
Zero-Day Vulnerabilities In Firefox Extensions

kdawson posted more than 4 years ago | from the wild-in-the-playground dept.


An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.


208 comments


Yep that's why I avoid extensions (2, Informative)

commodore64_love (1445365) | more than 4 years ago | (#30171318)

I don't trust them, plus they use more memory (I only have 1/2 gig), and they make the machine run slower. The only extensions I have are NoScript and ImageZoom and FlashVideoDownloader. I try to keep it to a minimum to avoid security problems, memory waste, and slowdown.

Re:Yep that's why I avoid extensions (2, Insightful)

amazeofdeath (1102843) | more than 4 years ago | (#30171394)

I completely agree, and I have been talking against the extension model for a long time. They are one of the main reasons why I use Opera instead of FF, as then I have only one vendor to introduce vulnerabilities, and it's the vendor I need to trust in any case to use the browser. Opera's inbuilt functionalities fortunately enable me to do the things for which I'd need to use extensions on FF.

Re:Yep that's why I avoid extensions (1)

Neil Hodges (960909) | more than 4 years ago | (#30171546)

The ad blocking functionality is limited in Opera, though. While its image-blocking setup works just fine, you can only block scripts based on the URL of the page being viewed, not by the URLs of each of the scripts themselves.

That said, I do use Opera at work since it's more responsive than Firefox.

Re:Yep that's why I avoid extensions (1)

amazeofdeath (1102843) | more than 4 years ago | (#30171662)

I might be misunderstanding your meaning, but if you mean things like Google's text ads, you can block them by adding "http://pagead2.*" to the blocked sites list. Sure, it's more work than with Adblock.

Re:Yep that's why I avoid extensions (0)

sopssa (1498795) | more than 4 years ago | (#30171998)

While Opera has the full-scale ad blocking tools in itself, I've found Ad Muncher [admuncher.com] to be a lot better on it, and it works with all the other browsers you have installed and gives more options too.

Re:Yep that's why I avoid extensions (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30172112)

Ad blocking shouldn't be done at the browser. It should be handled at the DNS level, or by a firewall or proxy.

You can run your own DNS server and return 127.0.0.1 for requests to known ad servers. You can do the same with your /etc/hosts file, too. This even works on Windows!

Use your firewall to prevent connections to known ad hosts.

Use a filtering proxy to strip out ads, Flash, ActiveX controls, and all sorts of other shit.

There are several community-collected lists of hostnames that are commonly used for serving ads, so you don't even have to build or maintain such a list yourself.

Do it those ways so it can easily apply to all browsers, mail clients, and other applications you might be using.

It's just fucking stupid to use a browser plugin to perform filtering that should be performed outside of the browser.

Re:Yep that's why I avoid extensions (1)

clone53421 (1310749) | more than 4 years ago | (#30172180)

Why? Then I have useless queries to 127.0.0.1 which stall and finally give me 404’s.

Better to filter it at the original HTML content, and simply not even request the parts I don’t want to download.

Re:Yep that's why I avoid extensions (0, Redundant)

sopssa (1498795) | more than 4 years ago | (#30172212)

You can't do the same kind of URL filtering on DNS level since the only thing you can filter is the domain/subdomain part. There's lots of cases where you need to be able to filter more specifically (like if the website is hosting the ads itself, or just to make some more general rules), and Opera+Ad Muncher [admuncher.com] is perfect for that.

Re:Yep that's why I avoid extensions (1)

commodore64_love (1445365) | more than 4 years ago | (#30171598)

You are correct that Opera's single vendor model is "safer" but the lack of extensions is a problem. If I see a youtube video I like, Opera has no way to grab it. Neither does it have an easy way to zoom-in on tiny photos. It's one of the reasons I've stayed with Firefox so I have the addon option if I need it.

Re:Yep that's why I avoid extensions (1)

amazeofdeath (1102843) | more than 4 years ago | (#30171738)

>If I see a youtube video I like, Opera has no way to grab it.

You can grab it from Opera's cache. Not convenient, but doable (personally I have done it a couple of times; I have cache off normally, so I turn disc cache on, watch the vid, and then take the file from cache).

>Neither does it have an easy way to zoom-in on tiny photos.

Pressing "8" gives you incremental zoom ("6" puts it back to no zoom). Probably not exactly what you wanted, as it zooms the whole site, but again, a work-around.

Re:Yep that's why I avoid extensions (0)

Anonymous Coward | more than 4 years ago | (#30171780)

> Neither does it have an easy way to zoom-in on tiny photos.

Huh? I zoom in and out of photos and web sites all the time using + and - keys. Maybe you're using Oprah?

Re:Yep that's why I avoid extensions (1)

sconeu (64226) | more than 4 years ago | (#30172040)

That's what the widget model is for. There are a couple of widgets for grabbing video.

Not the problem (1)

jDeepbeep (913892) | more than 4 years ago | (#30171912)

> I have been talking against the extension model for a long time.

The problem is not with the extension model. It is with the Firefox implementation of the extension model. If done properly, the browser would not be exposing an API to the plugin that is capable of doing naughty things, nor would it be exposing an API for a plugin to alter another plugin. You build a clear but limited line of communication on established browser events, but everything else is concealed from the plugin.

Re:Yep that's why I avoid extensions (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30171734)

FUCK FIREFOX! [webs.com]

Re:Yep that's why I avoid extensions (2, Informative)

clone53421 (1310749) | more than 4 years ago | (#30171864)

BULLSHIT.

Just to save anyone else the trouble...

That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.

GTFO with your FUD.

Adblock will save you memory (2)

Nicolas MONNET (4727) | more than 4 years ago | (#30171750)

It will also protect you overall, considering the amount of crap you find in web ads, even on supposedly reputable networks.

Re:Yep that's why I avoid extensions (-1, Troll)

JeffSpudrinski (1310127) | more than 4 years ago | (#30171758)

Dang that Microsoft!!! Why can't they just make more secure software????

Yeah...I know this wasn't Microsoft, but aren't the rules here at /. that we are somehow supposed to blame Microsoft for everything?

Get a Mac!

(note: I don't own a Mac and run IE almost exclusively)

-JJS

Re:Yep that's why I avoid extensions (2, Interesting)

cmiller173 (641510) | more than 4 years ago | (#30171782)

As a web developer I used the Web Developer Toolbar, Firebug, and DOM Inspector extensions daily. I could not be as productive without them.

Re:Yep that's why I avoid extensions (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30171830)

Don't you feel ashamed admitting you "work" as a web "developer"? Please refrain from using "develop

Re:Yep that's why I avoid extensions (1, Funny)

Anonymous Coward | more than 4 years ago | (#30172034)

Can't find string terminator '"' anywhere before EOF on line 1

Re:Yep that's why I avoid extensions (1)

clone53421 (1310749) | more than 4 years ago | (#30172074)

...says the troll from his mother’s basement. If you actually had a job you’d be more in a situation to criticize someone who does.

Re:Yep that's why I avoid extensions (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30172000)

Only half a gigabyte? Here's a quarter, kid. Buy yourself some more memory.

Re:Yep that's why I avoid extensions (1)

clone53421 (1310749) | more than 4 years ago | (#30172046)

A “minimum”, to me, would really be:

    Adblock Plus
    Download Statusbar
    Video DownloadHelper
    IE Tab
    Screengrab
    Tab Mix Plus

I don’t know how much bloat I’m adding by having them, but they all provide functionality that I really prefer not to do without. The only one that I’d be willing to waive is Screengrab, but it’s damn handy to have.

Browser vulnerabilities (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30171336)

Wow, what Firefox lacks in quantity they make up for in quality. These are huge - what's more, it is nothing short of negligent for the Firefox dev team to have designed the security model this way.

I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior.

Re:Browser vulnerabilities (1, Funny)

Anonymous Coward | more than 4 years ago | (#30171524)

> I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior

Okay, Jack [wikipedia.org] . Let us know how you make out.

Re:Browser vulnerabilities (2, Funny)

clone53421 (1310749) | more than 4 years ago | (#30171636)

I thought you were trolling, and then I read this:

> I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior.

Poe’s Law [rationalwiki.com] appears to be in full effect today.

Chrome time (0, Troll)

jaggeh (1485669) | more than 4 years ago | (#30171342)

Time to switch to chrome until the holes are patched.

Re:Chrome time (1, Informative)

Anonymous Coward | more than 4 years ago | (#30171488)

Or you could, you know, remove those extensions?

Re:Chrome time (1)

Stan92057 (737634) | more than 4 years ago | (#30171696)

Which ones? They clearly didn't list all the plug-ins that are affected, only the known ones.

Re:Chrome time (1)

jgtg32a (1173373) | more than 4 years ago | (#30171794)

No you should switch to Chrome. I use FF because of the extensions, honestly I don't consider vanilla FF that much better than IE8. I've already moved all my friends off of FF to Chrome because they weren't interested in using extensions.

Re:Chrome time (1)

clone53421 (1310749) | more than 4 years ago | (#30171906)

> they weren't interested in using extensions

Give them AdBlock Plus and let them use it for a while, and I honestly doubt they’ll still feel that way.

Re:Chrome time (0)

Anonymous Coward | more than 4 years ago | (#30172208)

So for Chrome do I run "apt-get install chrome" or what? Do I have to turn on some alternate repository?

Re:Chrome time (2, Informative)

Basje (26968) | more than 4 years ago | (#30171508)

Or use a clean firefox without extensions.

Of course, without extensions there isn't much that sets firefox apart from chrome except for the license. Some purists will prefer firefox for that reason but it's pretty much a coin toss.

Re:Chrome time (1)

maxume (22995) | more than 4 years ago | (#30171664)

Extensions that do not retrieve data (or even untrusted data) should also be reasonably safe from the types of attack discussed in the article (because the attacks discussed in the article all result from executing malicious data).

Re:Chrome time (1)

DavidTC (10147) | more than 4 years ago | (#30171854)

As should extensions that retrieve data from responsible sites, like those extensions that alter google result pages. Assuming Google doesn't try to attack us, they should be fine.

I used to have an assload of extensions, but I've been really trying to restrict what I have for speed issues, so I'm not that worried.

Re:Chrome time (1)

cmiller173 (641510) | more than 4 years ago | (#30171860)

Or use the " -profilemanager" switch on the shortcut that you launch Firefox with. You could then have a profile that loads no extensions that you use when surfing untrustworthy sites. And a profile that does load your extensions when you are doing normal surfing. What I actually use it for is I have a profile that loads my development tools (Web Developer Toolbar, Firebug, and DOM Inspector), a profile for just normal surfing, and a profile with no extensions for when I need to be absolutely sure that the add-ons are not the cause of a problem.

Re:Chrome time (1)

maxume (22995) | more than 4 years ago | (#30172004)

From what I gather, the vulnerabilities in the article all stem from trustworthy sites acting like untrustworthy sites (that is, something malicious gets stuck in a supposedly trusted RSS feed or whatever), so that particular separation probably isn't that important.

The idea of an extension that executes code from every page it visits is pretty scary, I hope none of those exist.
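
The point in the comment above, that the attacks come from feed data ending up executed, shown as an added example (not part of the thread, and not code from any of the affected extensions): a feed item pasted into markup beside a version that escapes every field and keeps only http/https links. The item fields and the function names are assumptions made for the illustration.

```javascript
// Added example: constructed data and hypothetical function names.

// Constructed feed item as a parser might hand it to the display code.
// The title and link carry markup and a script URL that a feed reader
// must treat as data, not as part of its own page.
const sampleItem = {
  title: 'Release notes <img src="x" onerror="alert(1)">',
  link: 'javascript:alert(1)',
  summary: 'Fixes & improvements',
};

// Before: feed fields are concatenated into markup, so whatever the feed
// author wrote becomes part of the page the extension displays.
function renderUnsafe(item) {
  return `<a href="${item.link}">${item.title}</a><p>${item.summary}</p>`;
}

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn every HTML metacharacter into its entity so the text stays text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Keep only absolute http(s) links; anything else (javascript:, data:,
// relative or unparsable values) is replaced by an inert anchor.
function safeLink(raw) {
  try {
    const url = new URL(String(raw));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch {
    return '#';
  }
}

// After: every field is escaped for the place it lands in.
function renderSafe(item) {
  return `<a href="${escapeHtml(safeLink(item.link))}">${escapeHtml(item.title)}</a>` +
         `<p>${escapeHtml(item.summary)}</p>`;
}

console.log(renderUnsafe(sampleItem));
console.log(renderSafe(sampleItem));
```
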

Re:Chrome time (1)

SanityInAnarchy (655584) | more than 4 years ago | (#30171916)

Actually, not even the license, really. Just use Chromium, if you care.

That actually makes sense. (1)

SanityInAnarchy (655584) | more than 4 years ago | (#30171768)

From TFS:

> Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.

Not one of these is true of Chrome extensions -- or at least, it is possible to develop extensions which are not fully trusted.

I have to say, I am depressed... (1)

hesaigo999ca (786966) | more than 4 years ago | (#30171346)

: (
FF is my favorite web browser because they always made sure to be more secure than IE. I guess when it comes to add-ons and extensions, it's always a crap shoot, but I always thought FF was better at handling security for extensions than IE, I guess
I will have to go back to using linx now because I trust nothing else...
Life will be boring

Re:I have to say, I am depressed... (0)

Anonymous Coward | more than 4 years ago | (#30171366)

Or wget.

LOL

Re:I have to say, I am depressed... (5, Informative)

farlukar (225243) | more than 4 years ago | (#30171540)

> I will have to go back to using linx now because I trust nothing else...

If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

Re:I have to say, I am depressed... (3, Funny)

NoYob (1630681) | more than 4 years ago | (#30171804)

> I will have to go back to using linx now because I trust nothing else...

> If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.

Yeah, but how do I know that the snapshot is clean? Or for that matter how do I know that my virtual machine hasn't been compromised?

They could have put a chip in my brain that makes me think that I'm browsing securely but in fact I'm not!

And who are you to be posting these things to make us feel like we can be secure? The sig of yours is French, no? But your user name looks Arabic. You could be a French secret agent with an Arabic code name - or, an Islamic Jihadist, hiding in France acting like a friendly internet user "helping" folks to "secure" their browsing habits all along undermining their computers so you and your agents can break in, compromise their machines, do your nefarious activities, and all the while, the poor sap who follows your advice gets arrested by the FBI while you take off with the hot secret agent babes from Russia.

No sir! I know what you're doing here!

Re:I have to say, I am depressed... (2, Funny)

unix1 (1667411) | more than 4 years ago | (#30172252)

> They could have put a chip in my brain that makes me think that I'm browsing securely but in fact I'm not!

So, you have hardwired your brain into your computer and are using it as a Firefox extension? This makes my head spin.

Re:I have to say, I am depressed... (0)

Anonymous Coward | more than 4 years ago | (#30171874)

Poe's Law strikes again!

Re:I have to say, I am depressed... (1)

farlukar (225243) | more than 4 years ago | (#30171974)

> Poe's Law strikes again!

Yes, it's terrible. I don't even know if I am serious or joking anymore.

Re:I have to say, I am depressed... (2, Funny)

clone53421 (1310749) | more than 4 years ago | (#30172002)

You can’t possibly be serious...

Re:I have to say, I am depressed... (1)

owlstead (636356) | more than 4 years ago | (#30172014)

Better yet, create a special user or two, one for anonymous browsing and one for your security relevant tasks (banking etc). The first one should be automatically reset after use (I use an Ubuntu guest account for that), the other one should have an encrypted home folder. At least make sure your browser is up to date if you use farlukar's scheme.

Re:I have to say, I am depressed... (1)

commodore64_love (1445365) | more than 4 years ago | (#30171820)

Linux is boring? Sacrilege! You get to read all those obscure docs and get into flamewars with developers. How is that not fun? ;-)

Which reminds me, what Linux needs is something like what I had on my old Amiga PC: A graphical way of interacting with the CLI so I don't have to remember all those obscure commands like "sudo -s -t /whatever"

   

Re:I have to say, I am depressed... (1)

jd (1658) | more than 4 years ago | (#30171828)

There's really no excuse for Firefox to allow at least some of the more common security flaws - or at least allowing those flaws to cause problems.

First, sandboxing of extensions should limit what problems can be caused.

Second, a lot of errors are caused by the overflowing of buffers - a problem that could be limited by the use of stretchy buffers or bounds-checking malloc implementations. Or not allowing direct access to the heap.

Third, Firefox (and indeed all programs) should run on the principle of least privilege. Where some specific subset of program functionality requires significantly greater privilege than the rest, run the subset as a different thread or process at a different level of privilege. By extension (bad pun, I know), extensions could also be run as a different thread or process with even fewer rights. (OS' that don't allow programs to shed rights might be a problem, though.)

Re:I have to say, I am depressed... (1)

clone53421 (1310749) | more than 4 years ago | (#30171926)

> First, sandboxing of extensions should limit what problems can be caused.

While also limiting what functionality can be created.

Zero Day (0, Troll)

siyavash (677724) | more than 4 years ago | (#30171352)

Could we please stop using "Zero Day"? It's silly. Doesn't fit /. imho. Or is /. becoming Fox News of IT?

Re:Zero Day (1)

Lord Lode (1290856) | more than 4 years ago | (#30171446)

What does it mean anyway? That you're infected in zero days?

Re:Zero Day (3, Informative)

taoye (1456551) | more than 4 years ago | (#30171518)

Apparently, yes. To paraphrase Wikipedia, it means that the attack occurs on the 0th day that the vendor is aware of the problem... which is significant because it means the vendor has not even had a chance to respond to the vulnerability before it is exploited. Notwithstanding the fact that they could have prevented it, but that's another matter.

Re:Zero Day (1)

ohampersand (1600309) | more than 4 years ago | (#30171522)

A publicly disclosed vulnerability that has no available patch.

Re:Zero Day (1)

Fast Thick Pants (1081517) | more than 4 years ago | (#30171660)

Suppose you watched the Firefox commits when they do a security update (or reverse-engineered an IE patch) and discovered how to exploit a fixed vulnerability 2 days after the update. You could call that a 2-day vulnerability, and the small number of days means that a lot of people haven't patched yet.

So a zero-day vulnerability means that nobody's gotten a chance to patch yet, because the security hole is discovered before a patch is available.

Re:Zero Day (1)

clone53421 (1310749) | more than 4 years ago | (#30171672)

Geez, I wonder where you could find that sort of information... [lmgtfy.com]

The term derives from the age of the exploit. When a vendor becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A “zero day” attack occurs on or before the first or “zeroth” day of vendor awareness, meaning the vendor has not had any opportunity to disseminate a security fix to users of the software.

How did the "many eyes" miss this? (0, Troll)

Anonymous Coward | more than 4 years ago | (#30171358)

Where is your multi-eyed God now OSS fanboys? Hmmmm???

Re:How did the "many eyes" miss this? (1, Informative)

Jalfro (1025153) | more than 4 years ago | (#30171484)

The trouble is, although Firefox is FOSS, most extensions are not.

Re:How did the "many eyes" miss this? (1)

middlemen (765373) | more than 4 years ago | (#30171728)

The real trouble is that most extensions are in javascript and javascript is not a language that emphasises security. The fact that there is no way to perform a "use strict;" (as in Perl) is for starters a way to get access to all the other global variables in other scripts.

I have written a Firefox extension, and the Mozilla Developer API allows you to load any script at runtime, and also gives access to all the possible extensions that are installed, thus giving you an idea of where they can be located on the disk, and then loading those files and manipulating the content on the fly. Because of the lack of strictness in javascript as a language, if a global variable XYZ is in one script, it can be manipulated by any other script as well. Fundamentally it is a problem with Javascript and not with the Mozilla API. The API is excellent and allows you to do a lot of things. Any solution to sandbox each extension will just lead to eventual bloat.

Re:How did the "many eyes" miss this? (1)

clone53421 (1310749) | more than 4 years ago | (#30171886)

The real trouble is that this is the way it’s designed, and it needs to stay this way.

Just like the real trouble with running arbitrary .exe files you download off the net is that .exe files are trusted a whole lot more than arbitrary files you download off the net ought to be.

Re:How did the "many eyes" miss this? (1)

SanityInAnarchy (655584) | more than 4 years ago | (#30172048)

> The real trouble is that most extensions are in javascript and javascript is not a language that emphasises security.

I don't really know of many languages that "emphasize security" -- indeed, Javascript is more sandboxed by default than most languages I know.

> The fact that there is no way to perform a "use strict;" (as in Perl) is for starters a way to get access to all the other global variables in other scripts.

And the solution to this is obvious -- if you want to isolate scripts, isolate them at the runtime level, as you do for separate tabs/pages.

> also gives access to all the possible extensions that are installed... Because of the lack of strictness in javascript as a language, if a global variable XYZ is in one script, it can be manipulated by any other script as well... Fundamentally it is a problem with Javascript and not with the Mozilla API.

Sorry, but that looks to me very much like a fatal flaw in the API. A strict language may allow you to compensate somewhat, but there is no reason a global variable needs to by default be accessible from every script.

> allows you to do a lot of things.

So did older versions of Mac OS, which did not have a concept of memory protection -- all programs ran in the same address space. This let you do some interesting things that you can't do as easily on a platform like OS X, but it should be obvious why OS X is more stable and more secure.

Re:How did the "many eyes" miss this? (1)

unix1 (1667411) | more than 4 years ago | (#30172110)

> Any solution to sandbox each extension will just lead to eventual bloat.

How so? Whether the language does or doesn't support certain security features, they still have to implement the security within the browser. It's not a question of if, but how.

The problem is not the loosely typed language, it's that the API doesn't have a proper security model. One good way to implement it is to exactly sandbox each extension within their environment, only allow access to components/objects that are absolutely needed to run the extensions (but having no access to outside resources), and if additional access is required, present user with the security message and let the user decide whether to allow such access (either at install time, run time, selectively, allow user to grant for session/permanently, etc. - details can be adjusted as necessary).

It can't be that hard or "bloated" since many others are already doing this - Blackberry, Android, etc. - can't be too hard for a web browser.
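
The two comments above both argue for isolating extensions at the runtime level and granting access explicitly. The sketch below is an added example, not part of the thread and not Firefox code: it models extensions as scripts in Node.js, first sharing one global object, then each in its own `vm` context behind a permission broker. All names (`blockerSrc`, `request`, the permission strings) are hypothetical, and Node documents that `node:vm` is not a security mechanism, so this models the design rather than a hardened sandbox.

```javascript
// Added example: a toy model in Node.js, not Firefox or Mozilla code.
// node:vm only gives each script its own global object; it is not a
// security mechanism, so treat this as a model of the design idea.
const vm = require('node:vm');

// Constructed "extensions" (hypothetical names and behaviour).
const blockerSrc = `
  var whitelist = ['example.org'];   // state owned by the blocker extension
  function isAllowed(host) { return whitelist.indexOf(host) !== -1; }
`;
const otherSrc = `
  // Another extension reaching for a global it does not own.
  if (typeof whitelist !== 'undefined') whitelist.push('ads.example.net');
`;

// Model 1: all extensions share one global object, so the second script
// can silently change the first one's state.
function runShared() {
  const shared = vm.createContext({});
  vm.runInContext(blockerSrc, shared);
  vm.runInContext(otherSrc, shared);
  return vm.runInContext("isAllowed('ads.example.net')", shared);
}

// Model 2: one context per extension. The only bridge to the host is
// request(), which checks the extension's declared permissions and asks
// the user about anything that was not declared.
function makeBroker(manifests, askUser) {
  const api = new Map([
    ['feeds.read', () => ['constructed feed item']],
    ['prefs.write', (key, value) => `${key}=${value}`],
  ]);
  return function contextFor(name) {
    const granted = new Set(manifests[name] || []);
    function request(perm, ...args) {
      if (!api.has(perm)) throw new Error(`unknown permission: ${perm}`);
      if (!granted.has(perm)) {
        if (!askUser(name, perm)) throw new Error(`${name} denied ${perm}`);
        granted.add(perm); // remembered for this session only
      }
      return api.get(perm)(...args);
    }
    return vm.createContext({ request });
  };
}

function runIsolated(askUser) {
  const contextFor = makeBroker({ blocker: [], other: ['feeds.read'] }, askUser);
  const blockerCtx = contextFor('blocker');
  const otherCtx = contextFor('other');
  vm.runInContext(blockerSrc, blockerCtx);
  vm.runInContext(otherSrc, otherCtx); // no `whitelist` exists in this context

  let prefsWrite;
  try {
    prefsWrite = vm.runInContext("request('prefs.write', 'theme', 'dark')", otherCtx);
  } catch (err) {
    prefsWrite = 'denied';
  }
  return {
    tampered: vm.runInContext("isAllowed('ads.example.net')", blockerCtx),
    feedItems: vm.runInContext("request('feeds.read').length", otherCtx),
    prefsWrite,
  };
}

console.log('shared global          :', runShared());
console.log('isolated, user says no :', runIsolated(() => false));
console.log('isolated, user says yes:', runIsolated(() => true));
```
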

Re:How did the "many eyes" miss this? (1)

MozeeToby (1163751) | more than 4 years ago | (#30171848)

But, if the 'many eyes' were being honest with themselves, they should have cried foul at the insecure way extensions are handled before exploits were even known. It really isn't acceptable to give any random extension that much control over your software IMO.

Re:How did the "many eyes" miss this? (2, Insightful)

RiotingPacifist (1228016) | more than 4 years ago | (#30171494)

Isn't the point that they have been seen now, if those holes were in closed binary addons (like Cooliris preview) then they would never have been seen.

Re:How did the "many eyes" miss this? (1)

tthomas48 (180798) | more than 4 years ago | (#30172080)

Um... posting things on slashdot about exploits? The many eyes doesn't mean all security bugs will be fixed before software ships. It means that over time the open nature will mean that the bugs can be found and closed easier.

Damned Activex Controls! (3, Funny)

Anonymous Coward | more than 4 years ago | (#30171436)

This is why Microsoft should turn off Activex Controls altogether.........oh wait........

Lobo? (1)

jhol13 (1087781) | more than 4 years ago | (#30171534)

There really needs to be a Java (or other "managed" language based) based browser (like Lobo). Unfortunately Lobo is not (yet?) ready for prime time.

Re:Lobo? (1)

jaggeh (1485669) | more than 4 years ago | (#30171588)

Sheriff lobo?

Re:Lobo? (1)

Meneth (872868) | more than 4 years ago | (#30171592)

Garbage collection does not protect against most security breaches.

Re:Lobo? (1)

owlstead (636356) | more than 4 years ago | (#30171914)

Garbage collection does not protect against *any* security breaches. It may even introduce a few security issues (e.g. files not closed since the destructor is not called in time). The lack of pointer arithmetic and addition of bounds checking, on the other hand, certainly does protect against many security breaches. It also enables a better component based design where one component cannot change the behavior of other components. E.g. in Lobo it seems that there is an API that enables plugins. If this API is well designed it won't allow plugins to change too much outside their sandbox.

Re:Lobo? (2, Informative)

owlstead (636356) | more than 4 years ago | (#30171640)

I'm very much in favor of that. I would even like to help building a Java based browser (e.g. with a OSGi based plug-in system). But the thing is that these extensions use all kinds of technologies, but not C/C++ (as far as I could see). So if the browser was managed code you would have the same issues. Managed code helps against many bugs, but not against all.

Re:Lobo? (1)

SafeMode (11547) | more than 4 years ago | (#30172010)

Managed languages are meant as a convenience, not a crutch. Bad programmers shouldn't be encouraged to write their brain vomit in java any more than in C/C++.

The problem here anyway has nothing to do with language choice as much as an api that puts no restrictions on third party extensions. The question then has to be, how do you restrict what an extension can do when your whole platform is based on the idea that you can use extensions to completely rewrite the application's functionality.

Related link with more info on LWN (1)

owlstead (636356) | more than 4 years ago | (#30171556)

A quick Google search found this interesting article [lwn.net] from August of this year.

Go NoScript! (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#30171584)

I read the article ( ! ) and saw NoScript mentioned; It seems that this can be exploited to whitelist sites within NoScript if FF has other addons installed. Scary stuff.

Re:Go NoScript! (0)

Anonymous Coward | more than 4 years ago | (#30171928)

> I read the article ( ! ) and saw NoScript mentioned; It seems that this can be exploited to whitelist sites within NoScript if FF has other addons installed. Scary stuff.

You know where's the irony in your statement? NoScript was caught *actually* modifying AdBlock to whitelist NoScript's author sites, for profit. Yes, I know, you feel butt-hurt. That's reality.

Re:Go NoScript! (1)

clone53421 (1310749) | more than 4 years ago | (#30171956)

Wow, this is a big [citation needed], and if it’s true, were they suitably bitch-slapped for it?

Re:Go NoScript! (1)

geekboy642 (799087) | more than 4 years ago | (#30172148)

Citation: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ [hackademix.net]

And there was as much bitch-slapping as ever occurs when any OSS developer does something blindingly stupid. The Internet's huddled masses screamed incoherently at them for a few days, and they realized that they weren't going to get away with it. Many, myself included, vowed to never again let Giorgio Maone's code run on any machine under our control.

Re:Go NoScript! (1)

clone53421 (1310749) | more than 4 years ago | (#30172250)

Wow, yeah, he sounds pretty butthurt in that blog entry. *rolleyes*

At least the sites that tell you to disable AdBlock or you won’t be able to access their content are up-front and honest about it, and ultimately leave the decision in the visitor’s hands whether to enable their ads or just never visit again.

Re:Go NoScript! (0)

Anonymous Coward | more than 4 years ago | (#30172186)

There was a story about it on this website called Slashdot [slashdot.org] , you may have heard of it? Or do you live under a rock or something?

Re:Go NoScript! (1)

clone53421 (1310749) | more than 4 years ago | (#30172314)

It was posted at 18:18 on a Friday evening. I don’t always check Slashdot on the weekends.

Re:Go NoScript! (1)

MikeURL (890801) | more than 4 years ago | (#30172334)

I'm not going to find a link for you but it happened (there were days worth of nerd rage). I even uninstalled NoScript for a while in protest.

It was also about the same time that I seriously questioned the security practices of Mozilla. If this kind of thing could happen with two of the most popular add-ons then what is going on once you get a few pages deep into the "most popular" section? Some of them may be outright malware.

I know Mozilla does not have the resources of MS but can't they restrict the add-ons that they post to mozilla.com? One should be able to reasonably expect that if Mozilla posts it that it has been tested and that updates will come from mozilla.com rather than iminurbase.cx.

Re:Go NoScript! (1)

clone53421 (1310749) | more than 4 years ago | (#30172370)

Meh. I really don’t blame it on Mozilla... addons are supposed to have pretty broad privileges. It’s up to you to decide whether you trust the publisher of the addon enough to install their stuff. The same would go for any application.

And I’m sure you’ve noticed that several other people provided citations for the claim, so no worries – saved you the trouble.

Re:Go NoScript! (1)

icebraining (1313345) | more than 4 years ago | (#30172344)

Of course it's true, all extension objects are accessible by other extensions. Only web page scripts are sandboxed. Which is nice, because it allows me to control NoScript through Vimperator scripts.

It's about trust (5, Insightful)

TheCoders (955280) | more than 4 years ago | (#30171586)

The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.

The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.

Re:It's about trust (3, Insightful)

jadin (65295) | more than 4 years ago | (#30172070)

I'm in the 'supposed to know crowd' and I had this misconception for a long time. If I failed so quickly in this aspect, what hope is there for "ma and pa" and the rest of the fam'? Which makes the question simply -

What is easier to fix? Firefox's security model or most of the world's perception?

Re:It's about trust (3, Insightful)

wd5gnr (1682238) | more than 4 years ago | (#30172090)

I think the fact that extensions appear on the Mozilla add-on site could give some users the impression that they are "trusted" in some way. By default, FF won't install except from there (and maybe one or two other sites). But as far as I know, there's no real check. I mean I'm sure if you put up an extension that wiped your hard drive, enough people would complain and comment that it would get yanked. But something more subtle, maybe not.

Yawn... (1)

Jaysyn (203771) | more than 4 years ago | (#30171602)

This will get fixed in Firefox shortly & then it will be even more secure. What's the problem?

Either way, I'm so hooked on the 20 or so extensions that I use, that I'd never go back to anything else. IE is the pits. Chrome's speed just isn't that big of a deal. Opera is ok, but the users are worse than Mac snobs.

Re:Yawn... (0)

Anonymous Coward | more than 4 years ago | (#30171952)

The problem is that Firefox's security model for extensions is non-existent. If they didn't before, people now know it pays to look for holes in popular extensions. We all know there will be plenty of holes to be found, and because of Firefox' shit design all we can do is play catch-up and patch holes after they've been exploited.

color me unsurprised (1)

RiotingPacifist (1228016) | more than 4 years ago | (#30171616)

I've always tried to keep a check on my addons for exactly this reason, the more code you're running the more chance there is an exploitable bug in there somewhere. While steps can be taken to prevent an exploited addon doing damage, I don't think much can be done to prevent a buggy addon doing exactly what it sets out to do but wrongly.

The good news is that because all the functionality comes from addons they can be disabled and only affect users that want these features, so bob wanting to use his browser as an RSS reader doesn't affect me.

Privilege separation (1)

BlueParrot (965239) | more than 4 years ago | (#30171708)

It's lovely and fussy and all things nice. A world facing app like a web-browser should make use of it.

Really with the performance of current desktop computers and even netbooks there's no good reason not to stick potentially vulnerable parts of your browser in a separate process and block it from accessing anything it does not absolutely need to deal with.

For what it's worth... (1)

SanityInAnarchy (655584) | more than 4 years ago | (#30172068)

A world facing app like a web-browser should make use of it.

Chrome does. Yes, for its extensions.

Look to Android for the solution (2, Interesting)

LS1 Brains (1054672) | more than 4 years ago | (#30171752)

Unchecked, or merely poorly checked third party code has long been a tender Achilles heel for any system. We beat down Windows 'round these parts with impunity, but often times the fault is with something outside of the code controlled by the Borg. Firefox is not immune obviously, and there should be some system to help prevent "issues" when extensions and plugins are used.

I wouldn't call it perfect, but Google's Android platform has a novel idea - your third party code must register for the privileges it requires to operate, and those privileges are then presented to the user for scrutiny in a very easy to understand manner. Install an Android application, and you get to see what rights you grant that app before it launches the first time. Hmmm, this game wants access to my contacts and the internet? No thank you, let's just delete that before it shares my phone list.
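The declare-then-approve model described in the comment above, applied to browser extensions, as an added example that is not part of the original comment and is not Firefox or Android code. The permission names, host APIs and the `feed-reader` manifest are hypothetical and constructed for illustration.

```javascript
// Hypothetical permission table: what the user is told, and the API each grant unlocks.
const PERMISSIONS = new Map([
  ['network',   { text: 'contact any web site', make: () => ({ fetch: (url) => `GET ${url}` }) }],
  ['bookmarks', { text: 'read your bookmarks',  make: () => ({ list: () => ['https://example.org/'] }) }],
  ['feeds',     { text: 'parse RSS/Atom feeds', make: () => ({ parse: (xml) => xml.replace(/<[^>]*>/g, '') }) }],
]);

// Install-time step: turn the manifest into the prompt shown to the user.
// A manifest naming a permission the host does not know is rejected outright.
function describeRequest(manifest) {
  const unknown = manifest.permissions.filter((p) => !PERMISSIONS.has(p));
  if (unknown.length) throw new Error(`unknown permission: ${unknown.join(', ')}`);
  return manifest.permissions.map((p) => `${manifest.name} wants to ${PERMISSIONS.get(p).text}`);
}

// The host builds a per-extension API object holding only what was both
// declared in the manifest and approved by the user.
function install(manifest, approved) {
  describeRequest(manifest); // validation only
  const granted = manifest.permissions.filter((p) => approved.includes(p));
  const api = Object.create(null);
  for (const p of granted) api[p] = Object.freeze(PERMISSIONS.get(p).make());
  return Object.freeze({ name: manifest.name, granted, api: Object.freeze(api) });
}

// The entry point receives only its own API object. This models the grant
// logic; isolating globals needs a separate process or sandbox, which this
// sketch does not provide.
function run(ext, entryPoint) {
  try {
    return { ok: true, value: entryPoint(ext.api) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample: a feed reader that also asks for bookmarks; the user declines that one.
const reader = install(
  { name: 'feed-reader', permissions: ['feeds', 'network', 'bookmarks'] },
  ['feeds', 'network'],
);
const allowed = run(reader, (api) => api.feeds.parse('<title>Hello</title>'));
const denied = run(reader, (api) => api.bookmarks.list());
console.log(reader.granted, allowed, denied);
```
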

Thus proving... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30171836)

.. once again that marketing > reality. Firefox has been around since 2003. The situation with extensions has been the same since 2003. Firefox has been enjoying a "Mac effect" where the lack of market share and platform knowledge convinced their users that it's invulnerable to hacks and extensions are safe. Same people who laugh at ActiveX without having a clear idea what the problem is, would claim extensions are totally safe and install them by the dozens. In the last couple of years we have seen increased reporting of security problems with Firefox, and the fans of yesterday explain this with Firefox "becoming bloatware" and hence "becoming insecure". Becoming? Hardly. These issues have been always there. Go back to the first releases and you'll see.

Re:Thus proving... (1)

Ash-Fox (726320) | more than 4 years ago | (#30172266)

In the last couple of years we have seen increased reporting of security problems with Firefox

Much like with other software in the last couple of years. This isn't unusual or unexpected from any software turning mainstream. What is pretty good is that the majority of these vulnerabilities are fixed very soon after. Except for certain exploits, like on Windows and Linux, you can retrieve the start parameters of any applications being launched and thus if it's a ftp or http url with login credentials or login session in the URL (like launching the browser from an e-mail application) - Firefox has remained quite resilient (source: secunia).

Compare this to IE where many exploits are found and don't get fixed for years on end... (source: secunia). I personally feel there is a lower risk with Firefox, especially with its automated update system that doesn't care how genuine your system is and default settings make it fully automatic updates, thus preventing the prolonged use of exploits that work years on a substantial amount of people for years.

the fans of yesterday explain this with Firefox "becoming bloatware" and hence "becoming insecure"

I've noticed you do generalize a lot.

DUHHHH...... (1)

AssTard (684911) | more than 4 years ago | (#30171938)

Why was this not quite obvious to anyone else from the beginning of Firefox mania? Seriously, this is the main reason I haven't jumped on the Firefox Fanboi bandwagon.

Reality vs Probability (1)

ossuary (1532467) | more than 4 years ago | (#30171970)

Even with those security issues, I would still put money on Firefox being much better at keeping problems off a user's system than IE (for now).

If Microsoft (1)

SnarfQuest (469614) | more than 4 years ago | (#30172356)

If Microsoft spent as much time on their own software, as they do trying to belittle others, then they might be able to fix some of the gaping holes in Windows. But, I guess it's better politics to throw mud, than to clean up your own messes.

0-day? (2, Insightful)

Tanaric (868318) | more than 4 years ago | (#30172400)

This is the second story recently that tosses the term "0-day" around when "new" would suffice. Yes, 0-day sounds cool, and yes, it's a helpful description in, say, the warez scene (do we still call it that?), but in articles about bugs/exploits it just makes you sound stupid.