A major security
flaw in various
third-party extensions has given Firefox a bit
of a black eye even though the browser is not vulnerable. A number
of other issues in the browser itself caused a security release
which kept Firefox in the news. Unfortunately, after the release,
even more vulnerabilities were reported. One would have to guess that it has not
been the best week or so for the Firefox security team.
A large number of extensions - including toolbars for Google, Yahoo, Facebook
and others - are susceptible to a man-in-the-middle attack that allows
arbitrary code execution within the browser. The vulnerability exploits
the update mechanism built into the extensions by providing malicious code
as an update. An attacker that can control the DNS answers received by a
victim can redirect the update queries from the extensions to a server under
the attacker's control. The code provided gets installed, silently in many
cases; it will then run as part of the browser with all of the capabilities
of an extension.
Situations where one may not be able to trust the DNS answers received
are far more common than people realize. Using a public
or unencrypted wireless network is probably the most common vulnerable
situation, but home routers that have been subverted either
through a vulnerability or
because the owner never changed the default password can also leave an
opening for an attack. Because the extensions typically check for updates
frequently, there are lots of opportunities to provide them with bad code.
There are any number of nasty things that a browser extension can do:
keystroke logging, email reading, spamming, bank transfers, subscribing
to LWN.net, etc. This is truly a situation that one wants
to avoid. Vendors of these extensions have in many cases (with Google being
specifically called out in the vulnerability announcement) bypassed the
default Firefox prompt that would at least alert users that new code was
being installed. Users running those extensions have no defense and need to
delete them from the browser while awaiting a fix from the vendor.
The open source extensions that are available at
https://addons.mozilla.org are not
vulnerable because of the use of SSL to prevent an attacker's host
masquerading as the update server. The SSL certificate presented by
the attacker's server will not pass muster with the browser so the malicious
update will not be installed. This is the fix that the vulnerable
extensions will have to implement. It is not particularly technically
difficult, more of a logistics headache to roll out new code to millions
of users. It may also require some infrastructure improvements to be able
to support encrypted connections for that many users.
Millions of users at risk for all manner of browser mayhem may make the
fixes in the most recent
by comparison but there are some serious issues there as well. The most
important fix, rated as critical by Mozilla, fixes potentially
flaw that allows cross-site scripting using the
having a high impact.
A few days after the release, Michal Zalewski was up to his usual tricks by
reporting two vulnerabilities
in Firefox, one that he rates as a major vulnerability, the other as
the browser behave badly which is yet another reason to look into the
Thor Larholm also
had some bad news for the Firefox team shortly after the release when
he reported that a patch
that went into the 126.96.36.199 release only partially fixed the problem
for Windows platforms while doing nothing to prevent the problem for
Linux and other UNIX versions. The directory traversal vulnerability allows
any local files accessible to the browser user with the name known by
the attacker to be read via the resource:// URL handler.
The information in the file could then be transmitted to any site visited.
We can probably expect an update from the Firefox team for this particular
problem relatively soon.
to post comments)