Unwary Users Make Firefox Easy Prey

Installing the wrong extension could turn Firefox into a sitting duck. For security experts, version control -- and a watchful eye over what's on users' systems -- are just as important here as anyplace else.

As spyware, viruses and Trojan horses continue to find their way through Internet Explorer's overstressed defenses, many users inside and outside the corporate world have moved to Mozilla's Firefox Web browser. But Firefox fans got a dose of reality last month when some serious security flaws were found in the alternative browser, as well as in a popular add-in.

The add-in, called Greasemonkey, is designed to let users customize the way Web sites behave when viewed. It wasn't designed to let malicious Web developers see and read the contents of a user's disk--but that's exactly what the flaw permitted. To their credit, Greasemonkey developers published a partial fix for the flaw just a little more than a week after its disclosure, a more adroit response than the ones that typically come out of Redmond.

Of course, any software extension can be an avenue for security vulnerabilities, and Firefox extensions are no exception. Recently, a defect was uncovered in a rather innocuous Firefox function for setting an image as wallpaper on the user's system. With a properly crafted image file, a malicious Web developer could exploit the flaw to run any type of code, just by getting the user to set that image as wallpaper with the proper context menu. Mozilla has updated the software to fix this particular flaw.

Firefox's flaws by nature are serious, especially in a corporate environment, where the biggest threat to data security remains a lack of user caution. Both of the recently exposed vulnerabilities can allow an intrusion by exploiting the simple desire of most users to "make it mine," personalizing the way their systems look and act.

Internet Explorer, by virtue of its immense installed base, remains the preferred target of black hats. And Microsoft, thanks to its slow adoption of some security fixes, hasn't done the best job of addressing users' and administrators' fears. But network administrators operate at their own peril if they let users stampede to alternatives such as Firefox with the mistaken impression that those are magically "safe."

If you're deploying Firefox--or any user-extensible software, for that matter--in your network, you must maintain version control and a watchful eye over the application of updates and patches. If you're the security expert, you should know more about what's on your users' systems than the hackers do.
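One way to keep that watchful eye in practice is to audit each Firefox profile's extension inventory against an approved list. The script below is an added example, not code from the article: it reads the `addons` array that Firefox writes to a profile's `extensions.json`, using a constructed sample in place of a real file, and the extension IDs, minimum versions and allowlist are illustrative placeholders, not real product data.

```python
"""Audit a Firefox profile's extension inventory against an approved list.

Constructed sample data stands in for <profile>/extensions.json; the IDs,
minimum versions and allowlist are placeholders chosen for illustration."""
import json
import re
from typing import List, Tuple

# Constructed sample resembling the "addons" array in extensions.json
# (only the fields this audit uses are included).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "greasemonkey@example.invalid", "version": "0.3.3",
     "type": "extension", "active": True},
    {"id": "adblock@example.invalid", "version": "1.2",
     "type": "extension", "active": True},
    {"id": "unknown-tool@example.invalid", "version": "2.0",
     "type": "extension", "active": True},
    {"id": "theme@example.invalid", "version": "1.0",
     "type": "theme", "active": True},
    {"id": "disabled@example.invalid", "version": "0.1",
     "type": "extension", "active": False},
]})

# Allowlist: extension id -> minimum approved version (placeholder values).
POLICY = {
    "greasemonkey@example.invalid": "0.3.5",
    "adblock@example.invalid": "1.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '0.5.3b' into a comparable tuple of
    integers; trailing letters are ignored, so '0.5.3b' -> (0, 5, 3)."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def audit(extensions_json: str) -> List[Tuple[str, str, str]]:
    """Return (id, version, finding) for every active extension that is
    either absent from the allowlist or older than its approved minimum.
    Themes and disabled add-ons are skipped."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active", True):
            continue
        ext_id, version = addon.get("id", "?"), addon.get("version", "0")
        minimum = POLICY.get(ext_id)
        if minimum is None:
            findings.append((ext_id, version, "not on allowlist"))
        elif parse_version(version) < parse_version(minimum):
            findings.append((ext_id, version, f"below minimum {minimum}"))
    return findings


if __name__ == "__main__":
    for ext_id, version, finding in audit(SAMPLE_EXTENSIONS_JSON):
        print(f"{ext_id} {version}: {finding}")
```

Run against a real profile, the loop would read `extensions.json` from each user's profile directory instead of the constructed sample.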
