoid extensions (Score:3, Informative)

    by commodore64_love (1445365) on Friday November 20, @10:16AM (#30171318)
    I don't trust them, plus they use more memory (I only have 1/2 gig), and they make the machine run slower. The only extensions I have are NoScript and ImageZoom and FlashVideoDownloader. I try to keep it to a minimum to avoid security problems, memory waste, and slowdown

    • Re: (Score:2, Insightful)

      by amazeofdeath (1102843)

      I completely agree, and I have been talking against the extension model for a long time. They are one of the main reasons why I use Opera instead of FF, as then I have only one vendor to introduce vulnerabilities, and it's the vendor I need to trust in any case to use the browser. Opera's inbuilt functionalities fortunately enable me to do the things for which I'd need to use extensions on FF.

      • The ad blocking functionality is limited in Opera, though. While its image-blocking setup works just fine, you can only block scripts based on the URL of the page being viewed, not by the URLs of each of the scripts themselves.

        That said, I do use Opera at work since it's more responsive than Firefox.

          • Re: (Score:3, Informative)

            by gerardolm (1137099)

            Oh, advertising on /.'s comments?

            Partnership Program

            The Ad Muncher partnership program allows you to refer people to an address like:

            http://youraccountname.admuncher.com/ [admuncher.com]

            and receive 20% of all purchases later made by those people. For more information please visit the partnership program website.

            "foropera" is just his partner alias. Sad.

      • You are correct that Opera's single vendor model is "safer" but the lack of extensions is a problem. If I see a youtube video I like, Opera has no way to grab it. Neither does it have an easy way to zoom-in on tiny photos. It's one of the reasons I've stayed with Firefox so I have the addon option if I need it.

        • Re: (Score:2)

          by sconeu (64226)

          That's what the widget model is for. There are a couple of widgets for grabbing video.

      • I have been talking against the extension model for a long time.

        The problem is not with the extension model. It is with the Firefox implementation of the extension model. If done properly, the browser would not be exposing an API to the plugin that is capable of doing naughty things, nor would it be exposing an API for a plugin to alter another plugin. You build a clear but limited line of communication on established browser events, but everything else is concealed from the plugin.

    • It will also protect you overall, considering the amount of crap you find in web ads, even on supposedly reputable networks.

    • Re: (Score:3, Interesting)

      by cmiller173 (641510)
      As a web developer I used the Web Developer Toolbar, Firebug, and DOM Inspector extensions daily. I could not be as productive without them.

    • A “minimum”, to me, would really be:

          Adblock Plus
          Download Statusbar
          Video DownloadHelper
          IE Tab
          Screengrab
          Tab Mix Plus

      I don’t know how much bloat I’m adding by having them, but they all provide functionality that I really prefer not to do without. The only one that I’d be willing to waive is Screengrab, but it’s damn handy to have.

      • Re: (Score:3, Informative)

        by clone53421 (1310749)

        BULLSHIT.

        Just to save anyone else the trouble...

        That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.

        GTFO with your FUD.

        • Re: (Score:3, Informative)

          by Carewolf (581105)

          That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.
          GTFO with your FUD.

          Check again. Try looking at how much memory firefox is allocating and not how much of it the operating system is currently keeping in memory. Most operating systems are smarter then the applications and flush any excess stupidity to the swap-file, so the ineffici

  • : (
    FF is my favorite web browser because they always made sure to be more secure then IE. I guess when it comes to add-ons and extensions, its always a crap shoot, but I always thought FF was better at handling security for extensions then IE, I guess
    I will have to go back to using linx now because I trust nothing else...
    Life will be boring

    • Re:I have to say, I am depressed... (Score:5, Informative)

      by farlukar (225243) on Friday November 20, @10:33AM (#30171540) Homepage Journal

      I will have to go back to using linx now because I trust nothing else...

      If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

      • Re: (Score:3, Funny)

        by NoYob (1630681)

        I will have to go back to using linx now because I trust nothing else...

        If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

        Yeah, but how do I know that the snapshot is clean? Or for that matter how do I know that my virtual machine hasn't been compromised?

        They could have put a chip in my brain that makes my think that I'm browsing securely but in fact I'm not!

        And who are you to be posting these things to make us feel like we can be secure? The sig of yours is French, no? But your user name looks Arabic. You could be a French secret agent with an Arabic code name - or, an Islamic Jihadist, hiding in France acting like a frien

      • Better yet, create a special user or two, one for anonymous browsing and one for your security relevant tasks (banking etc). The first one should be automatically reset after use (I use an Ubuntu guest account for that), the other one should have an encrypted home folder. At least make sure your browser is up to date if you use farlukar's scheme.

    • Linux is boring? Sacrilege! You get to read all those obscure docs and get into flamewars with developers. How is that not fun? ;-)

      Which reminds me, what Linux needs is something like what I had on my old Amiga PC: A graphical way of interacting with the CLI so I don't have to remember all those obscure commands like "sudo -s -t /whatever"

         

    • Re: (Score:2)

      by jd (1658)

      There's really no excuse for Firefox to allow at least some of the more common security flaws - or at least allowing those flaws to cause problems.

      First, sandboxing of extensions should limit what problems can be caused.

      Second, a lot of errors are caused by the overflowing of buffers - a problem that could be limited by the use of stretchy buffers or bounds-checking malloc implementations. Or not allowing direct access to the heap.

      Third, Firefox (and indeed all programs) should run on the principle of least

      • First, sandboxing of extensions should limit what problems can be caused.

        While also limiting what functionality can be created.

  • Damned Activex Controls! (Score:3, Funny)

    by Anonymous Coward on Friday November 20, @10:25AM (#30171436)

    This is why Microsoft should turn off Activex Controls altogether.........oh wait........

  • There really needs to be Java (or other "managed" language based) based browser (like Lobo). Unfortunately Lobo is not (yet?) ready for prime time.

    • Re: (Score:2)

      by Meneth (872868)
      Garbage collection does not protect against most security breaches.

      • Garbage collection does not protect against *any* security breaches. It may even introduce a few security issues (e.g. files not closed since the destructor is not called in time). The lack of pointer arithmetic and addition of bounds checking, on the other hand, certainly does protect against many security breaches. It also enables a better component based design where one component cannot change the behavior of other components. E.g. in Lobo it seems that there is an API that enables plugins. If this API

    • Re: (Score:3, Informative)

      by owlstead (636356)

      I'm very much in favor of that. I would even like to help building a Java based browser (e.g. with a OSGi based plug-in system). But the thing is that these extensions use all kinds of technologies, but not C/C++ (as far as I could see). So if the browser was managed code you would have the same issues. Managed code helps against many bugs, but not against all.

  • A quick Google search found this interesting article [lwn.net] from August of this year.

  • I read the article ( ! ) and saw NoScript mentioned; It seems that this can be exploited to whitelist sites within NoScript if FF has other addons installed. Scary stuff.

  • It's about trust (Score:5, Insightful)

    by TheCoders (955280) on Friday November 20, @10:36AM (#30171586) Homepage

    The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.

    The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.

    • Re:It's about trust (Score:4, Insightful)

      by jadin (65295) on Friday November 20, @11:13AM (#30172070) Homepage

      I'm in the 'supposed to know crowd' and I had this misconception for a long time. If I failed so quickly in this aspect, what hope is there for "ma and pa" and the rest of the fam'? Which makes the question simply -

      What is easier to fix? Firefox's security model or most of the world's perception?

    • Re: (Score:3, Insightful)

      by wd5gnr (1682238)
      I think the fact that extensions appear on the Mozilla add on site could give some users the impression that they are "trusted" in some way. By default, FF won't install except from there (and maybe one or two other sites). But as far as I know, there's no real check. I mean I'm sure if you put up a extension that wiped your hard drive, enough people would complain and comment that it would get yanked. But something more subtle, maybe not.

  • This will get fixed in Firefox shortly & then it will be even more secure. What's the problem?

    Either way, I'm so hooked on the 20 or so extensions that I use, that I'd never go back to anything else. IE is the pits. Chrome's speed just isn't a that big of a deal. Opera is ok, but the users are worse than Mac snobs.

  • I've always tried to keep a check on my addons for exactly this reason, the more code your running the more chance there is an exploitable bug in there somewhere. While steps can be taken to prevent an exploited addon doing damage, i don't think much can be done to prevent a buggy addon doing exactly what it sets out to do but wrongly.

    The good news is that because all the functionality comes from addons they can be disabled and only affect users that want these features, so bob wanting to use his browser as

  • It's lovely and fussy and all things nice. A world facing app like a web-browser should make use of it.

    Really with the performance of current desktop computers and even netbooks there's no good reason not to stick
    potentially vulnerable parts of your browser in a separate process and block it from accessing anything it does not
    absolutely need to deal with.

    • What does it mean anyway? That you're infected in zero days?

      • Re: (Score:2, Informative)

        by taoye (1456551)
        Apparently, yes. To paraphrase Wikipedia, it means that the attack occurs on the 0th day that the vendor is aware of the problem... which is a significant because it means the vendor has not even had a chance to respond to the vulnerability before it is exploited. Notwithstanding the fact that they could have prevented it, but that's another matter.

      • Supposed you watched the Firefox commits when they do a security update (or reverse-engineered an IE patch) and discovered how to exploit a fixed vulnerability 2 days after the update. You could call that a 2-day vulnerability, and the small number of days means that a lot of people haven't patched yet.

        So a zero-day vulnerability means that nobody's gotten a chance to patch yet, because the security hole is discovered before a patch is available.

      • Geez, I wonder where you could find that sort of information... [lmgtfy.com]

        The term derives from the age of the exploit. When a vendor becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A “zero day” attack occurs on or before the first or “zeroth” day of vendor awareness, meaning the vendor has not had any opportunity to disseminate a security fix to users of the software.

    • Re: (Score:3, Insightful)

      by RiotingPacifist (1228016)

      Isn't the point that they have been seen now, if those holes where in closed binary addons (like coolaris preview) then they would never have been seen.

      • But, if the 'many eyes' were being honest with themselves, they should have cried foul at the insecure way extentions are handled before exploits were even known. It really isn't acceptible to give any random extention that much control over your software IMO.

        • The real trouble is that this is the way it’s designed, and it needs to stay this way.

          Just like the real trouble with running arbitrary .exe files you download off the net is that .exe files are trusted a whole lot more than arbitrary files you download off the net ought to be.

    • Re: (Score:3, Informative)

      by Basje (26968)

      Or use a clean firefox without extensions.

      Of course, without extensions there isn't much that sets firefox apart from chrome except for the license. Some purists will prefer firefox for that reason but it's pretty much a coin toss.

      • Or use the " -profilemanager" switch on the shortcut that you launch Firefox with. You could then have a profile that loads no extensions that you use when surfing untrustworthy sites. And a profile that does load your extensions when you doing normal surfing. What I actually use it for is I have a profile that loads my development tools (Web Developer Toolbar, Firebug, and DOM Inspector) a profile for just normal surfing, and a profile with no extensions for when I need to be absolutely sure that the ad

      • Actually, not even the license, really. Just use Chromium, if you care.

        • Re: (Score:2)

          by DavidTC (10147)

          As should extensions that retrieve data from responsible sites, like those extensions that alter google result pages. Assuming Google doesn't try to attack us, they should be fine.

          I use to have an assload of extensions, but I've been really trying to restrict what I have for speed issues, so I'm not that worried.

    • From TFS:

      Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.

      Not one of these is true of Chrome extensions -- or at least, it is possible to develop extensions which are not fully trusted.

      • No you should switch to Chrome. I use FF because of the extensions, honestly I don't consider vanilla FF that much better than IE8. I've already moved all my friends off of FF to Chrome because they weren't interested in using extensions

    • Re: (Score:3, Funny)

      by clone53421 (1310749)

      I thought you were trolling, and then I read this:

      I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior.

      Poe’s Law [rationalwiki.com] appears to be in full effect today.

Search
leverage, n.: Even if someone doesn't care what the world thinks about them, they always hope their mother doesn't find out.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.