Firefox Extension Malware Raises Security Questions - InformationWeek
5/26/2009 02:35 PM


Mozilla's reliance on diligent cleanup, rather than on catching malicious add-ons before they reach the public, has rankled some in the security community.

Mozilla's commitment to secure software products is coming into question after a recent incident involving a malicious add-on.

Earlier this month, the lack of security oversight in the Mozilla Firefox add-on community became apparent when Adblock Plus developer Wladimir Palant criticized Giorgio Maone, creator of the JavaScript-blocking extension NoScript, for altering NoScript to interfere with Adblock Plus.

Though Maone subsequently apologized, the issue of evil extensions has not gone away. Last week, security researcher Duarte Silva proposed the portmanteau "maldon," not to be confused with the salt brand, to describe ffspy, his proof-of-concept malicious add-on for Firefox.

Mozilla insists that it's committed to safeguarding user security, privacy, and control.

Following the Adblock-NoScript controversy, Mozilla add-ons lead Nick Nguyen said in an e-mail, "Moving forward we're paying special attention to ensure changes of this sort are caught through things like monitoring the community and remaining accessible so we can react quickly when problems arise. In the case of NoScript, as soon as the problem was identified and elevated, corrective action was taken. We can also retroactively block any add-ons that we find malicious."

But Mozilla's commitment is more along the lines of diligent cleanup rather than catching malicious add-ons before they reach the public. To date, its approach has worked well enough. The question is whether something more proactive, such as a security review of code submitted to AMO (addons.mozilla.org), might become necessary as malware authors experiment with malicious add-ons or try to subvert trusted developers.

Attempts to do the latter have been reported by several Firefox add-on developers already.

Silva insists that developing a distinct malicious add-on isn't even necessary "because Firefox isn't able to verify if an add-on is compromised or not." He used NoScript as an example, but the point is that many add-ons could be vulnerable to being altered to hijack information.

Silva's PoC involves editing NoScript's XUL overlay file, a form of XML used by Mozilla to describe interface layouts. In conjunction with other JavaScript files, the altered add-on can be made to intercept HTTP requests and to report data posted through HTML forms, such as a user name and password, to a remote server.

As malware, this PoC isn't particularly dangerous because any attacker with sufficient access to alter an overlay file can already do pretty much anything to the system in question. But it does demonstrate another avenue for harm following a security breach.
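The weakness Silva points to is that Firefox does not check whether an installed add-on's files still match what was installed. A simple defensive counterpart is a file-integrity manifest: hash every file in the add-on directory at install time, then re-verify later and report anything modified, added or removed. The following is an added example written for this article, not code from Mozilla, NoScript or ffspy; the add-on layout it builds (install.rdf, a XUL overlay and a script) is a constructed stand-in, and the "tampering" step only edits the overlay, drops a harmless extra file and deletes the install manifest so the three kinds of change are visible.

```python
"""Detect tampering of an installed Firefox add-on by hashing its files.

Added example (not from the article or any real extension). It lays out a
throwaway add-on directory, records a SHA-256 manifest at "install time",
alters the directory, and re-verifies against the recorded manifest.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the directory's current state against a recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "removed": sorted(k for k in manifest if k not in current),
    }


def write_demo_addon(root: Path) -> None:
    """Lay out a minimal, constructed add-on (not a real extension)."""
    content = root / "chrome" / "content"
    content.mkdir(parents=True)
    (root / "install.rdf").write_text("<RDF><!-- constructed install manifest --></RDF>\n")
    (content / "overlay.xul").write_text(
        '<?xml version="1.0"?>\n'
        '<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">\n'
        '  <script src="overlay.js"/>\n'
        "</overlay>\n"
    )
    (content / "overlay.js").write_text("// constructed add-on script\n")


def demo() -> dict:
    """Record a baseline, then simulate an on-disk change and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_demo_addon(root)
        baseline = build_manifest(root)
        clean = verify_manifest(root, baseline)

        # Simulated tampering (constructed): the overlay is edited,
        # an extra file appears, and the install manifest disappears.
        overlay = root / "chrome" / "content" / "overlay.xul"
        overlay.write_text(overlay.read_text() + "<!-- edited after install -->\n")
        (root / "chrome" / "content" / "added.js").write_text("// file not in baseline\n")
        (root / "install.rdf").unlink()

        tampered = verify_manifest(root, baseline)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for state, result in demo().items():
        print(state, result)
```

The check only helps if the recorded manifest is kept somewhere the attacker cannot reach with the same access used to edit the overlay, for example signed, or stored outside the profile directory; otherwise, as the article notes, whoever can alter the add-on can alter the manifest too.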

In a blog post last Thursday about Silva's PoC code, security researcher Rafal Los urged Mozilla to re-examine its plug-in security architecture. "What really matters is that the attack surface of Firefox is laid bare through the plug-in/extension architecture, which in my humble opinion is fundamentally flawed from a security perspective," he said.

