Firefox Extensions are Cool but Do These Extensions Have Vulnerabilities
Posted April 13, 2010
I just Love My Firefox Extensions but Will They Come Back and Bite Me in the Arse?

I have been telling you about all the really cool add-ons for Firefox lately, but I ran across some information on TechRepublic today that just might have me apply a little pressure on the brake pedal.
This particular video informs us about the vulnerabilities in the Firefox extensions.
Bill Detwiler does a great job of explaining the things we should be aware of, how to check them out, and how to avoid them altogether.
There is also a blooper reel at the end of the video that is worth watching.
(Post from Search Engine Optimizician.)
Firefox extension vulnerabilities may increase malware risk by Bill Detwiler.

I have also included a video transcription.
TR Dojo: Firefox extension vulnerabilities and malware
Bill Detwiler: Firefox extensions are a great way to customize and improve your browsing experience. But, they can also be a security risk.
I’m Bill Detwiler, and during today’s episode of TR Dojo, I’ll explain how these handy additions can be both a benefit and a hazard.
Before we talk about their potential danger, it’s probably a good idea to explain the difference between Firefox add-ons, plugins, and extensions.
Basically, add-ons are all the Firefox enhancements that users can install, and there are three types of add-ons — extensions (such as NoScript and Adblock), plugins (such as QuickTime or Flash), and themes (which change the look of the browser).
For the purpose of this video, we’ll be focusing on just extensions.
At last year’s DEF CON 17, security consultants Roberto Suggi Liverani and Nick Freeman delivered a presentation on how an attacker could use Firefox extensions to install malware.
In a subsequent interview with TechRepublic blogger Michael Kassner, the two men explained how this could happen.
First and foremost, the two say Mozilla's extension security model is weak, and they provide several examples.
To begin with, extension code is fully trusted by Firefox. Therefore any vulnerability in that code could result in the entire system being compromised.
Second, there are no security boundaries between extensions, meaning that one extension could silently modify another.
Third, the C++ Cross-Platform Component Object Model (or XPCOM) components are subject to memory corruption.
Fourth, extension vulnerabilities are platform independent.
Fifth, there are no security policies to allow/deny Firefox access to internal API, XPCOM components, and the like.
And lastly, any Mozilla application with the extensions system (such as Thunderbird) is also vulnerable.
Second on Suggi Liverani and Freeman's list of extension vulnerabilities is the human factor. They claim that many end users have a false sense of security about extensions because they are being downloaded from Mozilla. Furthermore, those who develop extensions often do so as a hobby and may not necessarily be aware of how dangerous a vulnerable extension can be.
And lastly, the pair believes Mozilla should improve the security assessment for new extensions.
To prove their point, Suggi Liverani and Freeman cite three examples of compromised extensions:
- FormSpy, which in 2006 was designed to install the downloader-AXM Trojan.
- Firestarterfox, which in 2008 was designed to hijack search requests and route them through a Russian website.
- And the Vietnamese Language Pack, which shipped in 2008 and included adware.
So how do you protect yourself from extension vulnerabilities?
Unfortunately, the best defense seems to be avoiding extensions altogether. You can do this in a corporate environment by configuring Firefox to run only in Safe Mode, which will prevent users from being able to install extensions. But even this is a double-edged sword, as it will also prevent you from running NoScript, a very popular extension that helps protect users from unsafe Web sites.
For developers, the pair recommends following the Open Web Application Security Project (OWASP) developer guide and checking the code of similar extensions for ideas on how to avoid the vulnerabilities.
For security professionals, they suggested adhering to the OWASP testing guide and watching for information on new threats.
If you're an end user, the pair provides several tips:
- First, don’t automatically trust extensions.
- Check Bugzilla for new information about extension-security issues.
- Make sure extensions are up-to-date.
- And as I mentioned earlier, consider running Firefox in Safe Mode.
Lastly, remember that extensions require user interaction to be installed. So if you find an extension that you really want to use, carefully research it before clicking install.
For more information on Firefox extension vulnerabilities and technical details of how they can be exploited, check out Michael Kassner’s interview with Suggi Liverani and Freeman. I also encourage you to read the pair’s DEF CON 17 presentation on the subject.
It’s also important to note that according to Mozilla, all add-on files are scanned for malware when uploaded to their site. The files are also put through a Code Validation Tool that looks for possible code quality issues. Lastly, in February 2010, the organization published a lengthy description of the add-on review process, including steps they’re taking to improve security.
I’ll link to the Mozilla article, Kassner’s interview, and Suggi Liverani and Freeman’s presentation in the TR Dojo blog.
As always, for more teachings on your path to becoming an IT Ninja, visit trdojo.techrepublic.com, or you can follow me on Twitter at twitter.com/billdetwiler.
Thanks for visiting the TR Dojo.
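The end-user tips in the transcript (don't trust extensions automatically, keep them up to date, and in a corporate setting restrict what can be installed) are easiest to act on if you can see what a profile actually contains. The following Python script is an added example, not code from the video, from TechRepublic or from Mozilla. It audits the extensions.json file that Firefox keeps in a profile directory and flags extensions that were sideloaded from outside the profile, that carry no Mozilla signature, or that are not on a site allowlist. The field names and the meaning of the signedState values are assumptions about that file's layout, the sample record is constructed, and every extension id in it is a placeholder.

```python
"""Audit the add-ons recorded in a Firefox profile's extensions.json.

Added example, not from the TechRepublic video or the blog post. It assumes
the extensions.json layout Firefox writes into a profile directory (an
"addons" array whose entries carry id, version, type, location, signedState,
userDisabled and defaultLocale.name). The sample below is constructed and
its extension ids are placeholders.
"""
import json
from pathlib import Path

# Assumed meaning of signedState: 2 = signed by Mozilla's add-on service,
# 1 = preliminary signature only, 0 = no signature, -1 = broken signature.
SIGNED_OK = 2

# Constructed sample: three extensions (signed, sideloaded, unsigned) and one theme.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "signed-ext@example.test", "version": "1.2.0",
         "type": "extension", "location": "app-profile",
         "signedState": 2, "userDisabled": False,
         "defaultLocale": {"name": "Signed Profile Extension"}},
        {"id": "sideloaded-ext@example.test", "version": "0.9.1",
         "type": "extension", "location": "app-system-share",
         "signedState": 2, "userDisabled": False,
         "defaultLocale": {"name": "Sideloaded Extension"}},
        {"id": "unsigned-ext@example.test", "version": "3.0",
         "type": "extension", "location": "app-profile",
         "signedState": 0, "userDisabled": True,
         "defaultLocale": {"name": "Unsigned Extension"}},
        {"id": "dark-theme@example.test", "version": "1.0",
         "type": "theme", "location": "app-profile",
         "signedState": 2, "userDisabled": False,
         "defaultLocale": {"name": "Dark Theme"}},
    ],
})


def load_addons(text):
    """Parse extensions.json text and return the list of add-on records."""
    return json.loads(text).get("addons", [])


def audit_addons(addons, allowlist=None):
    """Return (id, issue, detail) tuples for extensions worth a second look.

    Checks: installed outside the profile (sideloaded rather than chosen by
    the user), not signed by Mozilla, and, when an allowlist is given, not on
    it. Themes and plugins are skipped because the video is about extensions.
    """
    findings = []
    for addon in addons:
        if addon.get("type") != "extension":
            continue
        ext_id = addon["id"]
        location = addon.get("location", "unknown")
        if location != "app-profile":
            findings.append((ext_id, "sideloaded", f"location={location}"))
        state = addon.get("signedState", 0)
        if state < SIGNED_OK:
            findings.append((ext_id, "unsigned", f"signedState={state}"))
        if allowlist is not None and ext_id not in allowlist:
            findings.append((ext_id, "not-allowlisted",
                             f"version={addon.get('version')}"))
    return findings


def audit_profile(profile_dir, allowlist=None):
    """Audit a real profile directory, e.g. ~/.mozilla/firefox/<profile>."""
    text = (Path(profile_dir) / "extensions.json").read_text(encoding="utf-8")
    return audit_addons(load_addons(text), allowlist)


if __name__ == "__main__":
    # Run against the constructed sample with a one-entry corporate allowlist.
    report = audit_addons(load_addons(SAMPLE_EXTENSIONS_JSON),
                          allowlist={"signed-ext@example.test"})
    for ext_id, issue, detail in report:
        print(f"{issue:16} {ext_id:32} {detail}")
```

On a real machine you would call audit_profile() with the profile path instead of the sample; a disabled extension is still reported because its files remain on disk until it is removed, which is exactly the state the "keep extensions up to date" and "research before you install" advice is meant to avoid. The allowlist is optional so the same script serves a home user who only wants the sideload and signature checks.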
Thanks for the great information Bill and TechRepublic.
Late,
Gary Pool SEO