A New Vector For Hackers -- Firefox Add-Ons

Makers of some of the most popular extensions, or "add-ons," for Mozilla's Firefox Web browser may have inadvertently introduced security holes that criminals could use to steal sensitive data from millions of users.

By design, each Firefox extension -- any of a number of free software add-ons that can be installed into the popular open-source browser -- carries in its install manifest a fixed update URL. Firefox periodically fetches that URL from the creator's update server, and the answer tells the browser whether a newer version of the add-on is available and where to download it.

Mozilla has always provided a free hosting service for open-source extensions at addons.mozilla.org. But many third-party makers opt to serve updates on their own, using servers that often transmit both the update check and the update itself over a plain, unauthenticated connection (think http:// instead of https://).

As a result, an attacker who hijacks a public Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly trivial attack given the myriad free, point-and-click hacking tools available today -- can also sit in the middle of this update process: when Firefox asks the add-on's update server whether a new version exists, the attacker answers in the server's place and hands the browser a malicious add-on instead of the real one.
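The mechanism described above can be made concrete with a small audit. The following Python is an added example, not code from the article, from Soghoian or from Mozilla: it parses the two manifests involved in an add-on update (the install.rdf shipped inside the add-on, whose em:updateURL names the update server, and the update.rdf that server returns, whose em:updateLink names the new .xpi) and reports each point at which an on-path attacker such as the hot-spot hijacker above can substitute his own data. The manifest contents, the add-on id toolbar@example.com and the host updates.example.com are constructed for the example; the element names and Firefox's application id are real. It also handles a case the article does not spell out: a digest pinned in a manifest (the em:updateHash field that later Firefox versions support) protects nothing when that manifest itself arrived over plain http, because whoever forges the manifest also chooses the hash.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces Firefox extension manifests are written in.
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

# Constructed install.rdf, the manifest shipped inside an add-on's .xpi.
# The add-on id and the updates.example.com host are invented for this
# example; the element names are the ones Firefox reads.
INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@example.com</em:id>
    <em:version>1.2</em:version>
    <em:updateURL>http://updates.example.com/toolbar/update.rdf</em:updateURL>
  </Description>
</RDF>
"""

# Constructed update.rdf: what the creator's server answers when Firefox
# polls the updateURL above. The em:id under targetApplication is Firefox's
# real application id.
UPDATE_RDF = """<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description about="urn:mozilla:extension:toolbar@example.com">
    <em:updates><RDF:Seq><RDF:li><RDF:Description>
      <em:version>1.3</em:version>
      <em:targetApplication><RDF:Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>2.0</em:minVersion>
        <em:maxVersion>2.0.0.*</em:maxVersion>
        <em:updateLink>http://updates.example.com/toolbar/toolbar-1.3.xpi</em:updateLink>
      </RDF:Description></em:targetApplication>
    </RDF:Description></RDF:li></RDF:Seq></em:updates>
  </RDF:Description>
</RDF:RDF>
"""

# Same manifest, but pinning a (made-up) digest of the .xpi via em:updateHash.
UPDATE_RDF_WITH_HASH = UPDATE_RDF.replace(
    "</em:maxVersion>",
    "</em:maxVersion>\n        <em:updateHash>sha256:0123456789abcdef</em:updateHash>")


def _text(node):
    return node.text.strip() if node is not None and node.text else ""


def update_url(install_rdf):
    """Return the em:updateURL the add-on polls, or "" if it relies on Mozilla's hosting."""
    return _text(ET.fromstring(install_rdf).find(".//" + EM + "updateURL"))


def update_entries(update_rdf):
    """Return (version, updateLink, updateHash) for every update offered in an update.rdf."""
    entries = []
    for item in ET.fromstring(update_rdf).iter(RDF + "li"):
        version = _text(item.find(".//" + EM + "version"))
        for target in item.iter(EM + "targetApplication"):
            entries.append((version,
                            _text(target.find(".//" + EM + "updateLink")),
                            _text(target.find(".//" + EM + "updateHash"))))
    return entries


def audit(install_rdf, update_rdf):
    """List each way an on-path attacker can subvert this add-on's update chain."""
    findings = []
    url = update_url(install_rdf)
    # No updateURL means the add-on uses Mozilla's own service; treat that as https.
    manifest_scheme = urlsplit(url).scheme if url else "https"
    if manifest_scheme != "https":
        findings.append("updateURL %s is fetched over %s: the update manifest can be forged"
                        % (url, manifest_scheme))
    for version, link, digest in update_entries(update_rdf):
        scheme = urlsplit(link).scheme
        if scheme == "https":
            continue
        if digest and manifest_scheme == "https":
            continue  # plain-http download, but pinned by a hash from an authenticated manifest
        findings.append("update %s is downloaded from %s over %s with no trustworthy hash: "
                        "the .xpi can be replaced" % (version, link, scheme))
    return findings


if __name__ == "__main__":
    secure_install = INSTALL_RDF.replace("http://updates", "https://updates")
    for label, inst, upd in [("plain http everywhere", INSTALL_RDF, UPDATE_RDF),
                             ("http manifest, hash pinned", INSTALL_RDF, UPDATE_RDF_WITH_HASH),
                             ("https manifest, hash pinned", secure_install, UPDATE_RDF_WITH_HASH)]:
        print(label + ":", audit(inst, upd) or "ok")
```

Run against a real add-on, the same two calls take the install.rdf unzipped from the installed .xpi and the update.rdf fetched from its updateURL; anything the audit reports is exactly what the hot-spot attacker gets to replace.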

According to Chris Soghoian, the Indiana University doctoral candidate who discovered the weakness, the vulnerability exists for some of the most popular Firefox add-ons, including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions. Ironically, at least two of the toolbars listed here are designed to help protect users from new security threats.

The problem is especially dangerous with Google's toolbar. Firefox usually alerts users that new versions of installed add-ons are available and gives them the option to decline or accept the updates. But Soghoian said Google's toolbar (which Google bundles with the Firefox downloads it distributes itself) updates without any such prompt.

"Typically, when Firefox sees that an update for any installed extension becomes available, upon next browser restart Firefox will prompt the user 'do you wish to install the update,'" Soghoian said. "However, Google disabled this, and thus, if Firefox sees that there is an update for any google made extension, upon next restart, Firefox automatically downloads and installs the update without prompting the user."

Soghoian details his research on his blog. He has a video demo of the hack here (it's a QuickTime movie).

Interestingly, the same attack against any other poorly secured add-on prompts the user to take action before the malicious update is installed. While most people, when prompted to update their extensions, would probably still click "OK," it's a notable distinction nonetheless. See this video for an example of the same attack against a regular, unsecured add-on.

At this point, a number of security-wise readers will likely say, "So what? Hijacked or just plain old evil Wi-Fi hot spots are a known security threat." While that's certainly true, this is a new vector for exploiting that threat. What's more, the methods for hijacking the domain name system (DNS) -- the service that translates names such as an update server's host name into network addresses, and so decides where a browser's requests actually go, on wired and wireless networks alike -- are well understood and easy to execute with publicly available tools.

Finally, there's something else that makes this threat even more worrisome. Security Fix has long urged Windows users to avoid running their system under the all-powerful "administrator" account for every day use. Instead, users are urged to set up "limited user" accounts that make it far more difficult for malicious software to be silently installed on their PCs. That's because limited user accounts generally do not have permission to install new software or modify key system settings.

But this attack against ill-secured, third-party Firefox add-ons would succeed regardless of which type of account the Windows user is using. That's because Firefox extensions are installed into the user's own Firefox profile directory, which even a limited account can write to, so neither installing nor updating an extension requires permission to install software system-wide.

Soghoian has published the responses (or lack thereof) that he received from each of the above-named extension makers. Most have not fixed the problem on their end. Google said it planned to have the vulnerability corrected by today's date, but over the weekend the company asked Soghoian to delay publishing his findings for a few days more while the company worked on a solution. Soghoian declined that request, saying he didn't think it was appropriate for Google to ask for a delay after ignoring his e-mails for 30 days.

UPDATE, 1:35 p.m. ET: Google got back to Security Fix today about the Firefox vulnerability. Here's what the company had to say: "We were notified of a potential vulnerability in some updates for Firefox extensions. A fix was developed for the Google extensions and users will be automatically updated with the patch shortly. We have received no reports that this vulnerability was exploited."

Dan Veditz, a member of Mozilla's security team, said the company's add-on documentation originally did not advise third-party developers to host updates on secured servers, although the group has modified the documentation to include that recommendation after being contacted by Soghoian.

"This is the sort of folkloric knowledge we just assumed everyone who is trying to do this would know," Veditz said. "It's a basic security concept, that if you're going to update your software from somewhere, do it over a secured channel."

Veditz added that Mozilla is seriously considering blocking all unsecured add-on updates in Firefox 3, the next version of the browser, currently slated for release toward the end of the year.
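One way a browser could enforce the rule Veditz describes, as an added example written for this page and not Mozilla's code: decide whether to apply a downloaded update based on where its manifest and its payload came from. The policy is an assumption of the example: the manifest must have been fetched over https, and the payload is accepted only if it too came over https or matches a digest pinned in that authenticated manifest (the "sha256:<hex>" form of Firefox's em:updateHash field). The .xpi bytes, the manifest fields and the u.example.com URLs are constructed inline.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for a downloaded add-on (.xpi files are zip archives,
# hence the PK header) and for what the hot-spot attacker swaps in for it.
GENUINE_XPI = b"PK\x03\x04" + b"constructed toolbar-1.3.xpi contents"
TAMPERED_XPI = b"PK\x03\x04" + b"attacker-supplied extension contents"

# The pinned digest as it would appear in the update manifest: "sha256:<hex>".
UPDATE_HASH = "sha256:" + hashlib.sha256(GENUINE_XPI).hexdigest()

# Only digests still considered collision-resistant are honoured; anything
# else (md5, sha1, a made-up name) is treated as no hash at all.
ACCEPTED_ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_update_hash(value):
    """Split 'algo:hex' into (hash constructor, hex digest), or None if unusable."""
    algo, sep, digest = value.partition(":")
    if not sep or algo not in ACCEPTED_ALGORITHMS or not digest:
        return None
    return ACCEPTED_ALGORITHMS[algo], digest.lower()


def decide(manifest_url, update_link, update_hash, payload):
    """Return (accept, reason) for an update the browser has just downloaded."""
    if urlsplit(manifest_url).scheme != "https":
        # Everything below (link, hash) was read from this manifest, so none of it is trusted.
        return False, "update manifest was not fetched over https"
    if urlsplit(update_link).scheme == "https":
        return True, "payload fetched over https"
    if not update_hash:
        return False, "payload fetched over plain http and the manifest pins no hash"
    parsed = parse_update_hash(update_hash)
    if parsed is None:
        return False, "unsupported hash in updateHash: " + update_hash
    ctor, expected = parsed
    actual = ctor(payload).hexdigest()
    # Constant-time comparison on bytes, so a non-ASCII manifest value cannot raise.
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        return False, "payload digest %s... does not match pinned %s..." % (actual[:12], expected[:12])
    return True, "payload matches hash pinned in authenticated manifest"


if __name__ == "__main__":
    manifest = "https://u.example.com/toolbar/update.rdf"
    link = "http://u.example.com/toolbar/toolbar-1.3.xpi"
    for label, args in [("genuine payload", (manifest, link, UPDATE_HASH, GENUINE_XPI)),
                        ("swapped payload", (manifest, link, UPDATE_HASH, TAMPERED_XPI)),
                        ("http manifest", ("http://u.example.com/update.rdf", link, UPDATE_HASH, GENUINE_XPI)),
                        ("no hash, http link", (manifest, link, "", GENUINE_XPI))]:
        print(label + ":", decide(*args))
```

The point the example makes is the ordering of the checks: the scheme of the manifest is tested before anything read from the manifest is used, because a hash or link taken from a forged manifest is the attacker's, not the author's.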

By Brian Krebs | May 30, 2007; 5:01 AM ET
Categories: From the Bunker, Latest Warnings, Safety Tips

Comments

OK, so IE stinks. Netscape isn't much better. I'm not willing to buy a Mac just so I can surf safely...used to have Macs, but just can't justify the cost premium. Now we have problems w/Firefox...where's a guy to go???

Posted by: 22202 | May 30, 2007 9:25 AM

I was wondering how this extension help the attacker ;)
http://azurit.elbiahosting.sk/ffsniff/


Posted by: MitmWatcher | May 30, 2007 9:28 AM

I agree that if someone hijacks a Wi-Fi hot spot and manipulates DNS requests the game is over for an unknowing user. As you mention that's not only true for the add-ons, that's true for nearly all downloads and requests made from this machine, which can then be manipulated. You could even use Drive-By Pharming to manipulate the DNS settings in an automated fashion.

One remark that I would add is, being able to install a malicious add-on is equal to executing a Trojan. An extension can do a lot more than just nicely format a Web page, as Soghoian mentions as well. Read and write local files, read and write the Windows registry and open network sockets are just some of the powers an extension has, and these on multiple platforms. This could for example be used to bypass two-factor authentication or to do any other sort of mischief.
As mentioned here as well:
http://www.symantec.com/enterprise/security_response/weblog/2006/10/extending_good_and_evil.html

Another thought to keep in mind is, what would happen if someone uploaded a malicious extension update to the real upload server? Be it by hacking into the server or simply by owning the extension. Do you check the source of all downloaded updates or do you manually disable all the updates?

Posted by: Candid | May 30, 2007 9:32 AM

Quote: "where's a guy to go???"

Answer: to Linux or BSD.

Posted by: random walk | May 30, 2007 9:47 AM

Hmmm....I just right-clicked on the Google icon, clicked on customize and dragged to "cut" . The Google icon is now gone from my toolbar. Does that mean Google has been disabled in my Firefox?

Posted by: Duke | May 30, 2007 11:10 AM

Google Toolbar has completely messed up my computer and the worst part is that it won't delete! Any tips? Every time I remove it from my computer it says it will complete removal upon restart, but never does.

Posted by: DC | May 30, 2007 12:01 PM

Candid> Read and write local files, read and write the Windows registry and open network sockets are just some of the power an extension has and these on multiple platforms.

In fact, an extension can do anything the user can do, because it can execute arbitrary programs. There is also the password manager; extensions have full access to any saved urls, userids, and passwords, and can transmit them to third parties at will.

While this is an important issue, and I'm glad Brian is pointing it out, there remains a good deal of risk due simply to extensions with vulnerabilities in them. Since extensions often process data from untrusted sources into other actions, people who control web content can exploit vulnerabilities in extensions. In some cases, this leads to arbitrary code execution.

random walk> Answer: to Linux or BSD.

This is 100% wrong. I mean, Linux and BSD are certainly superior choices for the general security problem, but in this case they are no help at all. Extensions are written in Javascript and chrome, which are completely platform independent. The only benefit, extension-wise, to not using Windows in this particular scenario is that an extension that invokes an external program will have to be written slightly differently to complete an attack on any other OS, but this is not difficult, and an attack against an extension can easily be polymorphous enough to handle this.

Posted by: antibozo | May 30, 2007 12:06 PM

You can run Firefox in "Safe-mode" without any extensions/add-ons if you are worried about this. This shortcut is installed by default next to the regular Firefox one, at least on Windows. I use Firefox like this when I'm working on things that I really don't want hijacked, as the add-ons are more likely to be hijackable than Firefox itself.

Posted by: Wilbur | May 30, 2007 12:14 PM

I think this gets to a point that Microsoft got right before it got it horribly wrong. The ActiveX debacle happened for two reasons: 1) Microsoft purposely un-sandboxed IE to let it serve as a Windows-centric development platform to compete with Java
2) Microsoft assumed (this being the mid-to-late 90s, when public-key encryption was just being adopted by mainstream businesses) that some sensible code/executable-signing mechanism would come forth so that people could sign code based on trust networks. The trust networks part turned out to be waaaaay more difficult than MS presumed. So ActiveX controls basically can be installed untrammeled.

Firefox, though thankfully less deeply embedded into the OS is now running into the same problem. Either the Internet develops a trusted authority to manage installation of things that can see any sort of personal (i.e. useful) data or all code has to be complete sandbox for seeing any useful data, or you'll end up with the same attack vector.

The problem seems to be that the trust network concept became subject to a closed-standard control battle that other parts of the Internet were born early enough to miss (e.g. DNS, TCP/IP, etc. - all basically open standards). This needs to be run by IETF or someone similar, not by Verisign/Microsoft or Google/CA or whatever. The fact that the descendant of DomainKeys has moved towards adoption is fairly promising, but we're still a long way from where we need to be.

Posted by: Eric E | May 30, 2007 12:28 PM

Eric E, while you make some good points, I don't understand why you're suggesting that the code signing problem is difficult or involves proprietary methods.

Extensions are already in jar files. There's an established method for signing jar files. Problem solved, no?

As far as the PKI goes, well, if mozilla.org is going to be the authority, they'll have to do the actual signing. They already act as a gatekeeper, however, so this is just an augmentation of their existing procedures.

Posted by: antibozo | May 30, 2007 12:33 PM

DC> Everytime I remove it from my computer it says it will complete removal upon restart, but never does.

Try quitting Firefox, locating the directory in your Mozilla profile directory that contains the Google toolbar extension, and moving this directory elsewhere.

Posted by: antibozo | May 30, 2007 12:38 PM

Okay, so I've been using Firefox thinking it's a much safer alternative to IE. Is that still the case? If I'm accessing sensitive information, such as online banking, which browser is safest? Are there steps I can take with Firefox in the mean-time (remove add-ons?) and if so, how do I do it? Please help!

Posted by: KS | May 30, 2007 12:41 PM

You'll save yourself hundreds of dollars in grief by just getting a Mac and not have to worry about whether these add-ons and other evil things will destroy your computer. I finally caved and bought an iMac - yeah, it was more expensive - but I figure the ridiculous experience I had with a Windows XP laptop and a desktop PC I bought a few years back justified the extra $300 I spent. My time is too precious to spend it de-bugging and troubleshooting evil malware on a machine.

Posted by: PU | May 30, 2007 1:03 PM

@22202:
>>Now we have problems w/Firefox...where's a guy to go???

Evidently, one should minimize the number of Firefox add-ons running, and also disable their auto-updating. (I long ago disabled Firefox's checking for all updates.)
http://www.mozilla.org/support/firefox/options#advanced

Posted by: Mark Odell | May 30, 2007 1:11 PM

Mark Odell> also disable their auto-updating

If you think that the threat of a MITM attack against the update process is greater than the threat of a vulnerability in one of your extensions being exploited, then disabling auto-updates for Firefox and extensions makes sense.

I don't agree with that part of the assessment, personally, at least for most people. There's a lot of code in extensions, and DNS-based MITM attacks remain relatively rare. Of course there are numerous reasons one shouldn't perform any system maintenance while connected to an untrusted wireless access point. I recommend all system maintenance be conducted over a wired connection. But for someone who is minimalist about installing extensions and who follows a regular manual update regimen, while keeping an eye on published vulnerabilities, disabling auto-updates might be okay.

Posted by: antibozo | May 30, 2007 1:35 PM

One reason I bought a Mac (Macbook with Core Duo) was the permissions issue with Windows -- Microsoft is just too free with letting anyone install software on your computer.

But while Mac will prompt you for permission to load software, how do you know the software that's loading is legitimate?

It's safer, but there's still a big problem with trusting these Add-Ons.

Posted by: chrisviking | May 30, 2007 1:39 PM

In Firefox/Tools/Options/Advanced/Update, does unchecking the boxes for "Installed Extensions" and "Search Engines" and selecting the button for "Ask me what to do" provide any safety from this vulnerability?

Posted by: Doug Johnson | May 30, 2007 1:44 PM

antibozo,
Good point on the .jar signing mechanism. I'm not intimately familiar with that mechanism, but isn't the problem basically that most small publishers sign either with nothing or with a self-generated cert? From what I've seen, this occurs because a) it's hard to actually get the whole certifying authority thing straight when you're just an individual developer, and b) the certs are pretty expensive. Has .jar signing solved this in some way I don't know about?

Posted by: Eric E | May 30, 2007 2:12 PM

I'm the product manager for the del.icio.us extensions, and I just wanted to say that our new 1.5 extension was never vulnerable to this attack, and we patched the older 1.2 release as soon as we heard about the issue at the beginning of May. Current 1.2 users should have received notification when launching Firefox and will get the signed version of the extension when accepting the update. Also, as of early May, all official del.icio.us extensions are hosted on addons.mozilla.org and are properly signed and served over SSL.

-Nick

Posted by: Nick Nguyen | May 30, 2007 3:30 PM

Doug Johnson> In Firefox/Tools/Options/Advanced/Update, does unchecking the boxes for "Installed Extensions" and "Search Engines" and selecting the button for "Ask me what to do" provide any safety from this vulnerability?

I would leave the checkboxes checked, but select the "Ask me what to do" radio. At least then you will know when legitimate updates are available. If you want more confidence as to their veracity, check that the new version matches on addons.mozilla.org, and check multiple times over a couple of days before you commit the upgrade.

Posted by: antibozo | May 30, 2007 5:15 PM

Eric E, re jar signing, no there's no magic--just an embedded signature file in a defined path in the jar file. Here are two offhand scenarios with manageable cost:

1. addons.mozilla.org signs everything. This obviates the distribution path issue; developers need to get new versions signed by mozilla, but the updates can then be distributed from anywhere.

2. Each extension provides a self-signed certificate and a self-update method that checks the downloaded update using the embedded certificate from the previous install. The trick here would be rollover of certificates if someone skipped an intermediate update but I suspect a workable strategy is possible.

I'd lean toward 1 just because I can imagine some add-on developers not being able to figure out 2.

Anyway, further discussion is warranted, and I'm sure a lot of it's happened already in other venues. But look at how things like Java WebStart handle code signing for reference.

Posted by: antibozo | May 30, 2007 9:19 PM

speaking of Firefox - I'm a Mac user, and I just noticed some malware which took over my Firefox browser - something called "drivecleaner.com"

Does anybody have any idea about what's happening? A quick search suggests this is more of a Windows problem, but I'm alarmed to see that Firefox has these vulnerabilities, and I was wondering if I managed to catch a Mac virus.

Posted by: mac user | May 31, 2007 5:04 AM

I'm a Mac user who also runs Firefox, and I just noticed a new malware pop-up "drivecleaner.com"

I did a quick search and it looks like this is more of a Windows problem, but considering this news about Firefox, I was wondering - have I managed to catch a Mac virus?

Posted by: mac user | May 31, 2007 5:09 AM

So, don't add the extensions. Is there anything you can't do without the add-ons? Shouldn't your security system/anti-malware programs block anything unusual? Sacrifice speed for safety.

Posted by: buzzvader | May 31, 2007 9:02 AM

If you can hijack a hot spot and manipulate DNS, you can vector a lot more attacks than this.

Posted by: DBH | May 31, 2007 10:13 AM

"This is the sort of folkloric knowledge we just assumed everyone who is trying to do this would know,"

It's this sort of bad attitude by security experts that prevents the general development community from adopting secure practices.

Do NOT assume that everyone knows what the right thing to do is.

It's difficult enough to educate developers in a single organization where you can have consistent education efforts, but to ASSUME that every plug-in creator/hobbyist knows all the best security practices is a recipe for disaster.

DA

Posted by: DA | May 31, 2007 3:10 PM

The Google Toolbar is not bundled with Firefox. At least not with any setup you download from Mozilla.

FUD

Posted by: Anonymous | May 31, 2007 5:07 PM

MitmWatcher> Thanks for the info on ffsniffer. It should still work. And it should still work on all platforms with just a few tweaks. The only weakness is the email account - you usually need a password, and even if you don't the email address sits there plain as day. They have awfully tight perms on those folders (directories) and files.

mac user> I don't think you have anything to fear with drivecleaner.com infecting a Mac, but they also do browser exploits. But more to the point, every blocking hosts file out there blocks them (ergo, put a blocking hosts file on your Mac):

http://www.mvps.org/winhelp2002/hosts.htm
http://www.hostsfile.org/hosts.html
http://sysctl.org/cameleon/hosts

The second has a Pseudo Web Server (phttpd), but no Mac owner will volunteer to provide for an automatic launchd startup so you will have to do a sudo nohup ./phttpd & every time you log in. Approximately 25% of the entries in those files are JavaScript, Java, or other web browser exploits which have no respect for any OS (works on all of them).

Brian> Thanks for the heads up. They can't ignore it any more. I am especially unhappy about the PhishTank and Netcraft problems (no I don't have them - but they are supposed to help people). I think people that use Firefox should adopt the motto that "less is more" (less extensions is more secure).

All> Sorry, but Netscape isn't just a little bit better. For the vast majority of people it is a much safer browser than all the rest. It is just that all those wonderful plugins that are available for Firefox that you think you need (and unfortunately IE provided some whether you want them or not) aren't usually available for Netscape. Do you really need all of the plugins you have? But even worse, do you really need your browser to keep all of the information forever? I advise you to toss everything when the browser closes.

Posted by: hhhobbit | June 2, 2007 9:56 AM

Re:
>>>>If you can hijack a hot spot and manipulate DNS, you can vector a lot more attacks than this.
Posted by: DBH<<<<

When you use an open hotspot, or any foreign network actually, it is a very good idea to manually configure your computer (in the TCP/IP properties page) to use trusted third-party DNS servers, like those at openDNS.com, instead of those assigned by the foreign network. These are their free, open DNS servers:

* 208.67.222.222
* 208.67.220.220

For more complete security, also use a proxy server with SSL.

Posted by: HoD | June 2, 2007 12:46 PM

Well, like everything else, the more plumbing you add to the program, the easier it will be to clog it.
I use FF. I have Google.com set as my homepage, (it loads VERY fast), I also primarily use gmail so I do not have to have anything else open. FF has a google search bar built into it, so I guess I do not see the need to download an add on for it.
I try and teach this time and time again, and I will try to teach it here:
Use the K.I.S.S. principle.
Keep It Simple and Stupid
You do not need all of the toolbar add-ons. Do not be a "lazy" surfer.

Posted by: PapaSmurf | June 4, 2007 11:05 PM

Too late to ask this question?
I just created a limited user and found that I am like a babe in the woods on the internet.
No web site knows me, no passwords, no cookies, even no bookmarks. It would take hours to set up things so they work for me under the other logon. It may be a great thing to do a new computer. Is there anyway to overcome this problem?

Posted by: max3a | June 5, 2007 1:26 PM

Max3a -- Your best bet is to change your normal (admin) account over to a limited account, and continue using that. You need to have at least one administrator account on every Windows PC, so you may need to change the otherwise useless limited account you created over to an admin account before reversing what you've done. Does that make sense?

Posted by: Bk | June 5, 2007 6:11 PM


© 2010 The Washington Post Company