Firefox Extension Malware Raises Security Questions

Mozilla's reliance on diligent cleanup, rather than on catching malicious add-ons before they reach the public, has rankled some in the security community.

Thomas Claburn, Editor at Large, Enterprise Mobility

May 26, 2009


Mozilla's commitment to secure software products is coming into question after a recent incident involving a malicious add-on.

Earlier this month, the lack of security oversight in the Mozilla Firefox add-on community became apparent when Adblock Plus developer Wladimir Palant criticized Giorgio Maone, creator of the JavaScript-blocking extension NoScript, for altering NoScript to interfere with Adblock Plus.

Though Maone subsequently apologized, the issue of evil extensions has not gone away. Last week, security researcher Duarte Silva proposed the portmanteau "maldon," not to be confused with the salt brand, to describe ffspy, his proof-of-concept malicious add-on for Firefox.

Mozilla insists that it's committed to safeguarding user security, privacy, and control.

Following the Adblock-NoScript controversy, Mozilla add-ons lead Nick Nguyen said in an e-mail, "Moving forward we're paying special attention to ensure changes of this sort are caught through things like monitoring the community and remaining accessible so we can react quickly when problems arise. In the case of NoScript, as soon as the problem was identified and elevated, corrective action was taken. We can also retroactively block any add-ons that we find malicious."

But Mozilla's commitment amounts to diligent cleanup rather than to catching malicious add-ons before they reach the public. To date, its approach has worked well enough. The question is whether something more proactive, such as a security review of code submitted to AMO, might become necessary as malware authors experiment with malicious add-ons or try to subvert trusted developers.

Attempts to do the latter have been reported by several Firefox add-on developers already.

Silva insists that developing a distinct malicious add-on isn't even necessary "because Firefox isn't able to verify if an add-on is compromised or not." He used NoScript as an example, but the point is that many add-ons could be vulnerable to being altered to hijack information.

Silva's PoC involves editing NoScript's XUL overlay file, a form of XML used by Mozilla to describe interface layouts. In conjunction with other JavaScript files, the altered add-on can be made to intercept HTTP requests and to report data posted through HTML forms, such as a user name and password, to a remote server.

As malware, this PoC isn't particularly dangerous because any attacker with sufficient access to alter an overlay file can already do pretty much anything to the system in question. But it does demonstrate another avenue for harm following a security breach.
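Silva's point that Firefox could not verify whether an installed add-on had been altered is the defender's takeaway here. The following is an added example, not code from the article or from Mozilla or Silva: it takes a SHA-256 baseline of an add-on's XUL overlay and JavaScript files (the files the PoC edits) and later reports which were modified, added, or removed. The add-on directory layout and file names are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

# File types the PoC tampers with: XUL overlays and the JavaScript they load.
WATCHED_SUFFIXES = (".xul", ".js")


def build_manifest(ext_dir):
    """Map each watched file (path relative to ext_dir) to its SHA-256 hex digest."""
    manifest = {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if name.endswith(WATCHED_SUFFIXES):
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    manifest[os.path.relpath(path, ext_dir)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_manifest(ext_dir, baseline):
    """Compare the directory against a baseline; return (modified, added, missing) paths."""
    current = build_manifest(ext_dir)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return modified, added, missing


def demo():
    """Constructed add-on tree: baseline at install time, then a changed overlay and an extra script."""
    with tempfile.TemporaryDirectory() as ext_dir:
        content = os.path.join(ext_dir, "chrome", "content")
        os.makedirs(content)
        overlay = os.path.join(content, "overlay.xul")
        with open(overlay, "w") as fh:
            fh.write('<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">\n</overlay>\n')
        with open(os.path.join(content, "main.js"), "w") as fh:
            fh.write("// original add-on logic\n")
        baseline = build_manifest(ext_dir)  # would be stored at install time
        # Simulate post-install tampering: the overlay is edited and a new script appears.
        with open(overlay, "a") as fh:
            fh.write("<!-- edited after install -->\n")
        with open(os.path.join(content, "extra.js"), "w") as fh:
            fh.write("// file not present at install time\n")
        return verify_manifest(ext_dir, baseline)


if __name__ == "__main__":
    print(json.dumps(demo()))
```

A real deployment would store the baseline outside the profile directory, since an attacker who can edit the overlay can just as easily edit a manifest kept beside it.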

In a blog post last Thursday about Silva's PoC code, security researcher Rafal Los urged Mozilla to re-examine its plug-in security architecture. "What really matters is that the attack surface of Firefox is laid bare through the plug-in/extension architecture, which in my humble opinion is fundamentally flawed from a security perspective," he said.


About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
