The Active Network
  Remote vulnerability in high-profile Firefox extensions
Time: 13:57 EST/18:57 GMT | News Source: ZDNet | Posted By: Robert Stein

Today is Firefox Patch Day but even after you install the latest security updates from Mozilla, those browser extensions you use and love could put you at risk of code execution attacks. According to independent researcher Christopher Soghoian (of boarding pass hacker fame), there’s a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions that lets an attacker covertly install malware that runs within the Firefox browser.

  Displaying 1 through 25 of 164
#1 By 32132 (142.32.208.234) at 5/30/2007 2:27:36 PM
The good news ... Firefox 1.5 is DEAD, DEAD, DEAD!!!

The bad news ... Firefox 2.0 will be collecting hundreds of severe security patches.

#2 By 37047 (216.191.227.68) at 5/30/2007 3:25:02 PM
#1: It looks like only a very, very small percentage of Firefox plugins are affected. Specifically, only those NOT hosted on https://addons.mozilla.org.

From the article:

A vulnerability exists in the upgrade mechanism used by a number of high profile Firefox extensions. These include Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions.

...

The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.


---------------------------------------------------------------------

The latest version of the Del.icio.us Extension has been fixed as of early May, and the previous version is also fixed. I have no information on any of the other affected plugins.

So, of the 2 dozen or so plugins I have installed, only 1 is vulnerable. That makes me still feel safer than when I have to use Internet Exploder.


#3 By 32132 (142.32.208.234) at 5/30/2007 4:03:56 PM
#2 IE7 on Vista runs in protected mode, which makes it much, much less vulnerable than Firefox.

#3 So, after 45 days notice, only one of the high profile plugins is safe? That would not make me feel secure.

"Unlike the research suggests, McAfee SiteAdvisor is actually worse than any of these other major extensions. It periodically downloads completely unauthenticated code from McAfee's server, which it then executes with the same privileges as your browser.

Not only does this backdoor allow McAfee to do whatever they please with your computer, but a hacker can run any malicious code on your system without you ever noticing by simply spoofing the URL http://www.siteadvisor.com/download/safe/safe.js"

http://blog.wired.com/27bstroke6/2007/05/google_yahoo_fa.html


I am awaiting news of all the other Firefox security holes to be published today.

This post was edited by NotParker on Wednesday, May 30, 2007 at 16:06.

#4 By 23275 (24.179.4.158) at 5/30/2007 8:02:14 PM
#5, Funny.

At least we haven't heard tech journalists refer to their use of Firefox as an expression of their technical literacy of late. While I don't like to hear of security vulnerabilities in any software, the noise many well established industry journalists were making about the relative superiority of Firefox's security was sickening and made me all but welcome any analysis that was more balanced.

I assess that, given the use of securable objects in IE 7's Protected Mode on Vista, IE is the most secure browser available. And to digress somewhat, is anyone else tired of patching QuickTime? Which speaks to how much better the patch process is for end users of Windows Vista. I do hope that the FF/Moz team embraces securable objects and protected mode – it is open and available to them – let’s see if they can set their differences aside and move on this.

This post was edited by lketchum on Wednesday, May 30, 2007 at 20:03.

#5 By 37047 (216.191.227.68) at 5/31/2007 8:44:07 AM
#4, #6: IE7 in secure mode on Vista would mean something if everyone was running Vista. Since the vast majority are still using XP, then the Vista secure model for browsing, while nice, is meaningless in the context of what most people are running. Someday, that will be a valid argument, but not today. On XP, I have more faith in Firefox than I do in IE. There likely wouldn't even BE an IE7 if Microsoft hadn't started to feel the pinch from a significant percentage of IE6 users dropping it like a 5 year old rotten potato and switching to Firefox.

#6 By 32132 (66.183.202.89) at 5/31/2007 9:36:37 AM
#7 In a few months more people will be running Vista than Firefox. In the meantime, Firefox is still a sieve.

#7 By 15406 (216.191.227.68) at 5/31/2007 9:37:55 AM
#7: I'm not sure why MS fanboys would be crapping on Firefox. MS loves Firefox. So much so that they are a champion of Firefox and open source projects in general. Really.

http://port25.technet.com/archive/2007/05/18/business-as-usual.aspx


#8 By 15406 (216.191.227.68) at 5/31/2007 10:06:19 AM
Looking into this further, this is not a Firefox problem at all. Any app that talks over HTTP is susceptible to a man-in-the-middle attack, regardless of what's being done. It could just as easily be a 3rd-party toolbar in IE, or your favourite program that checks for updates via HTTP.

#9 By 37047 (216.191.227.68) at 5/31/2007 11:35:11 AM
#10: Technically, a man-in-the-middle attack can be performed with other protocols as well. RFID can be exploited with this, as well as many wireless protocols, etc. If a malicious person can intercept the packet, and alter it in a meaningful way, it can be exploited. This is why all such software update and information transmitting should be done using a secure and authenticated mechanism, such as SSL, or any number of other secure options. Since these particular addons are vulnerable BECAUSE they do not connect via a secure internet connection, they are vulnerable. This is browser independent, as you indicated. This is a problem with how some apps work. Period.

We will never convince the Microsoft fanboys that anything not made by Microsoft can be any good. So why bother trying.

#10 By 15406 (216.191.227.68) at 5/31/2007 11:49:15 AM
#11: I expect to hear crickets from here on in.

#11 By 37047 (216.191.227.68) at 5/31/2007 12:03:29 PM
Yeah, me too.

#12 By 23275 (24.179.4.158) at 5/31/2007 12:47:39 PM
<Burp> <Crunch.... sorry, stepped on a cricket - they're not bad, so long as they're dehydrated properly and they make a nice filler in certain breads...>

#12, #13 - You don't get it. I think the position is pretty clear: where Microsoft does decide to compete, they will, in most cases, produce a better product - eventually. If nothing else, they have demonstrated an amazing ability to not only respond to markets and change, but to cause and shape the same. Also, it isn't about advocacy at all. Advocacy does not necessarily require much of a pragmatic base - your posts are proof of that as I see it.

For me, and others that post here, it is about "use" - why, how, and where. Use of Microsoft software, because..... <the list is too long for this site's purposes> - but basically, because it works and works within itself <the ecosystem that is Microsoft, but also our own businesses and personal uses of technology>.

It is a Firefox problem - as part of the ecosystem, it makes sense for them to embrace securable objects and therefore, protected mode, for any application, and or process that faces the public networks and the Internet. To do otherwise serves customers, and advocates like yourselves, less well. It is there for them, and so far, they have not publicly embraced it.

#13 By 15406 (216.191.227.68) at 5/31/2007 1:39:38 PM
#14: No, I believe it is you that does not get it. This isn't about rich client experiences or MS making supposedly better products eventually, or any of your other buzzwords. This article & thread is about the potential pitfalls of MitM attacks over unsecured protocols. Saying FF is liable because they don't use Protected Mode is simply bizarre as this is not a browser-specific problem, but a problem that can affect any OS or app if it communicates outside the box or network. But, yet again, it turns into a Ketchum Tangent(tm) about using MS software in the ecosystem and how Vista is the answer to every problem.

#14 By 37047 (216.191.227.68) at 5/31/2007 2:11:55 PM
I think lketchum's nickname should be "The Magician", since he is always trying to distract everyone with misdirection and sleight of hand techniques.

This post was edited by MysticSentinel on Thursday, May 31, 2007 at 14:47.

#15 By 32132 (142.32.208.234) at 6/1/2007 12:10:17 PM
Cricket? It wasn't a cricket. It was the Firefox "Security Chief" admitting they screwed up by allowing non-https updates!

"This week there’s been some concern about updates that are distributed over non-SSL channels. Connections using HTTP (instead of HTTPS) can be redirected by an attacker to a hostile server and potentially install malicious code.

Add-ons that are hosted on the Mozilla Add-ons site are served over HTTPS and validated with a hash. These add-ons are not vulnerable to this attack. We strongly recommend that add-on developers require SSL for updates to prevent the attack described above.

For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels..."


Summarized in a couple of words "DUH ... we should have used HTTPS!!!! Especially when there is no authentication mechanism to prove it is the right add-on and considering these are all open source and the code is available for spoofing."

http://developer.mozilla.org/devnews/index.php/2007/05/30/add-on-updates

This post was edited by NotParker on Friday, June 01, 2007 at 12:10.
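The fix that #9 argues for and that the Mozilla quote in #15 describes (updates served over HTTPS and validated against a published hash) can be stated as a small checker. This is an added example, not code from the article, from Mozilla, or from any of the commenters; the descriptor field names mirror the `updateLink`/`updateHash` fields of Firefox update manifests (hash given as `algorithm:hexdigest`), and the hostname, payloads and `fetch` callables are constructed stand-ins.

```python
"""Added example: enforce HTTPS-only update URLs and verify the downloaded
package against its published hash before installing it.  Anything fetched
over plain HTTP is refused outright, because a man-in-the-middle can swap
the package and the client has no way to notice."""
import hashlib
import hmac
from urllib.parse import urlparse

ALLOWED_HASHES = {"sha1", "sha256", "sha512"}


class UpdateRejected(Exception):
    """Raised whenever an update must not be installed."""


def check_update_url(url: str) -> str:
    """Accept only https:// URLs that name a host; return the URL unchanged."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected(f"insecure update URL: {url}")
    return url


def parse_update_hash(field: str):
    """Split 'sha256:abcd...' into (algorithm, lowercase hex digest)."""
    algo, sep, digest = field.partition(":")
    algo = algo.lower()
    if not sep or algo not in ALLOWED_HASHES or not digest:
        raise UpdateRejected(f"unsupported hash field: {field!r}")
    return algo, digest.lower()


def verify_package(data: bytes, hash_field: str) -> bool:
    """True if the bytes hash to the published digest (constant-time compare)."""
    algo, expected = parse_update_hash(hash_field)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def apply_update(descriptor: dict, fetch) -> bytes:
    """Full check: HTTPS URL first, then the hash of what was actually fetched.
    `fetch` is any callable url -> bytes; a real client would use an HTTPS
    library with certificate verification enabled."""
    url = check_update_url(descriptor["updateLink"])
    data = fetch(url)
    if not verify_package(data, descriptor["updateHash"]):
        raise UpdateRejected("package hash mismatch; refusing to install")
    return data


# Constructed sample data: a "genuine" package and its published descriptor.
GENUINE_XPI = b"PK\x03\x04 constructed sample extension payload"
GENUINE_DESCRIPTOR = {
    "updateLink": "https://updates.example.invalid/toolbar-1.2.xpi",
    "updateHash": "sha256:" + hashlib.sha256(GENUINE_XPI).hexdigest(),
}
# Same package, but the vendor published a plain-HTTP update URL.
INSECURE_DESCRIPTOR = dict(GENUINE_DESCRIPTOR,
                           updateLink="http://updates.example.invalid/toolbar-1.2.xpi")


def honest_fetch(url):    # stand-in for an untampered download
    return GENUINE_XPI


def tampered_fetch(url):  # stand-in for a download modified in transit
    return b"PK\x03\x04 constructed modified payload"


def outcome(descriptor, fetch) -> str:
    """Summarise what the checker decides for one descriptor/download pair."""
    try:
        apply_update(descriptor, fetch)
        return "installed"
    except UpdateRejected as exc:
        return f"rejected: {exc}"
```

Running `outcome` over the three combinations shows the genuine HTTPS case installing, the HTTP descriptor rejected before any download is trusted, and the modified download rejected on the hash check.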

#16 By 32132 (142.32.208.234) at 6/1/2007 12:14:13 PM
Another day another 30 bugs (some in 10 year old Netscape code) and a couple of exploits in Firefox:

http://www.mozilla.org/security/announce/2007/mfsa2007-12.html

#17 By 23275 (24.179.4.158) at 6/1/2007 1:38:37 PM
Abbra.... Oh wait, this isn't magic at all... it's just common sense and the recommendations are based upon the observable and measurable.

We all saw, as the use of computers facing the public networks increased and Microsoft's features first posture shifted to one of secure first [not that we let up any pressure on them as regards features demands...]. We saw it all evolve and billions were invested.

So let's look at what I've shared and while reviewing let's try and remember the location, audience and therefore the context: (for those prone to addressing the 90% of us that use Microsoft software; that have compromised local host files that ended up here at "Awin when they meant to go to /.) as apologist shills, bent on world domination - how they could assess us to be so following and so weak on one hand and so dominant on the other is still beyond my thick skulled mind's ability to reconcile...

In response to how our industry evolved - it became more vulnerable. Microsoft responded to that and committed to making more secure software and to devise means to deliver that more secure software.

So what we see here is a simple recommendation to developers in general - explore securable objects and make use of the APIs/libraries available. That's what I recommended at #6 above. Do that, or do something similar - but do not sit there and point at ancient history and excuse one program over another - just because it did not come from Microsoft.
That goes for add-ins and patches, as much as it does for parent programs - again, Microsoft sets a very good example here - all of its add-ins are delivered over secure/signed means and Windows/Microsoft Updates are either baked in [Vista] or secure websites using signed controls. These are good examples that any dev can use as examples.

That is not some rabbit out of some hat, or some idea out of some opening in one's body - it is simple common sense. To suggest that the technically literate tech press knock off with the BS is an opinion - and clearly shared and expressed as such. Don't like it - skip my posts - they are easy to spot - they are the bigger ones in most cases.
