NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0189 Firefox Add-Ons Vulnerable to Attack:
The process used to update some Firefox add-ons automatically appears to be flawed, allowing criminal hackers to intercept the browser's call to the developer to see if there is a new version available. The most vulnerable add-ons are said to be from sites such as Google, Yahoo, Facebook, and LinkedIn. Extensions for Firefox contain hard-coded Internet addresses for updates, and Firefox developer Mozilla provides free hosting for the updates at addons.mozilla.org using the secure 'https' protocol. However, many developers who choose for various reasons to serve the updates themselves from servers under their control opt to use the less secure, less resource-intensive 'http' instead.

The researcher who disclosed the problem, Christopher Soghoian, described a scenario where a wireless user in an Internet cafe starts up the Firefox browser, which routinely checks with the extension's update servers to see if there are any updates pending and generally notifies the user. Add-ons using the less secure 'http' protocol are open to a man-in-the-middle attack where a criminal hacker can intercept the transmission and substitute a maliciously coded update instead. While Firefox prompts the user to install any updates, not all updates trigger the prompt. For example, Google Toolbar updates will install automatically.

Soghoian urges Firefox users to uninstall extensions not downloaded from Mozilla, including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Netcraft Anti-Phishing Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, and PhishTank SiteChecker. Add-ons not vulnerable to this type of attack include NoScript, Greasemonkey, and AdBlock Plus. Secure add-ons can be downloaded from the official Firefox Add-ons web site.
(news.com.com 30MAY07)
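As an added illustration, not part of the original advisory or of any Mozilla tooling, the following Python script audits unpacked Firefox add-ons of that era by reading each extension's install.rdf manifest and flagging any em:updateURL that is not served over https (an absent updateURL means the add-on updates through addons.mozilla.org). The sample manifests, add-on names and example.invalid hosts are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

EM = "{http://www.mozilla.org/2004/em-rdf#}"            # install.rdf add-on namespace
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"   # RDF envelope namespace

def manifest(body):
    """Wrap a constructed Description body in the install.rdf envelope."""
    return ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest"' + body + '</RDF>')

# Constructed samples (not real add-ons) covering the cases the advisory describes:
# self-hosted cleartext URL, self-hosted HTTPS URL, attribute-form URL, and AMO default.
SAMPLES = {
    "cleartext-toolbar": manifest('><em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL></Description>'),
    "https-toolbar": manifest('><em:updateURL>https://updates.example.invalid/update.rdf</em:updateURL></Description>'),
    "attr-form": manifest(' em:updateURL="http://cdn.example.invalid/u.rdf"/>'),
    "amo-hosted": manifest('><em:id>safe@example.invalid</em:id></Description>'),
}

def update_url(install_rdf_xml):
    """Return the add-on's em:updateURL (element or attribute form), or None
    when absent, in which case Firefox checks addons.mozilla.org over HTTPS."""
    root = ET.fromstring(install_rdf_xml)
    node = root.find(f".//{EM}updateURL")
    if node is not None and node.text:
        return node.text.strip()
    desc = root.find(f".//{RDF}Description")
    return desc.get(f"{EM}updateURL") if desc is not None else None

def classify(url):
    """A cleartext HTTP update check is the man-in-the-middle exposure described."""
    if url is None:
        return "ok: default AMO https"
    if url.lower().startswith("https://"):
        return "ok: https"
    return "RISK: cleartext update URL " + url

def audit(manifests):
    """Map add-on name -> verdict for a dict of install.rdf contents."""
    return {name: classify(update_url(xml)) for name, xml in manifests.items()}

def audit_profile(profile_dir):
    """Audit unpacked add-ons under <profile>/extensions/<id>/install.rdf."""
    exts = Path(profile_dir) / "extensions"
    return audit({p.parent.name: p.read_text(encoding="utf-8")
                  for p in exts.glob("*/install.rdf")})
```

Run `audit_profile` against a Firefox profile directory to list which installed add-ons still poll a cleartext update URL; `audit(SAMPLES)` shows the four verdicts on the constructed manifests.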
Last Modified: Tuesday, 05-Jun-2007 21:52:27 EDT