Unwary Users Make Firefox Easy Prey - InformationWeek

Unwary Users Make Firefox Easy Prey

Installing the wrong extension could turn Firefox into a sitting duck. For security experts, version control -- and a watchful eye over what's on users' systems -- are just as important here as anyplace else.

As spyware, viruses and Trojan horses continue to find their way through Internet Explorer's overstressed defenses, many users inside and outside the corporate world have moved to Mozilla's Firefox Web browser. But Firefox fans got a dose of reality last month when some serious security flaws were found in the alternative browser, as well as in a popular add-in.

The add-in, called Greasemonkey, is designed to let users customize the way Web sites behave when viewed. It wasn't designed to let malicious Web developers see and read the contents of a user's disk--but that's exactly what the flaw permitted. To their credit, Greasemonkey developers published a partial fix for the flaw just a little more than a week after its disclosure, a more adroit response than the ones that typically come out of Redmond.

Of course, any software extension can be an avenue for security vulnerabilities, and Firefox extensions are no exception. Recently, a defect was uncovered in a rather innocuous Firefox function for setting an image as wallpaper on the user's system. With a properly crafted image file, a malicious Web developer could exploit the flaw to run any type of code, just by getting the user to set that image as wallpaper with the proper context menu. Mozilla has updated the software to fix this particular flaw.

Firefox's flaws by nature are serious, especially in a corporate environment, where the biggest threat to data security remains a lack of user caution. Both of the recently exposed vulnerabilities can allow an intrusion by exploiting the simple desire of most users to "make it mine," personalizing the way their systems look and act.

Internet Explorer, by virtue of its immense installed base, remains the preferred target of black hats. And Microsoft, thanks to its slow adoption of some security fixes, hasn't done the best job of addressing users' and administrators' fears. But network administrators operate at their own peril if they let users stampede to alternatives such as Firefox with the mistaken impression that those are magically "safe."

If you're deploying Firefox--or any user-extensible software, for that matter--in your network, you must maintain version control and a watchful eye over the application of updates and patches. If you're the security expert, you should know more about what's on your users' systems than the hackers.


Get more information on the Greasemonkey vulnerability

Read the ISS listing on the Firefox wallpaper vulnerability

Browse a comprehensive list of Firefox vulnerabilities
