Christopher Soghoian said on his blog today that a flaw exists in the "upgrade mechanism" used in Firefox extensions, or add-ons that lend additional functionality to the browser - namely third-party toolbars.
"The vulnerability is made possible through the use of a man-in-the-middle attack, a fairly old computer security technique," Soghoian wrote today.
"Essentially, an attacker must somehow convince your machine that he is really the update server for one or more of your extensions, and then the Firefox browser will download and install the malicious update without alerting the user to the fact that anything is wrong."
In lieu of a fix, Soghoian suggests users remove or disable Firefox extensions except those downloaded from the official Mozilla add-ons site.
Mike Shaver, Mozilla's director of ecosystem development, told SCMagazine.com in a statement that the users of Mozilla-hosted add-ons are not at risk. He instead pinned the blame on the third-party providers.
"Users of add-ons that are insecurely hosted/updated are vulnerable to remote code execution if their network is compromised," he said. "We strongly encourage the providers of such add-ons to remedy their hosting situation promptly to minimize the exposure to the users of their software."
Soghoian added that many of the third-parties who provide the extensions, such as Yahoo, Google and Facebook, were notified of the bug but have yet to release a patch.
Meanwhile, Mozilla is expected to push out the latest updates for Firefox today.
The fixes also mark the last release for version 1.5, for which support ends today, according to the Mozilla Developer Center site. Firefox 220.127.116.11 contains a component that can automatically upgrade users to version 2.0 of the alternative browser.
The company suggested that all users download the latest version to "benefit from features that make search, communication and online security more effective."
The updates will be detailed here.
Student details flaw in Firefox add-ons
By Dan Kaplan on May 30, 2007 5:35PM