(Updated) Remote vulnerability in high-profile Firefox extensions


Today is Firefox Patch Day, but even after you install the latest security updates from Mozilla, those browser extensions you use and love could put you at risk of code execution attacks.


According to independent researcher Christopher Soghoian (of boarding-pass hacker fame), there is a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions that lets an attacker covertly install malware that runs within the Firefox browser.

In a detailed advisory, Soghoian lists the following high-profile add-ons as vulnerable:
  • Google Toolbar
  • Google Browser Sync
  • Yahoo Toolbar
  • Del.icio.us Extension
  • Facebook Toolbar
  • AOL Toolbar
  • Ask.com Toolbar
  • LinkedIn Browser Toolbar
  • Netcraft Anti-Phishing Toolbar
  • PhishTank SiteChecker
The vast majority of add-ons hosted at Mozilla's official repository (https://addons.mozilla.org) are not vulnerable. But because the extensions listed above fetch their upgrades from their own servers over connections that cannot be trusted, millions of Firefox users are sitting ducks for man-in-the-middle attacks, Soghoian said. (Soghoian has posted a QuickTime movie demonstrating the attack.)
Essentially, an attacker must somehow convince the victim's machine that he is the update server for one or more installed extensions; Firefox will then download and install the malicious update without alerting the user that anything is wrong. Firefox does at least prompt the user when extension updates are available, but some commercial extensions (including those made by Google) have disabled this prompt and update silently, without giving the user any say in the matter. A DNS-based man-in-the-middle attack does not work against an update server that uses SSL. An SSL certificate binds a domain name to a public key, not to an IP address: Firefox checks that the certificate the server presents matches the host name it asked for and chains to a trusted certificate authority, and the attacker cannot produce such a certificate for the real update host because he holds neither its private key nor a valid certificate for its name. Redirecting the DNS lookup to the attacker's machine therefore gets him a connection that Firefox rejects before any update is fetched. A plain-http update server gives Firefox nothing to check, which is the whole problem.
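The practical question for a Firefox user or administrator is which installed extensions actually point at an unauthenticated update channel. The script below is an added example, not code from Soghoian's advisory or from this post: it parses extension install.rdf manifests, classifies each one by how its em:updateURL is fetched, and lists the add-ons an on-path attacker could feed a bogus update. The sample manifests, add-on ids and update hosts are constructed for the example; the treatment of em:updateKey as marking a signed-manifest channel is an assumption made here for the "signed" case mentioned in the del.icio.us response.

```python
"""Audit Firefox extension install.rdf manifests for insecure update channels.

A Firefox 2-era extension names its own update server in em:updateURL.
If that URL is plain http://, the browser fetches the update manifest (and
from it the new XPI) with no authentication of the server, so anyone who can
answer for that hostname on the local network can push a malicious update.
No updateURL at all means Firefox asks addons.mozilla.org over https.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
MANIFEST_ABOUT = "urn:mozilla:install-manifest"

# Constructed sample manifests: the add-on ids and update hosts are made up.
_RDF_OPEN = ('<?xml version="1.0"?>\n<RDF xmlns="%s" xmlns:em="%s">\n'
             '  <Description about="%s">\n' % (RDF_NS, EM_NS, MANIFEST_ABOUT))
_RDF_CLOSE = "  </Description>\n</RDF>"
SAMPLE_MANIFESTS = {
    "plaintext-toolbar": _RDF_OPEN
        + "    <em:id>toolbar@plaintext.example.net</em:id>\n"
        + "    <em:updateURL>http://updates.plaintext.example.net/update.rdf</em:updateURL>\n"
        + _RDF_CLOSE,
    "tls-toolbar": _RDF_OPEN
        + "    <em:id>toolbar@tls.example.net</em:id>\n"
        + "    <em:updateURL>https://updates.tls.example.net/update.rdf</em:updateURL>\n"
        + _RDF_CLOSE,
    "amo-hosted": _RDF_OPEN
        + "    <em:id>hosted@amo.example.net</em:id>\n"
        + _RDF_CLOSE,
}


def _manifest_description(root):
    """Find the Description node that carries the install manifest."""
    for desc in root.iter("{%s}Description" % RDF_NS):
        # 'about' is usually unprefixed (no namespace); some manifests use RDF:about
        about = desc.get("about") or desc.get("{%s}about" % RDF_NS)
        if about == MANIFEST_ABOUT:
            return desc
    raise ValueError("no urn:mozilla:install-manifest Description found")


def _em_property(desc, name):
    """Read an em: property written either as a child element or as an attribute."""
    tag = "{%s}%s" % (EM_NS, name)
    child = desc.find(tag)
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(tag)


def classify_update_channel(install_rdf_xml):
    """Return (addon_id, verdict, update_url) for one install.rdf document.

    verdict is one of:
      "amo-default"    no updateURL; Firefox queries addons.mozilla.org over https
      "https"          manifest fetched over SSL; a MITM cannot present a
                       certificate that matches the real host name
      "http-signed"    plain http, but an em:updateKey is declared, so the update
                       manifest must carry a signature (assumption, see lead-in)
      "http-unsigned"  plain http and no updateKey: the vulnerable case
      "other"          anything else (ftp://, file://, malformed URL)
    """
    desc = _manifest_description(ET.fromstring(install_rdf_xml))
    addon_id = _em_property(desc, "id")
    update_url = _em_property(desc, "updateURL")
    update_key = _em_property(desc, "updateKey")

    if not update_url:
        return addon_id, "amo-default", None
    scheme = urlparse(update_url).scheme.lower()
    if scheme == "https":
        return addon_id, "https", update_url
    if scheme == "http":
        return addon_id, ("http-signed" if update_key else "http-unsigned"), update_url
    return addon_id, "other", update_url


def audit_manifests(manifests):
    """Return the ids of add-ons whose update channel can be hijacked on the wire."""
    hijackable = []
    for xml_text in manifests.values():
        addon_id, verdict, _ = classify_update_channel(xml_text)
        if verdict in ("http-unsigned", "other"):
            hijackable.append(addon_id)
    return sorted(hijackable)


if __name__ == "__main__":
    for name, xml_text in SAMPLE_MANIFESTS.items():
        addon_id, verdict, url = classify_update_channel(xml_text)
        print("%-18s %-14s %s  %s" % (name, verdict, addon_id, url or "(addons.mozilla.org)"))
    print("hijackable:", audit_manifests(SAMPLE_MANIFESTS))
```

To run it against a real profile, feed `classify_update_channel` the contents of each `extensions/<id>/install.rdf` (or the install.rdf inside each `.xpi`); anything reported as "http-unsigned" is an extension the advisory's attack applies to, and the advice above, uninstall it or get it from addons.mozilla.org, follows directly.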
Soghoian warns that Firefox users are most vulnerable when using a public or unencrypted wireless network, a wireless or wired router that's been hacked through a drive-by pharming attack or when using a 'network hub' in an office/school setting. In the advisory, Soghoian recommends that Firefox users uninstall all extensions that have not been downloaded from the official Mozilla site. Users of the Google Pack suite of software are most likely vulnerable, as this includes the Google Toolbar for Firefox, he said. Read the full advisory for technical details and the disturbing responses from some big-name vendors. More from Ryan Singel at Threat Level and Brian Krebs at Security Fix. [UPDATE #1: May 30, 2007 @ 3:53 PM] A response from Yahoo's del.icio.us in the Talkback section:
I'm the product manager for the del.icio.us extensions, and I just wanted to say that our new 1.5 extension was never vulnerable to this attack, and we patched the older 1.2 release as soon as we heard about the issue at the beginning of May. Current 1.2 users should have received notification when launching Firefox and will get the signed version of the extension when accepting the update. As of early May, all official del.icio.us extensions are signed and hosted on addons.mozilla.org and are served over SSL as a result.
[UPDATE #2: May 30, 2007 @ 5:13 PM] Mozilla security chief Window Snyder has joined Soghoian in recommending that add-on developers require SSL for updates. Snyder also says that the next major Firefox revision will look at ways to block this attack vector:
For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels and investigating ways to universally improve updates for add-ons. There are a number of options being considered, all of which are designed to make it easy to write secure add-ons.