Mozilla's practice of diligently cleaning up malicious add-ons after the fact, rather than catching them before they reach the public, has rankled some in the security community.
Mozilla's commitment to secure software products is coming into question after a recent incident involving malicious add-on software.
Though Maone subsequently apologized, the issue of evil extensions has not gone away. Last week, security researcher Duarte Silva proposed the portmanteau "maldon," not to be confused with the salt brand, to describe ffspy, his proof-of-concept malicious add-on for Firefox.
Mozilla insists that it's committed to safeguarding user security, privacy, and control.
Following the Adblock-NoScript controversy, Mozilla add-ons lead Nick Nguyen said in an e-mail, "Moving forward we're paying special attention to ensure changes of this sort are caught through things like monitoring the community and remaining accessible so we can react quickly when problems arise. In the case of NoScript, as soon as the problem was identified and elevated, corrective action was taken. We can also retroactively block any add-ons that we find malicious."
But Mozilla's commitment is more along the lines of diligent cleanup rather than catching malicious add-ons before they reach the public. To date, its approach has worked well enough. The question is whether something more proactive, such as a security review of code submitted to AMO (addons.mozilla.org), might become necessary as malware authors experiment with malicious add-ons or try to subvert trusted developers.
Attempts to do the latter have been reported by several Firefox add-on developers already.
Silva insists that developing a distinct malicious add-on isn't even necessary "because Firefox isn't able to verify if an add-on is compromised or not." He used NoScript as an example, but the point is that many add-ons could be vulnerable to being altered to hijack information.
As malware, this PoC isn't particularly dangerous because any attacker with sufficient access to alter an overlay file can already do pretty much anything to the system in question. But it does demonstrate another avenue for harm following a security breach.
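One defensive check that follows from Silva's point is to baseline the installed add-on's files and flag any later change to an overlay or script. The example below is added here and is not code from Silva's PoC, NoScript, or Mozilla; the add-on layout it baselines is a constructed sample.

```python
"""Integrity baseline for an installed Firefox add-on directory (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Constructed minimal legacy-style add-on: an install manifest, an XUL overlay
# and the script it loads. Sample content only, not taken from any real add-on.
SAMPLE_ADDON = {
    "install.rdf": "<RDF>constructed install manifest</RDF>",
    "chrome/content/overlay.xul": "<overlay><script src='main.js'/></overlay>",
    "chrome/content/main.js": "// legitimate add-on code (constructed)",
}

def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def diff_manifest(baseline, current):
    """Classify differences between a trusted baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def write_files(root, files):
    """Materialise the constructed add-on under root."""
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

def demo():
    """Baseline the constructed add-on, alter its overlay, and report the change."""
    with tempfile.TemporaryDirectory() as root:
        write_files(root, SAMPLE_ADDON)
        baseline = build_manifest(root)  # taken when the install is still trusted
        # Simulated post-install change: the overlay now loads an extra script
        # that was never part of the trusted install (constructed content).
        (Path(root) / "chrome/content/overlay.xul").write_text(
            "<overlay><script src='main.js'/><script src='extra.js'/></overlay>")
        (Path(root) / "chrome/content/extra.js").write_text("// constructed")
        return diff_manifest(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

The baseline would be recorded at install time (ideally signed or stored outside the profile); a non-empty `modified` or `added` list on a later scan is the alert condition.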
In a blog post last Thursday about Silva's PoC code, security researcher Rafal Los urged Mozilla to re-examine its plug-in security architecture. "What really matters is that the attack surface of Firefox is laid bare through the plug-in/extension architecture, which in my humble opinion is fundamentally flawed from a security perspective," he said.