Firefox extension vulnerabilities

Browser extensions, or add-ons, typically provide extra functionality, beyond that which the browser provides, but that comes with a price: increased vulnerability potential. The recent disclosure of five separate vulnerabilities in Firefox extensions serves as a reminder that extensions occupy a privileged position within the browser. That position makes flaws in extensions particularly dangerous, as they generally will allow an attacker's code to run with all the privileges of the user running the browser.

The vulnerabilities were disclosed by Nick Freeman and Roberto Suggi Liverani of Security-Assessment.com, a New Zealand-based web and network security firm. In doing research for a DEFCON presentation [PDF], they found flaws in the following Firefox extensions: Feed Sidebar, ScribeFire, WizzRSS, CoolPreviews, and Update Scanner. The flaws were found between February and June of this year, and the presentation lists three more that have yet to be disclosed.

All five of the flaws have something in common: in one way or another, they take content from a remote site and handle it incorrectly within the privileged Mozilla "chrome" context. For example, the Feed Sidebar extension incorrectly handles the RSS <description> tags, such that a malicious site could do cross-site scripting (XSS) or HTML injection into the chrome trusted zone. That would allow the remote site to potentially perform any action the browser could: access the filesystem, retrieve web site passwords, execute programs, and so on.

The presentation has several proof-of-concept examples; the one associated with Feed Sidebar steals all of the login credentials and sends them off to a remote site. Another example using the ScribeFire extension sets up a reverse VNC session so that an attacker could view the desktop of the browser user. Yet another uses XSS to send a copy of /etc/passwd off to a remote site. These are all very potent exploits that could be used to seriously compromise users' privacy and security.

There are certainly more of these problems out there (beyond even the three undisclosed, thus presumably unpatched, vulnerabilities). Part of the problem is that the "Mozilla extension security model is nonexistent", according to Freeman and Liverani's presentation. All extensions are treated as completely trusted code by Firefox. In addition, there are no security boundaries between the extensions, so one can quietly modify another. They also note that other Mozilla applications that allow extensions (e.g. Thunderbird) are also susceptible to these kinds of vulnerabilities.

Many Firefox extensions are available through addons.mozilla.org (AMO), but the researchers point out that extension developers, and the AMO reviewers, are not necessarily security experts, so bugs like these may slip through. They also note that the NoScript extension, with its XSS protection, may be giving a false sense of security. NoScript whitelists chrome: URLs, which means that it provides no protection against malicious or buggy extensions.

In many ways, it should come as no surprise that there are bugs—and security holes—in Firefox extensions, but it is a problem that has largely flown under the radar. Malicious extensions, downloaded from sites other than AMO, are a fairly well-understood vector for attack—at least to users who are somewhat security-conscious. Extensions that have, or appear to have, the "blessing" of AMO are a bit of a different story. Many users, even those who pay attention to security issues, may well expect that those extensions are rigorously vetted, which seems not to be the case.

There is no reason to believe that these vulnerabilities were anything other than "standard" programming errors, but those with a malicious intent probably could sneak vulnerabilities into AMO extensions—perhaps they have already done so. The presentation lists two plausible scenarios for how malware authors might get vulnerabilities introduced into extensions, particularly popular or recommended extensions.

This research gives us yet another attack vector to be worried about, but there is also some useful information on what to look for in extensions that could lead to these kinds of flaws. With luck, that will help reduce the number of extensions with holes. That still leaves us with the worry about malicious extension authors. Without a more rigorous review of extensions—even that won't find every flaw—there is little that can be done. It is a problem that will likely be with us for quite some time.