Student details flaw in Firefox add-ons

By

As users await the latest Mozilla Firefox patches, expected to be released today, absent will likely be a fix for a new remote vulnerability in browser extensions reported by a University of Indiana graduate student.

Student details flaw in Firefox add-ons
Christopher Soghoian said on his blog today that a flaw exists in the "upgrade mechanism" used in Firefox extensions, or add-ons that lend additional functionality to the browser - namely third-party toolbars.

"The vulnerability is made possible through the use of a man-in-the-middle attack, a fairly old computer security technique," Soghoian wrote today.

"Essentially, an attacker must somehow convince your machine that he is really the update server for one or more of your extensions, and then the Firefox browser will download and install the malicious update without alerting the user to the fact that anything is wrong."

In lieu of a fix, Soghoian suggests users remove or disable Firefox extensions except those downloaded from the official Mozilla add-ons site.

Mike Shaver, Mozilla's director of ecosystem development, told SCMagazine.com in a statement that the users of Mozilla-hosted add-ons are not at risk. He instead pinned the blame on the third-party providers.

"Users of add-ons that are insecurely hosted/updated are vulnerable to remote code execution if their network is compromised," he said. "We strongly encourage the providers of such add-ons to remedy their hosting situation promptly to minimize the exposure to the users of their software."

Soghoian added that many of the third-parties who provide the extensions, such as Yahoo, Google and Facebook, were notified of the bug but have yet to release a patch.

Meanwhile, Mozilla is expected to push out the latest updates for Firefox today.

The fixes also mark the last release for version 1.5, for which support ends today, according to the Mozilla Developer Center site. Firefox 1.5.0.12 contains a component that can automatically upgrade users to version 2.0 of the alternative browser.

The company suggested that all users download the latest version to "benefit from features that make search, communication and online security more effective."

The updates will be detailed here.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
addonsdetailsfirefoxflawinloomingpatchreleasesecuritystudentwith

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?