
Watch your Firefox extensions


Christopher Soghoian, the researcher who attracted the attention of the FBI last year by releasing a tool that could be used to generate fake boarding passes, is at it again. Well, at hunting down security weaknesses, that is.

This time, Christopher has identified an exploitable vulnerability in the upgrade mechanism found in a number of notable Mozilla Firefox extensions. Essentially, it has to do with the fact that some of the most widely used extensions, including those from Google, Yahoo and AOL, do not use secure connections when performing an auto-update.

To its credit, Firefox does at least prompt the user first when updates are detected as available. However, some commercial extensions, including those made by Google, have disabled this.

This makes it possible for a "man-in-the-middle" attack to be executed against the hapless user. In the case of a successful attack, an attempt by the extension to locate later versions of itself could be redirected to a hostile site. A malicious extension masquerading as the real deal would then be automatically downloaded in the background, and run without the user noticing anything at all.

Such an attack will not work against an SSL-enabled web server.

Detractors might argue that Firefox extensions only run within the browser itself, and not as a superuser. Hence, any potential damage should be limited. Even in such a case, however, it would still be possible for the malicious extension to actively spy on the browsing activities of the victim, as well as carry out any number of shenanigans involving network access, such as sending spam and performing port scans.

To fix the problem, ensure that all your extensions are downloaded from the official Firefox Add-ons website (https://addons.mozilla.org). If in doubt, simply delete the extension, and download it from the Add-ons site again.
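As an added illustration of the weak point described above (this is not code from the article, from Mozilla, or from any of the extensions named), the following Python script audits the legacy Firefox install.rdf manifest for the em:updateURL setting that tells the browser where to look for new versions. A plain http:// URL is the configuration that lets an on-path attacker redirect the check; an https:// URL is the fix; and no updateURL at all means the add-on updates through addons.mozilla.org. The script also recognises em:updateKey, the public key that later Firefox releases used to verify signed update manifests, which the article itself does not discuss. The three manifests are constructed samples with made-up ids and URLs, not real extensions.

```python
"""Audit legacy Firefox install.rdf manifests for insecure update channels."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by the (pre-WebExtensions) install.rdf manifest format.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Constructed sample manifests; the ids, names and URLs are made up.
SAMPLE_MANIFESTS = {
    # Updates fetched over plain HTTP: the exposed configuration.
    "insecure-toolbar@example.invalid": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>insecure-toolbar@example.invalid</em:id>
    <em:name>Insecure Toolbar</em:name>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>""",
    # Same fields written as RDF attributes, with an HTTPS update URL.
    "secure-sync@example.invalid": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"
               em:id="secure-sync@example.invalid"
               em:name="Secure Sync"
               em:updateURL="https://updates.example.invalid/update.rdf"/>
</RDF>""",
    # No updateURL: the browser asks addons.mozilla.org, which is HTTPS.
    "amo-hosted@example.invalid": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>amo-hosted@example.invalid</em:id>
    <em:name>AMO Hosted</em:name>
  </Description>
</RDF>""",
}


def _em_value(desc, name):
    """Read em:<name> from a Description, whether it is written as a child
    element or as an attribute (install.rdf allows either spelling)."""
    child = desc.find(f"{{{EM_NS}}}{name}")
    if child is not None and child.text and child.text.strip():
        return child.text.strip()
    return desc.get(f"{{{EM_NS}}}{name}")


def audit_manifest(manifest_xml):
    """Classify one manifest's update channel.

    Returns the extension id, the raw update URL (None if absent) and a
    status: "insecure" (http or unknown scheme), "https", "http_signed"
    (http, but with an em:updateKey for signed update manifests) or
    "amo_default" (no updateURL, so updates come from addons.mozilla.org).
    """
    root = ET.fromstring(manifest_xml)
    desc = root.find(f"{{{RDF_NS}}}Description")
    if desc is None:
        raise ValueError("install.rdf has no RDF Description element")
    ext_id = _em_value(desc, "id") or "<unknown>"
    update_url = _em_value(desc, "updateURL")
    update_key = _em_value(desc, "updateKey")
    if update_url is None:
        status = "amo_default"
    else:
        scheme = urlparse(update_url).scheme.lower()
        if scheme == "https":
            status = "https"
        elif scheme == "http" and update_key:
            status = "http_signed"
        else:
            status = "insecure"
    return {"id": ext_id, "update_url": update_url, "status": status}


def insecure_extensions(manifests):
    """Ids of the manifests whose update check could be redirected on-path."""
    results = [audit_manifest(m) for m in manifests]
    return sorted(r["id"] for r in results if r["status"] == "insecure")


if __name__ == "__main__":
    for xml in SAMPLE_MANIFESTS.values():
        r = audit_manifest(xml)
        print(f"{r['status']:12} {r['id']:34} "
              f"{r['update_url'] or '(addons.mozilla.org)'}")
    print("needs attention:", insecure_extensions(SAMPLE_MANIFESTS.values()))
```

To audit a real profile, feed it the install.rdf from each extension directory (or from inside each .xpi, which is a zip file) instead of the constructed samples; anything reported as "insecure" is a candidate for the delete-and-reinstall-from-addons.mozilla.org step.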

For additional information, check out the full disclosure on Christopher's blog.

Now that you have run through your extensions list, were you vulnerable to this security hole? Also, speaking of extensions, what are your installed extensions? Join the discussion.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

18 comments
Mond0

A little more digging found this:

A response from Yahoo's del.icio.us: "I'm the product manager for the del.icio.us extensions, and I just wanted to say that our new 1.5 extension was never vulnerable to this attack, and we patched the older 1.2 release as soon as we heard about the issue at the beginning of May. Current 1.2 users should have received notification when launching Firefox and will get the signed version of the extension when accepting the update. As of early May, all official del.icio.us extensions are signed and hosted on addons.mozilla.org and are served over SSL as a result."

Mozilla security chief: "For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels and investigating ways to universally improve updates for add-ons. There are a number of options being considered, all of which are designed to make it easy to write secure add-ons."

Read more here: http://blogs.zdnet.com/security/?p=245

paulmah

It's good to hear that the Firefox team has plans afoot to handle extensions even more securely. Though, I would hardly blame them for this "security vulnerability" which is frankly, not quite their fault.

Mond0

(that'll get some attention!) I understand your point, Paulmah. You see it as if your company manufactured revolvers and it's the user's fault that someone gets shot, eh? On the other hand, what if the gap between the cylinder and muzzle is too wide and someone comes along and says "We can increase the side ejected shrapnel if we use softer lead!" Now where does the fault lie? As for myself, I feel it's more like global warming. Why it's happening is beside the point. How are we planning to deal with it? It doesn't matter if cars and factories caused it or if it's a natural cycle, what's important is that we do something now to protect our future. Dealing with the aftermath instead of being proactive would be a mistake. Thank goodness for the everyday heroes out there! (NOTE: these are only metaphors to illustrate my point)

Mond0

Or as they say, "Let the buyer beware." We, the end users and supporters, should already be practicing safe computing. There needs to be some controls in place limiting the damage that can be done. If I go out and get something (bullets or software) that will hurt me or others, I'm at least partially responsible for my actions. But, if I make sure that these things cannot be used (inadvertently or otherwise) then I'm at least doing my part to limit the damage until the manufacturer(s) can effect a fix. So, yes, I believe that we're on the same page here.

paulmah

You lost me a bit here with the metaphors I'm afraid..! But I think we do have a common agreement here. That this vulnerability does need to be fixed, be it by the Mozilla team, or by the poorly behaving addons yes? :)

tech

Well, that is nice to know. I will have to inform my class, my site, and others about the dangers. I mostly have my students go around and install Firefox as much as possible, just for the protection that IE doesn't offer. However, I only have one extension that is not listed on add-ons from Firefox and that's the Facebook add-on. If you hear any word that it might cause trouble, please inform me immediately.

paulmah

According to Christopher, the following are potentially vulnerable:

- Google Toolbar
- Google Browser Sync
- Yahoo Toolbar
- Del.icio.us Extension
- Facebook Toolbar
- AOL Toolbar
- Ask.com Toolbar
- LinkedIn Browser Toolbar
- Netcraft Anti-Phishing Toolbar
- PhishTank SiteChecker

and a number of others, mainly commercial extensions...

Mond0

I was going to say something to tech@... about Facebook since I'm wary of all "Social Networking" sites. But the inclusion of PhishTank SiteChecker has me puzzled. This is currently available from the official Firefox Add-Ons site: https://addons.mozilla.org/en-US/firefox/addon/3840 Has anyone notified Mozilla that there might be a problem with it? After all, it is touted as an anti-malware tool and people (like me) are going to trust Mozilla to have checked this out beforehand. One explanation could be that the site Christopher is linking to is bad. The site he is sending people to is NOT http://www.phishtank.com/ (the site listed at Firefox) but, instead phishtanksitechecker[dot]com which CallingID flags as yellow because the owner doesn't match up (they're OpenDNS). As always... caveat emptor!

paulmah

Saw your statement about backing up your PC every 12 hours. How do you do it? Do you use a batch script or a special software?

tech

I would have to agree with most social websites. I would never use anything that MySpaces uses. However, I did email Facebook and informed them about the situation. I was pleased to get a response and they said they are going to check it out and get back to me. For the mean time, I have uninstalled the extension. I do believe though, that Facebook is more secure than any other social networking. I still see the risk and I have now taken extra precaution to ensure the safety of my computer. Even though my computer is backed up every 12 hours, I still felt that I needed to be secure since I have very valuable information on my computer. -Lucas

Tony Hopkinson

Tool bars always give me the shudders anyway. It would be nice to see the FF boys plug the hole where an extension can defeat the upgrade check. To be quite honest just doing that would make it extension non grata.

Tony Hopkinson

are a no no for me. Nothing to do with what the developer wants, they are working for me. At best an option to allow silent installs, for a product and unphishable URL.

paulmah

I think it would be a matter of balancing between being inflexible and giving too much freedom. Being too draconian about the rules might just turn some developers off. But in this case, I agree it doesn't take much to enforce HTTPS for update checks at least - since Mozilla does host addons for free!

Mond0

First: nothing is perfect and we must remain ever vigilant. To allow oneself to become comfortable in the perceived security of anything, digital or real life, leaves you open to attack. Thank goodness for the White Hats out there! As for the Add-Ons I run, I get them from the official Firefox Add-ons website (except for SiteAdvisor). Anyone that doesn't is letting someone else grab them by the browser! Foxmarks is the first one I usually install.

- McAfee SiteAdvisor
- CallingID Link Advisor
- NoScript
- Download Statusbar
- MSTS-Dictionary

paulmah

Let me see, I have the following extensions:

- Adblock Plus (Sshhhh!)
- Adsense Notifier (For my personal blog)
- DOM Inspector (I do web too)
- Web Developer (Yup, as well as PHP programming)
- Google Toolbar (This is one of those that does plain HTTP)
- PDF Download (Don't you hate it when PDF opens in Firefox?)

For myself, I am not so worried about falling to this vulnerability as I almost always open a VPN back to my personal server anyway. Also, I use mobile HSDPA (1.8mbps) wireless access more than public WLAN.

neil.matthews

You seem to be saying that if your security has been compromised, your security could be compromised. Have I read that right? This issue could only happen if you already had a security breach?

paulmah

Because of the potential of this vulnerability for exploitation, it is best to address it early and be safe.

paulmah

Were you vulnerable to this security hole? Also, speaking of extensions, what are your installed extensions?
