5/26/2009 02:35 PM

Firefox Extension Malware Raises Security Questions

Mozilla's reliance on diligent cleanup, rather than catching malicious add-ons before they reach the public, has rankled some in the security community.

Mozilla's commitment to secure software products is coming into question after a recent incident involving malicious add-on software.

Earlier this month, the lack of security oversight in the Mozilla Firefox add-on community became apparent when Adblock Plus developer Wladimir Palant criticized Giorgio Maone, creator of the JavaScript-blocking extension NoScript, for altering NoScript to interfere with Adblock Plus.

Though Maone subsequently apologized, the issue of evil extensions has not gone away. Last week, security researcher Duarte Silva proposed the portmanteau "maldon," not to be confused with the salt brand, to describe ffspy, his proof-of-concept malicious add-on for Firefox.

Mozilla insists that it's committed to safeguarding user security, privacy, and control.

Following the Adblock-NoScript controversy, Mozilla add-ons lead Nick Nguyen said in an e-mail, "Moving forward we're paying special attention to ensure changes of this sort are caught through things like monitoring the community and remaining accessible so we can react quickly when problems arise. In the case of NoScript, as soon as the problem was identified and elevated, corrective action was taken. We can also retroactively block any add-ons that we find malicious."

But Mozilla's commitment is more along the lines of diligent cleanup rather than catching malicious add-ons before they reach the public. To date, its approach has worked well enough. The question is whether something more proactive, such as a security review of code submitted to AMO (addons.mozilla.org), might become necessary as malware authors experiment with malicious add-ons or try to subvert trusted developers.

Attempts to do the latter have been reported by several Firefox add-on developers already.

Silva insists that developing a distinct malicious add-on isn't even necessary "because Firefox isn't able to verify if an add-on is compromised or not." He used NoScript as an example, but the point is that many add-ons could be vulnerable to being altered to hijack information.

Silva's PoC involves editing NoScript's XUL overlay file, a form of XML used by Mozilla to describe interface layouts. In conjunction with other JavaScript files, the altered add-on can be made to intercept HTTP requests and to report data posted through HTML forms, such as a user name and password, to a remote server.

As malware, this PoC isn't particularly dangerous because any attacker with sufficient access to alter an overlay file can already do pretty much anything to the system in question. But it does demonstrate another avenue for harm following a security breach.
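An added example (not from the article, Silva, or Mozilla) of the integrity check Silva says Firefox lacks: it records SHA-256 hashes of an add-on's files as a trusted baseline and later reports any overlay or script that was altered, added, or removed. The add-on layout it builds is a constructed stand-in, not NoScript's real files.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(ext_dir: str) -> dict:
    """Map each file's path (relative to the add-on root) to its SHA-256."""
    root = Path(ext_dir)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(ext_dir: str, baseline: dict) -> dict:
    """Compare the add-on on disk against a trusted baseline manifest."""
    current = build_manifest(ext_dir)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed sample: a minimal add-on layout is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "sample-addon"  # constructed stand-in, not a real add-on
        content = root / "chrome" / "content"
        content.mkdir(parents=True)
        overlay = content / "overlay.xul"
        overlay.write_text("<overlay xmlns='http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul'/>")
        (content / "main.js").write_text("// original add-on logic\n")
        baseline = build_manifest(str(root))  # taken at install time, stored out of reach
        # Simulate the tampering the article describes: overlay edited, extra script dropped in
        overlay.write_text(overlay.read_text() + "<!-- edited after install -->")
        (content / "extra.js").write_text("// file that was not part of the install\n")
        return verify_manifest(str(root), baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the add-on directory's writer cannot reach, otherwise whoever edits the overlay can update the manifest too.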

In a blog post last Thursday about Silva's PoC code, security researcher Rafal Los urged Mozilla to re-examine its plug-in security architecture. "What really matters is that the attack surface of Firefox is laid bare through the plug-in/extension architecture, which in my humble opinion is fundamentally flawed from a security perspective," he said.
