Hackers can hijack PCs using Firefox add-ons
Attackers can disguise malware as Firefox extension
May 30, 2007 12:00 PM ET Computerworld -
Hackers can drop malicious code into systems running Mozilla Corp.'s Firefox when the browser is armed with any of several high-profile add-ons, including Google Toolbar and Yahoo Toolbar, a researcher revealed today. Mozilla has acknowledged the risk posed by some extensions.
Christopher Soghoian, a Ph.D. student at Indiana University, outlined how "man in the middle" attackers, especially in public wireless networks, could disguise malware as a Firefox extension and surreptitiously plant their code in lieu of a normal update to one of the vulnerable extensions.
The bulk of Firefox extensions -- small plug-ins that add features or functionality and that are almost universally created by volunteer developers or hobbyists -- are hosted and updated from Mozilla's own SSL-secured site and are not vulnerable to this attack, Soghoian said. A number of broadly used third-party extensions, however, update from their own unsecured servers.
"It's sort of a compounding of errors," Soghoian said. "Mozilla didn't tell developers that they should update from a secure link; they erred in assuming everyone would know to do that. But the add-on developers are at fault for not using a secure server."
Mozilla revised the documentation for crafting and maintaining Firefox extensions after being contacted by Soghoian to post a prominent warning that urges developers to host updates on a site using Secure Sockets Layer.
Public wireless access points, like those at airports and coffee shops, would be the most likely scene of an attack, because hackers can use them with relative ease to mimic a legitimate update server with a laptop. But Soghoian warned that other locales would be just as dangerous.
"Any network where you're not running the show puts you at risk," he said. "If you're using your neighbor's wireless, for example." Users of the Tor anonymity network would also be vulnerable, Soghoian added. "There you're trusting your DNS to someone you don't know."
He listed Google Toolbar, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker among the at-risk add-ons, but he couldn't come up with an exhaustive catalog. "I didn't have time to test every extension," Soghoian said, "so I went to Download.com and looked at the top 20."
Ironically, some, such as Netcraft's, are designed to protect users against threats. "Users think 'I'm gonna make myself safer' by installing this extension, but they end up putting themselves at risk."
One vulnerable extension -- the eBay-created, Mozilla-sanctioned add-on for French, German and British online auction users -- was shifted to a secure server within days, Soghoian said.
Other vendors contacted by Soghoian, however, were less responsive.
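An added example, not from the article or from Mozilla: a Python audit of extension `install.rdf` manifests that flags any `em:updateURL` not served over HTTPS, which is the condition the article describes. The sample manifests, extension ids and hosts are constructed, and a manifest with no `em:updateURL` is assumed to use the browser's default update service.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"
MANIFEST = "urn:mozilla:install-manifest"

def _prop(desc, name):
    """Read an em: property written as an attribute or as a direct child element."""
    value = desc.get(f"{{{EM}}}{name}")
    if value is None:
        child = desc.find(f"{{{EM}}}{name}")
        value = child.text if child is not None else None
    return value.strip() if value else None

def audit_manifest(manifest_xml):
    """Return (extension_id, update_url, verdict) for one install.rdf document."""
    root = ET.fromstring(manifest_xml)
    for desc in root.iter(f"{{{RDF}}}Description"):
        # Skip nested targetApplication nodes: they hold the host application's id.
        if MANIFEST in (desc.get("about"), desc.get(f"{{{RDF}}}about")):
            break
    else:
        raise ValueError("no install-manifest description found")
    ext_id, url = _prop(desc, "id"), _prop(desc, "updateURL")
    if url is None:
        verdict = "default"  # assumption: the browser's default update service is used
    else:
        verdict = "secure" if urlparse(url).scheme == "https" else "insecure"
    return ext_id, url, verdict

def _sample(ext_id, update_line=""):
    # Constructed install.rdf for illustration; extension ids and hosts are made up.
    return f"""<RDF xmlns="{RDF}" xmlns:em="{EM}">
  <Description about="{MANIFEST}">
    <em:id>{ext_id}</em:id>{update_line}
    <em:targetApplication><Description>
      <em:id>{{ec8030f7-c20a-464f-9b0e-13a3a9e97384}}</em:id>
    </Description></em:targetApplication>
  </Description>
</RDF>"""

_URL = "<em:updateURL>{}://updates.example.invalid/update.rdf</em:updateURL>"
SAMPLES = [_sample("toolbar@example.invalid", _URL.format("http")),
           _sample("checker@example.invalid", _URL.format("https")),
           _sample("hosted@example.invalid")]

if __name__ == "__main__":
    print([audit_manifest(s) for s in SAMPLES])
```

An "insecure" verdict means the extension fetches its update information over plain HTTP and should be treated as exposed on untrusted networks until its vendor moves the update host to SSL.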
