Feeds

Insecure plug-ins pose danger to Firefox users

Add-ons add security threat

Beginner's guide to SSL certificates

Such requests could be intercepted by an attacker, if the victim used a wireless network or an untrusted wired network, he said. In particular, an attacker that had access to or control over the local domain name service (DNS) server could easily subvert the patch process. The attacker could then respond to the update request with a malicious add-on that could monitor the victim's internet connection and steal sensitive information.

The Mozilla Foundation acknowledged the issue, but stressed that any updates downloaded from its servers user SSL and are checked against a hash.

"We strongly recommend that add-on developers require SSL for updates to prevent the attack described above," Window Snyder, chief security officer for Mozilla, stated in a post to the group's developer blog.

The Mozilla Foundation released on Wednesday a patch for both version 1.5 and version 2.0 of the browser, fixing a critical memory corruption flaw.

Ironically, an amateur developer coding up a plug-in for Firefox will be much less likely to have to worry about the issue than a large company. Because most smaller developers use the Mozilla Foundation's Add-ons download site, they are more likely to be secure.

Google, for example, not only uses an unsecured connection to check for and download updates, but also suppresses any notification that an update is being installed, Soghoian said. The company has already created a patch and will automatically be updating Google Toolbar users soon, a representative said.

"We were notified of a potential vulnerability in some updates for Firefox extensions," the representative said in a statement sent to SecurityFocus. "A fix was developed for the Google extensions and users will be automatically updated with the patch shortly. We have received no reports that this vulnerability was exploited."

Soghoian, who spent last summer interning at Google, hopes that the search giant will also reconsider its decision to update users without notification. Firefox users now need to take a critical look at the third-party add-ons installed on their browser, and having as much information as possible helps, Soghoian said.

"As a matter of general policy, vendors really should not have their software silently install updates without asking the user's permission - it is asking for trouble," he stated in his advisory.

The Mozilla development team is currently considering ways that they could prevent insecure updates in the next version of the browser, Firefox 3.0, the group said on its blog.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.