Thursday, May 31, 2007

Firefox add-ons may open doors to hackers

The majority of Firefox extensions are hosted and updated from Mozilla's own SSL-secured add-ons site and are not vulnerable to this attack. However, a number of widely used third-party extensions, including Google Toolbar, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker, are among the at-risk add-ons: they check for and fetch updates from their vendors' own servers over unencrypted HTTP, so nothing authenticates the server or the code it returns.

Christopher Soghoian, a Ph.D. student at Indiana University, outlined how "man in the middle" attackers, especially on public wireless networks, could intercept an extension's plaintext update check, answer it with a malicious add-on disguised as the legitimate new version, and have Firefox install their code in place of a normal update to one of the vulnerable extensions.

"It's sort of a compounding of errors," Soghoian said. "Mozilla didn't tell developers that they should update from a secure link; they erred in assuming everyone would know to do that. But the add-on developers are at fault for not using a secure server."

"It was really frustrating. Firefox was fantastic, but some of the other firms, they either ignored my e-mails or didn't reply," Soghoian said. He fingered Google Inc. as especially uncooperative. Between April 16 and May 24, he sent Google's security team five e-mails but received only one reply, on May 25, that said the group was working on a fix that was to be deployed before today. As of today, however, Google Toolbar was being served from an unsecured URL.

"This was really eye-opening," said Soghoian, who interned with Google's Application Security Team last summer.

"Vendors should be doing everything possible to encourage researchers," he said. "They should be encouraging us to come to them rather than sell the vulnerabilities to iDefense or Tipping Point. Ignoring researchers isn't the best way to encourage an open dialog."

Soghoian recommended that until affected extension vendors release secure updates, users should either remove or disable all Firefox extensions and toolbars that have not been downloaded from the official Mozilla Add-Ons site.
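A practical way to act on that advice is to check which installed add-ons declare a non-HTTPS update location. Firefox 2-era extensions declare their update endpoint in the em:updateURL field of each add-on's install.rdf; an extension with no em:updateURL falls back to Mozilla's own add-ons update service. The script below is an added example written for this page, not code from the article, from Soghoian's research or from Mozilla; the three sample manifests are constructed for the demonstration and the add-on IDs and update hosts in them are invented.

```python
"""Audit Firefox install.rdf manifests for update URLs that are not served over HTTPS."""
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
INSTALL_MANIFEST = "urn:mozilla:install-manifest"

# Constructed sample manifests for the demonstration; none corresponds to a real add-on.
# They cover the three cases an auditor meets: no updateURL (AMO default), an
# http:// updateURL as a child element, and an https:// updateURL as an attribute.
SAMPLE_MANIFESTS = {
    "amo-hosted": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>amo-hosted@example.invalid</em:id>
    <em:version>1.0</em:version>
  </Description>
</RDF>
""",
    "http-element": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@example.invalid</em:id>
    <em:version>2.3</em:version>
    <em:updateURL>http://updates.example.invalid/toolbar/update.rdf</em:updateURL>
  </Description>
</RDF>
""",
    "https-attribute": """<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description RDF:about="urn:mozilla:install-manifest"
                   em:id="checker@example.invalid"
                   em:version="0.9"
                   em:updateURL="https://updates.example.invalid/checker/update.rdf"/>
</RDF:RDF>
""",
}


def update_url(manifest_xml):
    """Return the em:updateURL declared in an install.rdf, or None if it has none."""
    root = ET.fromstring(manifest_xml)
    for desc in root.iter("{%s}Description" % RDF_NS):
        # The about= attribute may be written with or without the RDF prefix.
        about = desc.get("{%s}about" % RDF_NS, desc.get("about"))
        if about != INSTALL_MANIFEST:
            continue
        # RDF allows the property either as a child element or as an attribute.
        el = desc.find("{%s}updateURL" % EM_NS)
        if el is not None and el.text and el.text.strip():
            return el.text.strip()
        attr = desc.get("{%s}updateURL" % EM_NS)
        return attr.strip() if attr else None
    raise ValueError("no install-manifest Description found in install.rdf")


def classify(url):
    """'amo-default' when no URL is declared, 'https' when TLS-protected, else 'insecure'."""
    if url is None:
        return "amo-default"
    parsed = urlparse(url)
    if parsed.scheme.lower() == "https" and parsed.netloc:
        return "https"
    return "insecure"  # http://, ftp://, or anything else an on-path attacker can rewrite


def audit(manifests):
    """Map each add-on name to (declared update URL, verdict)."""
    report = {}
    for name, xml in manifests.items():
        url = update_url(xml)
        report[name] = (url, classify(url))
    return report


def insecure_addons(manifests):
    """Names of the add-ons whose update check is exposed to a man-in-the-middle."""
    return sorted(name for name, (_, verdict) in audit(manifests).items() if verdict == "insecure")


def scan_profile(extensions_dir):
    """Audit every <profile>/extensions/<id>/install.rdf in an unpacked extensions folder."""
    manifests = {}
    for path in Path(extensions_dir).glob("*/install.rdf"):
        manifests[path.parent.name] = path.read_text(encoding="utf-8")
    return audit(manifests)


if __name__ == "__main__":
    for name, (url, verdict) in audit(SAMPLE_MANIFESTS).items():
        print(f"{name:16} {verdict:12} {url or '(Mozilla add-ons update service)'}")
```

Point scan_profile at the extensions directory of a Firefox profile to run it against real add-ons. Two caveats apply: an https:// em:updateURL only protects the update check itself, so the em:updateLink inside the served update.rdf, which is where the new XPI is actually downloaded from, also has to be https:// for the update path to be safe end to end; and the script only reads what each manifest declares, so an add-on that updates through its own code outside Firefox's update mechanism will not be flagged.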

In an e-mail today, Mozilla's director of ecosystem development, Mike Shaver, acknowledged the danger that insecurely hosted and updated add-ons pose, and he urged extension developers to fix the problem.

"We strongly encourage the providers of such add-ons to remedy their hosting situation promptly to minimize the exposure to the users of their software," Shaver said. "Users of add-ons hosted on AMO, including all of the ones we've been working on, are not at risk here."

On another note, Mozilla released six new patches for Firefox today. The updates bring the current browser to version 2.0.0.4 and the older 1.5 branch to 1.5.0.12. Firefox 2.0.0.4 can be downloaded from the Mozilla Web site for Windows, Mac OS X and Linux; Firefox 1.5.0.12, meanwhile, is available from a separate page. Current users can also update using the Check for Updates command in the Help menu.


Thank you
Geek-News.Net