Video: Firefox extension vulnerabilities may increase malware risk

Bill Detwiler highlights research from security experts who say Firefox extensions can be exploited to install malware.

Firefox extensions are a great way to customize and improve your browsing experience, but these add-ons can also be a security risk. During this episode of TR Dojo, I explain how these handy Firefox additions can be both a benefit and a hazard.

For those who prefer text to video, you can click the Transcript link that appears below the video player window or read Michael Kassner's article, "Some Firefox extensions may be exploited to install malware." In the article, Kassner interviews security researchers Roberto Suggi Liverani and Nick Freeman about the pair's examination of Firefox extension security. I also encourage you to download and read Suggi Liverani and Freeman's Defcon 17 presentation, "Abusing Firefox Extensions" (pdf) or listen to an audio recording of the event (m4b).

For more information on Firefox security and the add-on submission process, check out the following Mozilla resources:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

27 comments
Brian Bevan

No sound with the video? My system is OKAY!

jackie40d

I am glad I really do not have a lot of add-ons and extensions being used. I have Weather Bug, OldFactory original black, and the web page designer toolbar. Oh yeah, my website people added an easier way to go to the website with a toolbar for them.

sarrington

At 1:16 the video clip shuts off. I can't view the video; anyone know if this is going to be fixed? I am running Linux Ubuntu Mint with Firefox 3.5.3.

e_caroline

Thanks for the transcript button. I read the entire transcript while the introduction to the video was running. The video and slideshow presentations of tech issues are too often a huge waste of time for the literate reader... and, I would suggest, a huge waste of time and effort on the publisher's end... if the idea is to transmit information to a literate IT technologist user base. Thanks for allowing an opt out of the flashy presentations.... in favor of means that are efficient.

the_webninja

I am running Ubuntu due to all the security risks of Windows, and even running Ubuntu with Firefox I encountered some kind of a problem. Not sure if it is related to the issue described above, but it sounds like it might be. I have re-installed Firefox thinking this might solve the problem, but it didn't. What I noticed is happening is that whenever I run Firefox it works okay for maybe 15 minutes, then everything on the computer locks up and freezes and I can't close anything down unless I power off. A couple of times Ubuntu has had to repair the boot sector following this type of thing. (Viruses usually attack the boot sector.) So I switched to using the Google Chrome Linux version and everything works fine. This proves that the problem IS originating within the Firefox environment. Even though I am not a rocket scientist and I can't pinpoint the exact problem yet, the symptoms I have given here should give you a clue. Google Chrome for Linux runs smooth as silk, I might add, and actually presents a better appearance than Firefox in Linux, AND Google Chrome can run Silverlight in a Linux environment. (Don't ask me how, but it can. This is a program by Microsoft used to display video content such as Netflix streaming.) I strongly recommend you try Google Chrome. It is becoming the best friend of the Linux user. :)

swswsw

It scares me! I always trusted Firefox. Now I have to pay attention to using it safely.

PhilippeV

The Mozilla extension model is already specified, and has been opened to other participants than just the Mozilla Foundation's browsers, which also use the same old NPAPI extension interface (initially created by Netscape). Another model has been wanted for a long time (and is currently widely discussed by Google for its Chrome browser and by other open-sourcers for Chromium): it has been made to greatly improve the performance of plugins and extensions running in separate processes with stronger isolation. Anyway, the extensions themselves can easily work within Chrome, given that Chrome already isolates them by running them in a separate process, even if they create their own threads (something that should not be needed if there's already a dedicated process for the isolation, and this is the object of the new specification: reduce the memory footprint of plugins and extensions already running in their own process, instantiated and isolated by the main browser's process). The new API, which will replace NPAPI, is now supported by many extension authors and browser authors. As this is an open API, it will be made compatible with IE, without needing the old ActiveX extension API. It will also improve the isolation and policy of usage for real-time events and scheduled timers, to avoid some other risks that are caused by bogus extensions (notably the risk of stealing all the CPU resources) and also to reduce the risk caused by privileged critical sections (which can too easily freeze the PC, or render the GUI completely unresponsive, something that still occurs in all browsers, including IE with its unrestricted ActiveX pseudo-isolation, or in Google Chrome despite the process isolation, or in Firefox and all browsers based on its renderer, and even in Opera because it also depends on the NPAPI for its plugins). Time to drop NPAPI?

Yes, but the newer API will still offer a predefined thunking extension that allows some old extensions to run for some time (but if one of these old extensions dies or must be killed, all of them will die along with the common thunking extension, without killing the browser or other process-isolated extensions running with the new API). Anyway: we really need to have extensions with more fine-tuned isolation levels. Most of the extensions that require higher privileges are only those that need support for real-time events: they are audio/video renderers, mostly, or extensions that use their own scripting engine (such as Adobe Flash: one of the most widely used extensions, but also famous for causing most browser freezes). The new API should allow extensions to also request external support for a scripting engine, instead of having to embed their own (scripting engines are extremely critical in terms of security; they should be able to share the efforts made in them and be widely supported for use by browsers themselves for DHTML, XML requests, DOM, and CSS styling exposures). Chrome has already built a very strong scripting engine that runs in a VM; some other very strong VMs (e.g. the .Net or Java VM, or the newer Parrot VM, as well as Google's V8 engine, which is very fast but not necessarily as secure as the Java VM) should also be able to support the scripting engines. Browsers should then be more layered, and each layer better componentized and isolated. Process isolation is just one thing that Google has promoted with lots of success (other browsers should follow now, and this will occur in Mozilla browsers such as Firefox). Let's hope that Microsoft will also support the new open extension API, and allow extension developers to focus now on a single model, reducing their work for testing and making fewer bogus extensions, which will have been much better tested and designed to run in a much more restricted and safer environment.

But for now, the best thing to do in Firefox is still to uninstall almost all extensions, and only use those that are very widely supported and regularly updated: too many of these extensions, based on the NPAPI, are extremely insecure, except a few (which are also the most complex and also have their many bugs, but which nevertheless have good support):

- Adobe Flash (many people don't like it because it is too powerful and is used by too many advertisers; however there are tons of websites using it, and this will continue as long as HTML 5 and CSS 3 are not finalized and deployed)
- Windows Media Player (many people do not even install it, given that most videos on websites are now playable with the Adobe Flash player only)
- RealNetworks player (same remark)
- Apple QuickTime (same remark)

Note that even when HTML5 and CSS3 are finalized and deployed, there will still be a need for audio/video renderers. However, they should no longer depend on the above plugins, given that audio/video renderers should now be supported natively by the browsers, for most common audio/video standards and media encapsulation formats (MP3 Layer 1, MPEG4, H.264, hopefully Ogg as well), just like with standard static image formats (GIF, JPEG, PNG, hopefully Vorbis as well); some plugins will still be needed for protected audio/video descramblers (in applications like VOD or for music demos), but should only have to focus on managing user rights and providing the decryption keys. The encryption/decryption algorithms should be developed separately and be pluggable as well; most of them should be developed and integrated by browser authors, instead of by the zillions of extension authors that cannot test them so extensively and cannot provide fast enough corrections and support in the case of discovery of bugs and security holes.

But really, now the most severe security holes are not in the browsers, but in the servers: there's lots of effort to do in server-side extensions and scripts (notably PHP, SQL engines...), and in websites' company organisation and policies (notably for privacy issues and protection of personal data). And here, even if you use the safest browser, the illusion of security fades away because of servers and the large organizations that drive them with abusive policies: the "eTrust" or "Safe Harbour" initiatives or standards like "P3P" are really weak, and it's too easy to reuse a session from some website user profile and allow it to get access to information that should only be exposed to another user. But the worst are the commercial practices and the way the various companies are sharing and crossing data about anyone, and the way they secure their internal accesses, or how they authenticate those that can provide some additional services to other people (notably the many domain name registrars and DNS hosting providers: they accept too many abusive people with fake identities that will cause lots of damage to many people around the world by running phishing and illegal activities). You won't be able to solve all Internet security issues only within browsers.

tbostwick

Firefox has proven itself to be a very handy tool and perhaps the most well-rounded browser of all those on the market. I'd agree that any extension is a security risk, but the user base also does a great job of flagging the "bad" apples and getting them removed; eventually, those extensions fall by the wayside as a new version of Firefox is released. This is no different from Apple and the App Store, which has as much to lose/gain by allowing apps to interfere with or corrupt other apps; it happens. I'm more concerned about M$ changing system params, which have affected Firefox more than any one extension. For Firefox users, some of the best tools in the game are NoScript, FlashBlock and AdBlock, to name a few in the "security" realm; all add-ons, and all have been around for quite some time. In regards to compatibility across other add-ons, that's the way of the world now: either write code that "does" play nice or be fearful that your app will be rated 1-star and never downloaded again. This is the way of the new world in regards to apps, and it works.

walrus

I've never had a virus on my computer, and I've been using Firefox for years.

briceorbryce

As an avid user of Firefox for a couple of years, I have to say they're somewhat safe. Every once in a while I visit the add-ons site to see if there's anything worth d/l'ing, and it always makes me nervous when I add a new add-on, even if it's marked as "recommended".

Bill Detwiler

In the above TR Dojo post, I highlight research from security researchers Roberto Suggi Liverani and Nick Freeman, who say Firefox extensions can be exploited to install malware. How safe do you think Firefox extensions are? Did you change your mind after watching the video? Let me know. Original post and poll: http://blogs.techrepublic.com.com/itdojo/?p=1662

LawrenceFine

But I was using IE 8 on Windows Vista....

bspallino

I think the problem may be a little closer to home, or maybe you have one of these Firefox viri running. I used Chrome, no problem, so went back and ran it again in Firefox: again no problem.

tbostwick

And as someone who's worked on thousands of machines, from Win to Mac, Ubuntu to Debian boxes: Firefox is the browser of choice, and in not one of those cases of a needed PC repair was the root cause tied to a Firefox add-on. Not one. Registry problems, bad drivers, improper uninstallations, and users not running firewalls or A/V when needed are still at the top of the list by far if you're running Windows.

Ianpc04

I found an alternate web browser, K-Meleon, that uses similar features to Firefox. It is updated pretty regularly, and it has the ability to run as a different web browser depending on your preference. Also, it has many features that block potential code from running altogether, so you end up much better off: options like Java, disabling frames, disabling HTTP redirects, Flash, etc. If you're interested in a faster-running browser that has all these features, check it out: http://kmeleon.sourceforge.net/ Ever since I switched I haven't gone back.

bspallino

Bill, I'm a big fan of you and the Dojo and look forward to it coming out. But you've really tarnished your image, in my eyes, and your credibility, with this one. Sensei, why, oh why, would you open this "lesson" with a Microsoft ad? Was it not going to be apparent enough to all of us that this little bit on Firefox just might have had some MS involvement? Despite its obviously cynical foray into Open Source with CodePlex and its "contributions" to Linux, Microsoft remains an active enemy of Open Source where it competes on its territory, and supporters of the O/S community are always skeptical of its motives in this area. As I gaze at the Office 2010 ad just to the right of where I type, I have to wonder where TR's journalistic integrity has gone. I know you have to pay the bills, but jeez! As a side note, I'd like to know to what extent these vulnerabilities extend to the Linux OS. Not touching upon this is the biggest faux pas made; that, and the fact that the "sniff" of this is that this vulnerability has something to do with Firefox itself, and not stressing (although you hinted at it) that most of these extensions (and I'd venture to say, all of the bad ones) are community contributed, and not a direct part of the Mozilla project itself. This is a concept that is extremely foreign to the vanilla Microsoft crowd. When an on-air journalist begins to plug a product (or knock another one) there is generally a disclaimer. Example: when Leo Laporte plugs NOD32, he never fails to mention that they're a sponsor. He does the same thing when he rips Norton Anti-virus. Should you not have prefaced your remarks with a similar qualification? I think a follow-on touching on some of these points would be in order. Bill

valduboisvert

I've been using Firefox for years, both in Windows and Linux. Roughly, I had 3 successful malware attacks in 8 years, and on my wife's laptop 2 in 4 years. All cases were under Windows, though. And I have no idea if I can blame the add-ons for what happened. I would be curious to find out how many attacks some IE user had in a similar time frame, one who's a heavy internet user like us. Overall, Firefox has a faster response to fixing bugs and/or releasing security updates, and this is what matters. There is a high probability exploits will always be there. And the Firefox team is doing a darn good job at fixing them. As for the add-ons, generally speaking I believe the software design model needs some more work. Judging by some open discussions I read when Chrome was released for the first time, even Chrome's add-ons can theoretically be exploited in a similar way. So I, for one, am very careful what add-ons I install, regardless of the browser.

bboyd

That's when it's no longer safe. Oh wait, that is not what you're asking! The extension system can be abused like any feature. But less so than IE's weakness in the same place, just because it's called Add-ons.

bspallino

I've been using Chrome for about two weeks. It's a great browser as well; I finally made it my default browser (although neither Chrome nor Firefox will run my VMware console? Curious.)

bckerr

First off, he did say that the vulnerabilities were related to 3rd-party extensions and not Mozilla itself. Second, he is just bringing to light the vulnerabilities that exist because of badly written extensions, or ones written by people who do it for a hobby. Not because they want to tarnish Firefox in any way. For TR Dojo to come out and let us know that these extensions written by 3rd parties can be potentially harmful is a great benefit to us Firefox users. I don't think what he said about the vulnerabilities in Firefox has any bearing on IE, Chrome or Safari. They all have their own vulnerabilities too.

raykaville

I have to vehemently disagree with your comment about "...firefox has a faster response to fixing bugs ... firefox team is doing a darn good job at fixing them." Aside from being the same giant memory hog on this XP machine, it's been eight years since the nuisance popup was installed in FF, and those darn good engineers have not been able to fix it. Any compiled page causes it to pop up and annoy the user. It doesn't have to be something to do with sensitive information; it just pops up everywhere. https://bugzilla.mozilla.org/show_bug.cgi?id=160144 Huge numbers of people have pleaded and begged, only to be argued with and slapped down or simply ignored. It's a long story, but suffice it to say it's an easy fix to put in an option to turn it off, and they can't do it. They are very good at excuses, though. A couple of forced "upgrades" back, they even managed to "fix" the "reload image" command so it no longer works. All the non-displayed attachments I was able to at least manually view can no longer be seen, and now there's no way to call them. The third-party extension "DownThemAll" still collects them to the drive, but I have to save everything in order to find out what I'm saving. Not holding my breath to see how long it takes them to fix that one. If ever. Nope. I don't know what things they've fixed for you, but they have never resolved anything for me or the hundreds of people who've been complaining since 2002. As far as extensions, the few that I have added work great. The trick is: don't add anything you don't really need. 'Fancy' costs processing and memory. Also, research the pieces you want to add on. There are usually a bunch of comments by people that will tell you whether it's something you really want to mess with.

Bigbrim

I also have been using Firefox for many years. Knocking on my bald head, I've never had a problem. I use only a choice few add-ons for my users. Virtually any browser is vulnerable, and the built-in Firefox XPCOM components are no exception. Firefox does a fabulous job releasing security updates and fixing any bugs. Although not foolproof, users must select a well-known and proven add-on, as many of these are quickly updated too. I've also used Opera as well, but Firefox is a favorite.

bspallino

I've not had that problem, other than having to reload the Flash plugin again. Can you give an example? I'd hate to recommend it to clients if they're going to have issues. Thanks in advance!

bckerr

I enjoy Chrome's speed and sleek feel, but it fails to load several pages I have been to so far. Which, to me, will make it 4th on my list; if it can't load webpages correctly, why bother using it?

e_caroline

Some of the problems you experience in trying to download copyrighted pics are based in the sites you visit. It isn't Firefox that is betraying you... it is that the people who own the copyright have put barriers in your way to make it difficult to pirate their artwork. Since the pic lands on your machine where you can look at it... it is possible to skim a copy for yourself using software that allows you to save a copy of stuff for which you have no valid license. Firefox adheres to the standards for webpage languages better than IE does... and among those features are roadblocks to make piracy more difficult. A web page author can disallow the easy copying of their artwork. I have seen it often on sites featuring intellectual property. This doesn't prevent piracy... it just prevents the easy, unthinking piracy of art works... you have to deliberately work to get the stuff that is not yours.

e_caroline

This seems like a valid warning rather than a bug. I've used both Firefox and Yahoo mail for well over a decade... no complaints. The "memory hog" accusations are leftovers from the ancient past... and have long since been resolved... many, many incarnations of Firefox in the past. To be perfectly blunt... and having provided a ton of user support to people, both newbie and sophisticate... I am thinking it is user error of some sort, or misunderstanding of the warning... on your part, that is the cause of your complaints. Or perhaps an effort to run XP on a Tandy 1000. Whatever the source of your complaints... I really think that you are in error blaming the Firefox developers for the difficulties you experience.