
Zero-Day Vulnerabilities In Firefox Extensions

Posted by kdawson
from the wild-in-the-playground dept.
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.


  • by LS1 Brains (1054672) on Friday November 20, 2009 @11:49AM (#30171752)
    Unchecked, or merely poorly checked, third-party code has long been a tender Achilles heel for any system. We beat down Windows 'round these parts with impunity, but oftentimes the fault is with something outside of the code controlled by the Borg. Firefox is not immune, obviously, and there should be some system to help prevent "issues" when extensions and plugins are used.

    I wouldn't call it perfect, but Google's Android platform has a novel idea: your third-party code must register for the privileges it requires to operate, and those privileges are then presented to the user for scrutiny in a very easy-to-understand manner. Install an Android application, and you get to see what rights you grant that app before it launches the first time. Hmmm, this game wants access to my contacts and the internet? No thank you, let's just delete that before it shares my phone list.
  • by cmiller173 (641510) on Friday November 20, 2009 @11:51AM (#30171782)
    As a web developer I use the Web Developer Toolbar, Firebug, and DOM Inspector extensions daily. I could not be as productive without them.
  • by Anonymous Coward on Friday November 20, 2009 @12:16PM (#30172112)

    Ad blocking shouldn't be done at the browser. It should be handled at the DNS level, or by a firewall or proxy.

    You can run your own DNS server and return for requests to known ad servers. You can do the same with your /etc/hosts file, too. This even works on Windows!

    Use your firewall to prevent connections to known ad hosts.

    Use a filtering proxy to strip out ads, Flash, ActiveX controls, and all sorts of other shit.

    There are several community-collected lists of hostnames that are commonly used for serving ads, so you don't even have to build or maintain such a list yourself.

    Do it those ways so it can easily apply to all browsers, mail clients, and other applications you might be using.

    It's just fucking stupid to use a browser plugin to perform filtering that should be performed outside of the browser.
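
The comment above recommends blocking known ad hosts outside the browser, at the hosts-file or DNS-resolver level, using a community-collected list. The following Python script is an added example, not code from the thread or from any of the projects it mentions: it parses a constructed hosts-format blocklist, normalises and validates the hostnames, and emits both `/etc/hosts` entries and dnsmasq `address=` entries (the latter also sink subdomains, which a hosts file cannot do). The sample list, the hostnames in it, and the helper names are all made up for illustration.

```python
"""Build DNS-level ad-block entries from a community hosts-style list.

Added example (not from the Slashdot thread). It demonstrates the
approach the comment above describes: block known ad hosts outside the
browser, at the hosts-file or DNS-resolver level, so the rule applies
to every client on the machine. The blocklist below is constructed for
illustration; real community lists are much longer.
"""
import re

# Constructed sample in the common "hosts file" list format:
# <ip> <hostname> with optional '#' comments. Mixed case, tabs,
# duplicates and junk lines are deliberate to exercise normalisation.
SAMPLE_BLOCKLIST = """\
# constructed sample list
127.0.0.1 localhost
0.0.0.0  ads.example.net   # banner server
127.0.0.1\tTracker.Example.org
0.0.0.0  ads.example.net   # duplicate
not a valid line
0.0.0.0  bad_host!.example.com
"""

# Names that appear in every hosts file and must never be sinkholed.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Syntactic check so a corrupt list line cannot poison the config."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_blocklist(text):
    """Return a sorted, de-duplicated list of blocked hostnames."""
    hosts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                     # need <ip> <name...>
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not valid_hostname(name):
                continue
            hosts.add(name)
    return sorted(hosts)


def hosts_file_lines(hosts):
    """/etc/hosts entries; 0.0.0.0 avoids a connection attempt to loopback."""
    return ["0.0.0.0 %s" % h for h in hosts]


def dnsmasq_lines(hosts):
    """dnsmasq 'address=' entries, which also cover subdomains of each name."""
    return ["address=/%s/0.0.0.0" % h for h in hosts]


def is_blocked(hostname, hosts, match_subdomains=True):
    """True if a resolver configured from `hosts` would sink this name.

    match_subdomains=True models dnsmasq behaviour; False models a plain
    hosts file, which only matches exact names.
    """
    name = hostname.lower().rstrip(".")
    if name in hosts:
        return True
    if match_subdomains:
        return any(name.endswith("." + h) for h in hosts)
    return False


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    print("\n".join(hosts_file_lines(blocked)))
    print("\n".join(dnsmasq_lines(blocked)))
    for q in ("cdn.ads.example.net", "www.example.com"):
        print(q, "blocked" if is_blocked(q, blocked) else "allowed")
```

The validation step matters because these lists are pulled from third parties: a malformed or hostile line should be dropped, not written into a file the resolver trusts. Note the difference in matching semantics, since a hosts file will not catch `cdn.ads.example.net` when only `ads.example.net` is listed, while the dnsmasq form will.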

  • by jcdill (6422) on Friday November 20, 2009 @01:49PM (#30173716)

    I use the customized CSS from to block ads in Firefox. Works like a charm! I've been using it for about 5 years, and there hasn't been a single security incident associated with this solution.

  • Re:It's about trust (Score:1, Interesting) by Anonymous Coward on Saturday November 21, 2009 @05:16AM (#30182926)

    Users need to be aware that installing a plugin is tantamount to installing an application.

    The browser does tell people this, and even forces them to look at the notice for a minimum of 5 seconds or so. Extensions are also rated on Mozilla's site, so people have a basic idea of what kind of issues the extension might have and whether it's even useful or not.

    What difference does this make to the casual user? People don't read notices, and will install anything.

    Extensions should be required to list the resources they use. A mass downloader, URL re-writer, or color picking tool obviously doesn't need the same level of control as a tool for hacking HTTP headers.
