(Updated) Remote vulnerability in high-profile Firefox extensions

Summary: Even after you install the latest security updates from Mozilla, those browser extensions you use and love could put you at risk of code execution attacks.

TOPICS: Browser, Security
Today is Firefox Patch Day, but even after you install the latest security updates from Mozilla, those browser extensions you use and love could put you at risk of code execution attacks.

(Image: Google Toolbar for Firefox)

According to independent researcher Christopher Soghoian (of boarding pass hacker fame), there is a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions that lets an attacker covertly install malware that runs within the Firefox browser.

In a detailed advisory, Soghoian lists the following high-profile add-ons as vulnerable:
  • Google Toolbar
  • Google Browser Sync
  • Yahoo Toolbar
  • Del.icio.us Extension
  • Facebook Toolbar
  • AOL Toolbar
  • Ask.com Toolbar
  • LinkedIn Browser Toolbar
  • Netcraft Anti-Phishing Toolbar
  • PhishTank SiteChecker

The vast majority of add-ons hosted at Mozilla's official repository (https://addons.mozilla.org) are not vulnerable, but because the extensions listed above fetch their upgrades from sites that cannot be trusted, millions of Firefox users are sitting ducks for man-in-the-middle attacks, Soghoian said. (See the QuickTime movie demo of the attack.)
Essentially, an attacker must somehow convince your machine that he is really the update server for one or more of your extensions; the Firefox browser will then download and install the malicious update without alerting the user that anything is wrong. While Firefox does at least prompt the user when updates are available, some commercial extensions (including those made by Google) have disabled this prompt and silently update their extensions without giving the user any say in the matter.

A DNS-based man-in-the-middle attack will not work against an SSL-enabled web server. This is because SSL certificates certify an association between a specific domain name and an IP address. An attempted man-in-the-middle attack against an SSL-enabled Firefox update server will result in the browser rejecting the connection to the masquerading update server, as the IP address in the SSL certificate and the IP address returned by the DNS server will not match.
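The property Soghoian's description turns on, whether an extension fetches its update manifest over plain HTTP or over HTTPS, can be audited locally from the extension's install manifest. The script below is an added example, not code from the article or from Mozilla: it reads the install.rdf manifests in a Firefox profile (the Firefox 2-era `extensions/<id>/install.rdf` layout is assumed) and flags every extension whose `em:updateURL` is not `https`; an extension with no `em:updateURL` is treated as updating from addons.mozilla.org, which is the browser's default. The extension ids and hosts in the embedded manifests are constructed placeholders. One caveat to the paragraph above: what a TLS certificate binds is the server's hostname to a public key vouched for by a trusted CA, not an IP address; a DNS-level attacker fails the check because it cannot present a valid certificate for the real hostname, which is why the scheme of the update URL is the thing worth auditing.

```python
"""Audit Firefox install.rdf manifests for update channels an on-path
attacker could tamper with (added example; not from the article or Mozilla).

Assumptions (mine, not the article's): the classic Firefox 2-era layout
<profile>/extensions/<extension id>/install.rdf, and that an extension
without em:updateURL is updated from https://addons.mozilla.org.
The three manifests at the bottom are constructed samples.
"""
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"
AMO_HOST = "addons.mozilla.org"  # default update host when em:updateURL is absent


def _em(desc, name):
    """Read em:<name> from an RDF Description, written as child element or attribute."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text and child.text.strip():
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")


def audit_manifest(xml_text):
    """Classify one install.rdf by how its update manifest is fetched."""
    root = ET.fromstring(xml_text)
    # Only the top-level Description is the install manifest; nested ones
    # (em:targetApplication) carry the *application's* em:id, not the add-on's.
    desc = root.find(f"{{{RDF}}}Description")
    if desc is None:
        raise ValueError("not an install manifest: no top-level rdf:Description")
    report = {"id": _em(desc, "id"), "updateURL": _em(desc, "updateURL")}
    if report["updateURL"] is None:
        report.update(host=AMO_HOST, secure=True,
                      reason="no em:updateURL; Firefox checks addons.mozilla.org over HTTPS")
        return report
    parts = urlparse(report["updateURL"])
    report["host"] = parts.hostname
    if parts.scheme == "https":
        report.update(secure=True, reason="update manifest fetched over TLS")
    else:
        report.update(secure=False,
                      reason=f"update manifest fetched over {parts.scheme or 'an unknown scheme'}; "
                             "anyone who controls DNS or the network path can substitute it")
    return report


def audit_profile(profile_dir):
    """Walk <profile>/extensions/*/install.rdf and audit each manifest found."""
    reports = []
    ext_root = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_root):
        return reports
    for ext_id in sorted(os.listdir(ext_root)):
        manifest = os.path.join(ext_root, ext_id, "install.rdf")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8") as fh:
                reports.append(audit_manifest(fh.read()))
    return reports


def insecure_ids(reports):
    """Ids of extensions whose updates a man-in-the-middle could swap out."""
    return [r["id"] for r in reports if not r["secure"]]


def _manifest(body):
    """Wrap a Description body in the install.rdf boilerplate (constructed sample)."""
    return (f'<?xml version="1.0"?>\n<RDF xmlns="{RDF}" xmlns:em="{EM}">\n'
            f'  <Description about="urn:mozilla:install-manifest">\n{body}\n'
            f'  </Description>\n</RDF>\n')


# Constructed samples: ids and hosts are placeholders, not real extensions.
INSECURE_MANIFEST = _manifest(
    "    <em:id>toolbar@example.invalid</em:id>\n"
    "    <em:version>1.0</em:version>\n"
    "    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>")
SECURE_MANIFEST = _manifest(
    "    <em:id>signed@example.invalid</em:id>\n"
    "    <em:version>1.5</em:version>\n"
    "    <em:updateURL>https://updates.example.invalid/update.rdf</em:updateURL>")
AMO_MANIFEST = _manifest(
    "    <em:id>amo-hosted@example.invalid</em:id>\n"
    "    <em:version>2.0</em:version>")

if __name__ == "__main__":
    for text in (INSECURE_MANIFEST, SECURE_MANIFEST, AMO_MANIFEST):
        r = audit_manifest(text)
        print(("OK  " if r["secure"] else "RISK") + f" {r['id']}: {r['reason']}")
```

Pointing `audit_profile()` at a real profile directory gives the same report for every installed extension; `insecure_ids()` is the list a user following Soghoian's advice would uninstall or wait on a signed update for.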
Soghoian warns that Firefox users are most vulnerable when using a public or unencrypted wireless network, a wireless or wired router that has been hacked through a drive-by pharming attack, or a 'network hub' in an office or school setting. In the advisory, Soghoian recommends that Firefox users uninstall all extensions that have not been downloaded from the official Mozilla site. Users of the Google Pack suite of software are most likely vulnerable, as it includes the Google Toolbar for Firefox, he said.

Read the full advisory for technical details and the disturbing responses from some big-name vendors. More from Ryan Singel at Threat Level and Brian Krebs at Security Fix.

[UPDATE #1: May 30, 2007 @ 3:53 PM] A response from Yahoo's del.icio.us in the Talkback section:
I'm the product manager for the del.icio.us extensions, and I just wanted to say that our new 1.5 extension was never vulnerable to this attack, and we patched the older 1.2 release as soon as we heard about the issue at the beginning of May. Current 1.2 users should have received notification when launching Firefox and will get the signed version of the extension when accepting the update. As of early May, all official del.icio.us extensions are signed and hosted on addons.mozilla.org and are served over SSL as a result.
[UPDATE #2: May 30, 2007 @ 5:13 PM] Mozilla security chief Window Snyder has joined Soghoian in recommending that add-on developers require SSL for updates. Snyder also says that the next major Firefox revision will look at ways to block this attack vector:
For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels and investigating ways to universally improve updates for add-ons. There are a number of options being considered, all of which are designed to make it easy to write secure add-ons.

  • That was

    a more detailed description of a vulnerability than I have seen for anything on Zdnet in a long time. (if ever)
    Why can't a description such as that be given for the products of Apple, Microsoft, etc?
    I mean that was pretty specific.
    • Specifics Appreciated

      Actually, Ryan is very often specific in his vulnerabilities, whether it be about Apple, Microsoft, or whatever. It's something I've come to appreciate when reading his columns. When it comes to security and vulnerabilities, the more specific the better.
      • And I have seen that

        HOWEVER my point was more that if Ryan can spend the, what, 5 - 10 minutes to come up with that information then why can't others?
        I just didn't word it the way that I wanted to.
        To get a specific "if you use this part in this way then this may happen due to this specific flaw" is not commonplace around here. We are more likely to get told there is a vulnerability and that they plan on fixing it than we are the specifics.
    • no need for toolbars

      Why does anyone using Firefox need ANY add on toolbars ?

      Any links you want can be put into the multi-search icon ( I have 10 search engines there ) or as a link in the personal toolbar.
  • just M$ scare tactics

    I bet nobody will suffer any harm if they use Firefox with extensions.
    Linux Geek
    • Idiot

      No one even mentioned Microsoft. You certainly have your panties in a wad over this. You're a broken record playing an obnoxious tune.
      • Shut up, fool.

        Hallowed are the Ori
        • Damn, that was meant for the Linux Geek idiot, not you.

          Hallowed are the Ori
    • Microsoft

      Do you get paid by the post or weekly to make linux users look like morons, LG??
      or are you trying vainly to be mike cox??
      • I think he is a typical Linux

        user / fan.
        • nope

          far as i can tell i am more a 'typical' linux user (assuming there is such a thing) than lg is and i think lg is an idiot if the posts are serious... failed humourist/bad shill is my bet
    • Why would Microsoft need to scare anyone

      Most people who use Firefox are running Windows in the first place.
    • MS doesn't need to deploy those scare tactics.

      Guys like you scare them away, beating MS to the punch. In order to be a successful advocate, you need to learn communication skills. I would suggest you go back to grade school.
      • MS doesn't need to deploy those scare tactics

        Which planet have you been on for the last few weeks? It's what they use all the time; patent violations seem to be the latest ploy
        • They don't

          Just listening to a bunch of OSS jihadists will scare normal people away. Do stay on topic. Patents are another issue. He was saying MS was talking trash and the extensions are fine.
  • Gosh, Firefox extensions have been outed for being vulnerable...

    Any "new" news Ryan?
    • Commercial Extensions.

      You failed to notice that the extensions under the control of the Mozilla Foundation are OK. The problem is with the commercial extensions. It comes down to a trusted repository, like all malware out there.

      Since "those extension upgrades listed above are done from sites that cannot be trusted", it would seem that downloading from untrusted sites is not a very good idea. It's a good thing that downloading from untrusted sites is only a Firefox problem, otherwise, things could get out of hand.

      Imagine if I embedded malware into a cool screensaver and someone downloaded and installed it. Purely hypothetical mind you.

      • So, by your reasoning, Google cannot be trusted then!

        Mind you, a lot of people already knew that...
  • Seems Firefox has made some great strides

    out of obscurity. It's now quickly becoming overly bloated, slow and you can't run any add-ons w/o creating major security holes.

    Makes IE look all the more sleek, fast and secure.