Student details flaw in Firefox add-ons

By

As users await the latest Mozilla Firefox patches, expected to be released today, absent will likely be a fix for a new remote vulnerability in browser extensions reported by a University of Indiana graduate student.

Student details flaw in Firefox add-ons
Christopher Soghoian said on his blog today that a flaw exists in the "upgrade mechanism" used in Firefox extensions, or add-ons that lend additional functionality to the browser - namely third-party toolbars.

"The vulnerability is made possible through the use of a man-in-the-middle attack, a fairly old computer security technique," Soghoian wrote today.

"Essentially, an attacker must somehow convince your machine that he is really the update server for one or more of your extensions, and then the Firefox browser will download and install the malicious update without alerting the user to the fact that anything is wrong."

In lieu of a fix, Soghoian suggests users remove or disable Firefox extensions except those downloaded from the official Mozilla add-ons site.

Mike Shaver, Mozilla's director of ecosystem development, told SCMagazine.com in a statement that the users of Mozilla-hosted add-ons are not at risk. He instead pinned the blame on the third-party providers.

"Users of add-ons that are insecurely hosted/updated are vulnerable to remote code execution if their network is compromised," he said. "We strongly encourage the providers of such add-ons to remedy their hosting situation promptly to minimize the exposure to the users of their software."

Soghoian added that many of the third-parties who provide the extensions, such as Yahoo, Google and Facebook, were notified of the bug but have yet to release a patch.

Meanwhile, Mozilla is expected to push out the latest updates for Firefox today.

The fixes also mark the last release for version 1.5, for which support ends today, according to the Mozilla Developer Center site. Firefox 1.5.0.12 contains a component that can automatically upgrade users to version 2.0 of the alternative browser.

The company suggested that all users download the latest version to "benefit from features that make search, communication and online security more effective."

The updates will be detailed here.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident

Log In

  |  Forgot your password?