
Some Firefox extensions may be exploited to install malware

Yet another exploit avenue has been found. Some Firefox extensions have issues that provide bad guys a way to install malware.

Roberto Suggi Liverani and Nick Freeman, security consultants with security-assessment.com, have discovered that poorly written Firefox extensions can be exploited to install malware on a victim's computer. Mozilla appears to have no security requirements for extensions. That is a problem, because its flagship Web browser, Firefox, implicitly trusts extension code.

I first learned about the problem when I read the two researchers' Defcon 17 presentation, "Abusing Firefox Extensions" (pdf). The possibility of vulnerabilities in extensions concerned me, having just finished the article, "10 Firefox extensions that enhance security". I certainly did not want to promote extensions that are vulnerable.

To the best of my knowledge, the extensions in my article are not buggy. Because I am in the process of writing an article with 10 more security extensions, I will be checking with Mr. Suggi Liverani and Mr. Freeman to make sure all the extensions I refer to are beyond reproach.

Confusion about add-ons

Mozilla and extension developers tend to confuse terms by generically calling extensions "add-ons." They are add-ons, but it is important to know that plug-ins are add-ons as well; the main difference is that plug-ins are installed automatically. This article is about extensions, but you can learn about plug-ins and their problems in "Firefox Plug-ins: What are they?"

What are extensions?

Developers at Mozilla work hard to keep the code for the Firefox Web browser to a minimum. That is a good thing: it reduces complexity and bugs, and it allows Firefox to load quickly. The flip side of a minimal footprint is that users are left wanting additional features to make surfing easier and more enjoyable. Enter extensions: they give Firefox extensibility, the ability for users to add features of their choosing.

What Mr. Suggi Liverani and Mr. Freeman found

The researchers' presentation was exemplary, explaining in detail how weak extensions are exploited. It also gave several examples of questionable extensions and how they are exploited. Two of the better-known extensions examined were CoolPreviews and FireFTP.

After reading the presentation, I was still confused about a few things, so on the off chance that they would reply, I sent both gentlemen an e-mail message containing a list of questions. They were kind enough to answer, and I would like to pass that information on:

Question 1: How did you discover vulnerabilities in Firefox extensions?

We were auditing a large web application which included a tailored Firefox extension. That was the first time, and we suddenly realized we had to include the extension in the testing scope. Also, we were playing with other extensions (Skype and InfoRSS) and we felt there could be bugs in those extensions as well.

Question 2: Could you please explain how the exploit works?

There are many ways a vulnerable Firefox extension can be exploited. This really depends on the nature of the vulnerability. An input-based vulnerability such as Cross Site Scripting has significant consequences in extensions, especially when malicious code can be executed from the chrome:// zone.

Question 3: You mention that Chrome plays a big role in this exploit. What is Chrome and what part does it play?

In our presentations, we refer to Chrome as the chrome:// zone where the extension's code runs (chrome privileges are trusted by Firefox). Chrome privileges allow extensions to do basically anything with the OS by querying/interacting with Firefox core functionality provided by XPCOM libraries/interfaces.

Question 4: Could you explain the comment: "Any input rendered in Chrome is an XSS injection point"?

What we mean is that if you have an injection point in the chrome:// zone, then it is game over. The injection can include arbitrary browser-based content which has chrome privileges. This allows exploitation of Firefox extensions as shown in the following slide.

Question 5: Your presentation mentions that NoScript is rendered useless by this exploit, could you explain how?

NoScript is a security extension and protects the user when browsing untrusted content (e.g. Internet). The misconception is that NoScript can protect you from vulnerable extensions. The chrome:// URI scheme is whitelisted in NoScript, as most extension code needs to run with chrome privileges to provide functionality. For example, an extension that shows the content of your C:\ Folder needs chrome privileges to interact with the file system. NoScript cannot block chrome:// as that will break Firefox and extension functionality.

Question 6: You state that running Firefox in Safe-mode is the only sure-fire cure at this time. Why can't extensions just be removed?

Extensions can be removed. That line is more a security policy in a corporate/company environment where Firefox is used. An administrator should set Firefox in Safe Mode so users cannot install extensions. This needs to be weighed on a per-case basis, as using Safe Mode means you can't run NoScript, so normal browsing becomes less secure.
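The answers to Questions 2 through 4 describe the root cause: extension code runs with chrome privileges, so any untrusted string that the extension turns into markup (a page title, a server-supplied file name) becomes a code injection point rather than an ordinary web-page XSS. The following is an added example, written for this article and not taken from the researchers' presentation or from any real extension. It models a hypothetical FTP-client extension rendering a directory listing; the listing data, the function names and the check are all constructed for illustration.

```javascript
// Added example, not from the article or the researchers' presentation.
// It models the "input rendered in Chrome" problem the interview describes:
// extension code that builds its own UI from data it did not produce and
// inserts that data as markup. All names and data here are hypothetical.

// Constructed sample listing, standing in for what a remote FTP server
// could return. One entry carries markup in its name; no real server
// produced any of this.
const listing = [
  { name: "notes.txt", size: 1204 },
  { name: "<b>README</b>", size: 88 },
];

// Vulnerable pattern: untrusted strings concatenated straight into markup.
// If the result is assigned to innerHTML inside chrome:// code, the tags in
// the file name are parsed as elements that run with the extension's
// privileges, which is exactly the "game over" condition of Question 4.
function renderListingUnsafe(entries) {
  return entries
    .map((e) => `<li>${e.name} (${e.size} bytes)</li>`)
    .join("");
}

// Hardened pattern: escape every untrusted value before it reaches a markup
// sink, so the name is displayed as text and never parsed as elements.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderListingSafe(entries) {
  return entries
    .map((e) => `<li>${escapeHtml(e.name)} (${Number(e.size)} bytes)</li>`)
    .join("");
}

// Reviewer's check: does the rendered fragment contain any tag other than
// the <li> wrapper the renderer itself emits? Any other '<' means untrusted
// input has been interpreted as markup.
function containsForeignTags(html) {
  return /<(?!\/?li>)/.test(html);
}

console.log("unsafe:", renderListingUnsafe(listing));
console.log("safe:  ", renderListingSafe(listing));
console.log("unsafe leaks markup:", containsForeignTags(renderListingUnsafe(listing)));
console.log("safe leaks markup:  ", containsForeignTags(renderListingSafe(listing)));
```

In real extension code the preferable fix is to avoid markup sinks altogether and build the UI with DOM methods (createElement, createTextNode, textContent), which never parse their input; escaping as shown above is the fallback when a string of markup genuinely has to be produced.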

Recommendations

Mr. Suggi Liverani and Mr. Freeman have come up with the following recommendations for developers, security professionals, and end-users:

Developers
  • Adhere to the OWASP testing guide.
Security professionals
  • Watch publications for new ideas on just-released extensions.
End-users
  • Don't trust extensions.
  • Check Bugzilla for new information about extension-security issues.
  • Make sure extensions are up-to-date.
  • Consider Safe Mode, as it disables all extensions.

Final thoughts

The fact that Firefox extensions are vulnerable was not on my radar until I read about the work being done by Mr. Suggi Liverani and Mr. Freeman. The researchers are in contact with Mozilla, and Mozilla has acknowledged the problem. If Mozilla's past performance is any indication, there should be some sort of solution shortly.

I would like to thank Roberto Suggi Liverani and Nick Freeman for their effort and willingness to explain the intricacies of extension vulnerabilities.


73 comments
jes

Are the exploits mentioned equally dangerous for Mac, Windows and Linux? On page 28 of the presentation FireFTP version 1.1.4 is mentioned, but as far as I can tell the latest version for Mac OS X is 1.0.6. Has that been fixed? Or is this issue only relevant for Windows?! Sorry about my ignorance.

Ocie3

Quote: "Yet another exploit avenue has been found. Some Firefox extensions have issues that provide bad guys a way to install malware." Thank you for an excellent article that brings this aspect of using Firefox to our attention. Since I began considering security matters almost "full time" in June 2008, I have sometimes wondered whether Firefox add-ons might have vulnerabilities. But, until now, I have not found anything about the matter, aside from occasional suspicions voiced on a few non-vendor "security support" forums such as Major Geeks and Spyware Beware (among others). We have known for quite a while that downloaded I.E. ActiveX controls can be dangerous, and Browser Helper Objects can be compromised, too. So it should not come as a surprise that Firefox add-ons are no less vulnerable than I.E. add-ons.

roydv

Thanks for a really excellent piece of journalism. Now we need a solution. Is there any possibility that Mr. Suggi Liverani and Mr. Freeman are prepared to compile and publish an updated list of approved extensions?

Craig_B

When it comes to security, it's always the weakest link. It doesn't matter if your front door is like Fort Knox when your side window is left open.

davidsonb

Great article. Thank you! I'm looking forward to Mozilla's solution, though I don't expect it to occur soon - this seems complicated. Another help in this situation would be a trusted source for add-ons. Instead of every system admin reinventing the wheel with their own testing, one group could rigorously test and re-publish at their site, or provide a digital certificate back to the maker to include with the add-on. I don't know the details of how a cert could be used, but it seems plausible. --Brian

specialfx63

Same for me. It wasn't on my "suspicion list" at all. I run 11 extensions on all of my FireFox installations, but 6 of the extensions are security related. I'll have to do some digging to make sure they're all secure. I'll certainly check out your list. Thanks Michael!

zerg1961

A really useful article, as was your previous one on the top ten security extensions. Thank you so much for alerting me to something I was wondering about; I have now had my suspicions confirmed. Thank you.

george.hickey

I've been using Firefox since it came out (and Mozilla for years before that) and was never one for adding extensions although that had been changing more recently. NoScript is the one extension I always add to any new install of Firefox and I think I might go back to just leaving it at that. I will certainly be a lot more careful about what extensions I consider using. Thanks again for the heads up!

seanferd

Of course, extensions are in the "install at your own risk" category, just like any others. (MS Office crashes from add-ons, anyone?) I'm just surprised I've never run into an analysis before. Thank you, S-A.com and Michael for your work and bringing it to public attention.

Ocie3

When I looked at the Security-Assessment web site on Monday evening, I saw that the Security Advisories section of the rightmost column on their home page listed a different series of vulnerabilities. One was for an extension, four were vulnerabilities in specific Firefox features per se, such as finding add-on updates. However, all of the vulnerabilities had been fixed, because S-A has a policy of contacting the software developer (Mozilla, for Firefox) to advise them of their findings, and give them a chance of rectifying the vulnerability before S-A publishes it. Which is to say that although the risk of a vulnerability is probably greater for most extensions, whether also for plug-ins, there is some risk of one or more vulnerabilities in Firefox itself. So running just Firefox without any add-ons, or with only a few that we should be able to trust (e.g., NoScript), probably reduces the risks but it does not eliminate the risks.

Michael Kassner

A good idea. I read your post awhile ago and found it an interesting possibility. I doubt most people would go through the trouble though.

Michael Kassner

I am sorry, I do not know the answer. I will query the researchers about your concerns.

Michael Kassner

I never cease to be amazed at how the weak link is always found, too.

RudHud

It strikes me that you might have missed a simple security step anyone can take right now: disable, but don't uninstall, any extensions you don't absolutely need. When there's a fix, you can enable them, hopefully with all their preferences intact.

Michael Kassner

As well. I try to only obtain extensions from Mozilla. Their next version is supposedly going to address some of these issues along with the plug-in problems.

Michael Kassner

As I learn more about what extensions are having issues, I will post it here.

Michael Kassner

The fun never ceases. I owe a great deal to Roberto. He was great to work with.

TNT

I too had suspicions, and even wonder sometimes about software vendors' update services. For instance, could a virus change the update web site used by Adobe Updater to instead connect to a malware site that would install more malware? A guy could really get paranoid...

JCitizen

but I don't think the PSI utility informs the user, only the business edition warns of vulnerabilities and helps with updates/patches.

Ocie3

I forgot to mention that Secunia PSI has a "Secure Browsing" tab, on which it displays a section for each web browser that it has identified as installed on the user's computer. So, PSI displays sections for I.E. and for Firefox, respectively, when I look at it. (PSI runs in the background all of the time that my computer is running.) In each section, PSI shows each component of the respective browser and has a small scale graphic that reflects the severity of any vulnerability that has been reported for that component, including ActiveX controls, BHOs, plug-ins (including Adobe Reader and Flash Player), extensions, themes, etc.. Of course, it only reports for components that are installed and reportedly contain a vulnerability (and its severity). I have found that Secunia PSI is a satisfactory guide to being aware of software updates and of unresolved security vulnerabilities not only in browsers, but for other software as well.

Michael Kassner

Yet, you have to realize that you are IT-educated and this is not an issue for you. What about the millions who are not? They don't want to be bothered. That is why Roberto mentioned that safe mode may be the best option for them and for enterprise settings.

grax

It would be helpful to know what the issues are. I have used FireFTP, one of the extensions that is claimed to be risky. I've never had a problem, but that's until today.... I notice that your thread has been stopped at 60 once again! The TechRepublic anti-security bias seems to be ever-present, especially when one considers that a recent (pointless) swipe at Linux by Jason Hiner has an ongoing screaming match that's reached 571. A total waste of bandwidth. Sadly, I'm getting to the point where these forums have no valuable input, except your own contributions, Michael.

JCitizen

I should send add-on suggestions to Secunia, but I never have. Perhaps they do check some of the popular ones? I notice Symantec DOES check them, as I get Norton popups saying this or that is a safe application. Perhaps Symantec has a list of dos and don'ts.

JCitizen

who thought this malware war was "fun". I know you're just being sarcastic, but I actually do relish the battle.

wdewey@cityofsalem.net

There was a TechRepublic article on this exact topic. The consensus was that if the update process used certificates to sign the update then they were fine, but if not then there was the possibility of installing malware instead of the update. Bill

Michael Kassner

My two favorite TPV free applications are TrueCrypt and Secunia PSI. I cannot say enough about them and their high level of quality. That said, it appears that Secunia may be missing some of the issues that the researchers are finding. I suspect that it is because the information from the security-assessment researchers is relatively new.

Ocie3

If you look at the NoScript whitelist, you will see an entry, chrome:, shown in white, because you cannot delete it, as well as some others. As stated in the answer to Question 5: ".... The chrome:// URI scheme is whitelisted in NoScript, as most extension code needs to run with chrome privileges to provide functionality. ...."

JCitizen

Every little tidbit helps; I love the details! I think you know how much I appreciate all your continuing efforts here, Michael. I don't always say it because I don't want to wear it out, but it is always implicit in all my communications here.

Michael Kassner

Firefox Chrome is in the inner workings of Firefox code. I tried to find out more about it, but failed miserably.

JCitizen

since I don't know the difference. I assumed it was a plug-in or such, to help interact with Google chrome. I actually know nothing about it. You know how assume can get one in trouble, except I'm the only @ss being made here! HA!=)

Michael Kassner

I have been careful to make the distinction between Chrome the Web browser and Chrome part of Firefox.

JCitizen

would be to decide which is more important, Chrome or FireFox. Since Chrome doesn't work on x64 Vista restricted accounts, I'd block all Chrome installations.

Michael Kassner

If you go to slides 28-29 you will see the exploit. FireFTP fixed the problem (slide 21, and kudos to them) in February of this year. I appreciate your loyalty; if you have any topics you would like to see discussed, please let me know.

JCitizen

to the table. It also lets me know if some measure of QOS is being used. Also whether the community thinks the file is safe, and offers to view the zip file before unpacking. Sometimes I can't get some security software to update properly when a new kernel is downloading; so I use FDM to get it from the usual sources, I trust, to get it onto my hard drive without waiting all afternoon. For those of you not out in the desert, you may have better service, and no need for this kind of utility. (edited) Also I find the user reviews at CNET much more useful than any other site or singular pundit on the thousands of software utilities available on the net. I believe a lot of Firefox tools/add-ons are included in those reviews.

Michael Kassner

It takes people like the two researchers from security-assessment.com to find the problems.

Ocie3

to me that any "review", whether from CNET or anyone else, of a Firefox add-on (an extension, plug-in or theme) includes an examination to determine whether it has any security vulnerabilities. The typical reviewer also cannot do that for Firefox itself, or any other program. The best reviewers will search the Internet before they write their review, so they might find a report about security vulnerabilities and exploits in the software that they are reviewing. Personally, I use the PDF Download extension because it "extends" the native Firefox file download features very well. But I do not know whether it is free of security vulnerabilities. I do not use any other "download manager".

JCitizen

so you don't have to worry about vulnerabilities inherent in it either! I discourage Software Informer, however; File Hippo's update scanner is vastly superior, and won't get you in trouble. I don't know if FDM still downloads with it, but I suspect that is how the open-source team that coded it gets paid. If I weren't so broke right now, I'd donate to them regularly.

JCitizen

that has an execution file of any kind. If it doesn't have a definition, it remains silent. So I don't see the popups every time I try a new add-on. I'm talking about NIS 2010. FDM is another one, but it is hard to get Firefox to relinquish download authority to it now that it has been closed, post Microsoft controversy. FDM did have an extension for FF, but it disappeared after this feature was closed. Funny, 'cause I never removed or disabled it. Free Download Manager has a community that seems more extensive than Mozilla's user reviews on the safety of add-ons. Perhaps CNET would be another good place to check FF files, as they have probably the best user reviews and extensive software coverage bar none.

JCitizen

Just too many over-educated, under-employed people in the Baltics, Russia, and China. This seems to be where the majority of crime rings originate. Some of the best coders still come from America, though. I just saw some Conficker arrests on the news this morning! Yep, in the US!

Michael Kassner

Sarcasm. I almost think my main emotion most of the time is being amazed at the abilities and drive of the cybercriminals. Wish we could channel that away from the dark side. Edit: Spelling

JCitizen

I use them on my machines; you'd think I'd remember! Thanks again, seanferd!

seanferd

Is that why it couldn't be changed? There's an app for that, too. (Sysinternals RegDelNull). Otherwise, any offline reg editor will do it.

JCitizen

he is an extension hound, and maybe this is a prime example of just what your article addresses! The attack is from the bad extension itself! Or a vulnerability of that extension. I still suspect the mysterious HTTP registry entry left over may be a foot in the door to restore the attack later. He has way too many extensions and I keep advising him to dump a lot of them. Cool Iris is one of them I just don't trust; but I can't directly condemn them, just that I smell it. I seem to have an affinity for sniffing out trouble with lesser-known applications. Maybe I've developed a gut instinct.

Michael Kassner

I am at a loss. The updates are coming from the extension developer's network. Strange; are you sure that is how it was shown? What extension was it?

JCitizen

It happened at opening, like you would expect it. You probably know what I mean when I talk about the extension popup that happens automatically upon first opening of Firefox. The one that lets you know you have updates. I could have misinterpreted his description, but this is what I remember. I had warned him before about fake update alerts, but I must admit I would have been fooled with this one too! Do you suggest he check his email with Internet Explorer before opening Firefox every morning? This to assure he is actually needing updates, of course?

JCitizen

CCleaner pointed to this as the only post-attack remnant.

Michael Kassner

J, a registry key entry changed? Firefox is so easy to install, I would try it.

JCitizen

My client noticed that there was a permanent HTTP change to his registry, that could not be corrected after his last attack; would totally reinstalling Firefox possibly correct this?

JCitizen

one of my clients received what looked like a legitimate update, and ended up installing four kinds of malware. Of course we have all heard of this, but the notification looked just like the official add-on notification, according to him. Fortunately he has my in-depth defenses, and after a brief battle with the malware, the defenses won. He had to do a registry cleanup afterward! It was a pretty bad attack. It took almost every one of his firewall, AV, and AS solutions to take care of each factor of the attack!

Michael Kassner

I am not sure what MS is doing to counter that scenario.

Michael Kassner

I wrote about that as it pertains to UAC. UAC recognizes the digital signatures from MS. MS is trying very hard to get TPV developers to add digital signatures to their code as well.

Curious00000001

Of course, if your computer is already compromised then the update service could still be modified. Unless you are reviewing and validating every update on your box, there is always the potential that this is happening. Even then you have to wonder...