Wilders Security Forums
Thread: Security holes in Firefox due to plugins

#26
August 10th, 2007, 07:20 PM
lu_chin
Frequent Poster
Join Date: Oct 2005
Posts: 294
Re: Security holes in Firefox due to plugins

How do FF addons/plugins compare with BHO and activex used by IE? Won't missing updates to such cause similar potential security holes in IE? I guess the update issue is more general than relating to a particular program. There is also an Update Notifier addon for FF written by Todd Long that notifies the user when updates for extension and themes are available. It is supposedly "easily configurable for automatically installing updates when available and checking for updates when Firefox starts." But then users have to keep this addon up-to-date first in case of bugs.
#27
August 10th, 2007, 09:41 PM
GrailVanGogh
Regular Poster
Join Date: May 2007
Location: US
Posts: 94
Re: Security holes in Firefox due to plugins

Quote:
Originally Posted by lu_chin
There is also an Update Notifier addon for FF written by Todd Long that notifies the user when updates for extension and themes are available. It is supposedly "easily configurable for automatically installing updates when available and checking for updates when Firefox starts." But then users have to keep this addon up-to-date first in case of bugs.

Fx 2.0 will check for updates to addons, search plugins, as well as the browser on a daily basis if the user allows it.

Sticking with Mozilla Addons site to get any extensions and themes goes a long way in protecting yourself as the addons and themes are tested.
#28
August 11th, 2007, 01:16 AM
LUSHER
Frequent Poster
Join Date: Feb 2007
Posts: 440
Re: Security holes in Firefox due to plugins

Quote:
Originally Posted by DavidGGG
Well you don't know if it is the latest version, do you? How fix that?

How do you know that the full 'exe' that you use is updated? It's the same problem: the exe that you install will and should update the plugin at the same time. So far my check shows that they all do. WMP is the same, except their plugins reside in the normal program folder rather than the plugins folder. Firefox is set to scan various standard folders (which you can turn off) if the plugins do not exist in the normal plugin folder. You can google all the gory details if you want, but it's not necessary.

Quote:
Seems the latest version is from April 13th 2007 and that the official download site (redirected to by M$) is http://port25.technet.com/pages/wind...-download.aspx.

But that's not the point. Apparently there's a risk you are vulnerable to whatever bugs WMP has had since 2005, and you can go download that plugin right now, but then they might find a new bug and make a new update tomorrow, or next week.

Okay, calm down, you are not vulnerable if you have "npdsplay.dll" (normally located in the C:\Program Files\Windows Media Player folder) version 3.0.2.629 (which I have). Here's what Mozilla says:

"In Windows XP and earlier, the WMP plugin file "npdsplay.dll" and related plugin files are normally included in the Windows Media Player program folder. The WMP plugin is automatically detected through plugin scanning and will be used by Mozilla applications for embedded media that require the WMP plugin. Important: Microsoft Security Bulletin MS06-006 (February 2006) reported a vulnerability in the standard Windows Media Player plugin file "npdsplay.dll" on Windows 2000 and Windows XP systems, that could result in remote code execution when using non-Microsoft web browsers. The "Security Update for Windows Media Player Plug-in (KB911564)", available from Windows Update or from the download links given in the security bulletin, updates the file "npdsplay.dll" (normally located in the C:\Program Files\Windows Media Player folder) to version 3.0.2.629. If your system includes the standard WMP plugin, make sure that it is the updated version of this file."

It goes on to explain about the newer plugin you found, but it has nothing to do with security problems. And as I highlighted in bold, if you keep up to date with Windows Update you have nothing to worry about.

Quote:
So you need (have I said it before) aauutooo-updating. And can you get that from a plugin? I can't find settings for it anyway.

As many of us have been saying in this thread, the plugin will be updated together with the application. So the WMP plugin is updated when you run Windows Update, as shown by my experience.

I am somewhat surprised to see that there are plugins that work without the full exe. I'm going to reinstall Firefox on a new file system and see what plugins, if any, come with it.

Quote:
Well no. I'm talking about what can be the effects if you only have the plugin (but your tests are interesting to know of). You are now saying that you also have the full exes. Don't know why you bother to use the plugins then, but that's not very interesting.

If you don't know what browser plugins do, you can do a google...
But yeah, plugins allow you to play content embedded in the webpage. Some might find that pointless, but to each their own.

Quote:
Thanks for reminding me of the old about: commands, I never can remember them. If you know of a list it'd be nice. And I see several in the list I'd like to fully disable, do you know how to do that?

Yes, I do. There are several ways. You can find them in the usual places on mozillazine etc which I'm sure you already have.

IMHO, while I appreciate your attempt to raise awareness and yes media players will be the next holes people will go after, I think you should step back, and take a breath. Your post has inspired me to look a bit deeper (some nice info on plugin scanning locations), but so far I have found nothing really big worth worrying about.

In fact, some of your responses (not to me) strike me as lacking in logic and perhaps you seem determined to be afraid. I don't know.
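The check LUSHER describes above (is the WMP plugin "npdsplay.dll" at the KB911564 level, version 3.0.2.629?) together with an inventory of which np*.dll files Firefox could pick up from its scan locations, written here as an added example that is not code from the thread or from Mozilla. It assumes Firefox lives under $env:ProgramFiles\Mozilla Firefox and that third-party installers register plugins under HKLM\SOFTWARE\MozillaPlugins; adjust both for your machine.

```powershell
# Added example (not from the thread): list the NPAPI plugin DLLs Firefox would
# scan on a Windows XP-era box and flag an npdsplay.dll older than the MS06-006 fix.
# Assumptions: Firefox under $env:ProgramFiles\Mozilla Firefox, and the
# HKLM\SOFTWARE\MozillaPlugins registration keys used by some installers.

# Version of npdsplay.dll installed by KB911564, as quoted from Mozilla in the thread.
$FixedWmpPluginVersion = [version]'3.0.2.629'

function Get-PluginCandidateDirs {
    # Folders the thread mentions: Firefox's own plugins folder and the WMP program
    # folder, plus any path registered under MozillaPlugins (assumed location).
    $dirs = @(
        (Join-Path $env:ProgramFiles 'Mozilla Firefox\plugins'),
        (Join-Path $env:ProgramFiles 'Windows Media Player')
    )
    $regRoot = 'HKLM:\SOFTWARE\MozillaPlugins'
    if (Test-Path $regRoot) {
        foreach ($key in (Get-ChildItem $regRoot)) {
            $p = (Get-ItemProperty $key.PSPath).Path
            if ($p) { $dirs += (Split-Path $p -Parent) }
        }
    }
    $dirs | Where-Object { Test-Path $_ } | Select-Object -Unique
}

function Get-NpapiPluginInventory {
    # NPAPI plugin DLLs follow the np*.dll naming convention; report each one's
    # embedded file version so outdated ones stand out.
    foreach ($dir in Get-PluginCandidateDirs) {
        Get-ChildItem -Path $dir -Filter 'np*.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Name        = $_.Name
                    Directory   = $dir
                    FileVersion = $_.VersionInfo.FileVersion
                    Product     = $_.VersionInfo.ProductName
                    LastWrite   = $_.LastWriteTime
                }
            }
    }
}

function Test-WmpPluginPatched {
    param([string]$Path = (Join-Path $env:ProgramFiles 'Windows Media Player\npdsplay.dll'))
    if (-not (Test-Path $Path)) { return 'npdsplay.dll not present: nothing to patch' }
    # Build the version from the numeric parts; the FileVersion string can carry extra text.
    $vi  = (Get-Item $Path).VersionInfo
    $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($ver -ge $FixedWmpPluginVersion) {
        "npdsplay.dll $ver: at or above the KB911564 level"
    } else {
        "npdsplay.dll $ver: older than $FixedWmpPluginVersion, install KB911564 via Windows Update"
    }
}

Get-NpapiPluginInventory | Sort-Object Directory, Name | Format-Table -AutoSize
Test-WmpPluginPatched
```

Run it in an elevated PowerShell prompt if the WMP folder is not readable to the current user; the inventory only reads file metadata and changes nothing.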
#29
August 11th, 2007, 05:55 AM
DavidGGG
Infrequent Poster
Join Date: Aug 2007
Posts: 20
Re: Security holes in Firefox due to plugins

Quote:
Originally Posted by lu_chin
Update Notifier addon for FF written by Todd Long that notifies the user when updates for extension and themes are available. It is supposedly "easily configurable for automatically installing updates when available and checking for updates when Firefox starts." But then users have to keep this addon up-to-date first in case of bugs.

The part about having to keep this plugin up-to-date probably isn't a problem, since for the Fx-specific "plugins" I've added (IEtab and ADblocker) Fx does check for updates automatically and even download and install them.

But if I got the meaning of the words extension, plugin etc right, then this plugin doesn't check for updates for what is really called plugins, such as the media players, only for extensions and themes, which is already built into Fx it seems (maybe not themes, dunno). So it seems redundant for extensions and useless for plugins, if I got it right.

I did search addons.mozilla.org for update checkers AND post a question at their forum, so I'd be surprised if there existed a useful plugin.
#30
August 11th, 2007, 06:27 AM
tlu
Very Frequent Poster
Join Date: Sep 2004
Posts: 2,066
Re: Security holes in Firefox due to plugins

Quote:
Originally Posted by DavidGGG
But if I got the meaning of the words extension, plugin etc right, then this plugin doesn't check for updates for what is really called plugins, such as the media players, only for extensions and themes, which is already built into Fx it seems (maybe not themes, dunno).

That's correct. And I agree that keeping 3rd party plugins updated is a problem. On the other hand (as I've already mentioned in another post), by using Noscript and checking to block Java, flash and other plugins for untrusted sites the security risk of not always having up-to-date plugins is minimized.
#31
August 11th, 2007, 07:03 AM
DavidGGG
Infrequent Poster
Join Date: Aug 2007
Posts: 20
Re: Security holes in Firefox due to plugins

Quote:
How do you know that the full 'exe' that you use is updated?
I use an exe which can be set to auto-update! If it wasn't possible, I'd use a different exe. Feels like I said that before...

milw0rm.com has a few WMP exploits dated 2006 listed. You can check them out and report how serious they are if you're up to it. And you can also check if all exes update all dlls; it's all interesting details, I'm sure. Me, I don't have to worry about that, I don't use plugins anymore.

Quote:
perhaps you seem determined to be afraid
Why should I be afraid? I don't use plugins anymore.

Quote:
I am somewhat surprised to see that there are plugins that work without the full exe
Don't they all? One of the major reasons that plugins exist is that they are smaller than the exes (sometimes enormously much smaller). You can find that too by googling.

Quote:
I agree that keeping 3rd party plugins updated is a problem
Finally someone who agrees this IS a problem! I wasn't sure if it was me going insane or the rest of the forum. Thanks for saving my mental health (what's left of it).

BTW, I think Noscript blocks Java already, so you don't have to do that twice. I tried Noscript but found it slightly annoying and wouldn't recommend it for my mama and persons like that (which are like 80% of the population), but I'm sure it's a good addon for many users. I'm not aiming at becoming an expert on how exploits work, but I do know Java and ActiveX have too much access to my whole PC to feel safe; JavaScript is much more restrained (though not bug free). But I'm not aware that Noscript saves you from all exploits like the QT RTSP mentioned. Regarding Flash, I have set it to update often, so I feel I can allow it uncrippled.
#32
August 11th, 2007, 12:15 PM
tlu
Very Frequent Poster
Join Date: Sep 2004
Posts: 2,066
Re: Security holes in Firefox due to plugins

Quote:
Originally Posted by DavidGGG
BTW, I think Noscript blocks java already, so you don't have to do that twice.

No, that's incorrect. Noscript blocks Javascript by default, and this makes sense since a lot, if not most FF security leaks were somehow related to it. If you want to block Java, Flash and other plugins (which I recommend highly, of course) you have to check the appropriate buttons in the settings menu.

Quote:
I tried Noscript but found it slightly annoying and wouldn't recommend it for my mama and persons like that (which are like 80% of the population), but I'm sure it's a good addon for many users.

I read that quite often but I don't understand it. Let's face it: The percentage of websites most users regularly load is probably at about 80-90%. They are trustworthy sites, otherwise you wouldn't load them, would you? So just add them to trusted sites just once (if necessary), Noscript will remember your decision till eternity and you won't have any problems with them. Why do you view that as annoying? And since they are trustworthy sites, it shouldn't do any harm if your plugins are not up-to-date. But on all other sites you come across, e.g. via Google, you'll still be protected as JS, Java, Flash and other plugins are blocked. If some of them cause problems, you still can allow them temporarily with two mouseclicks if you regard them trustworthy. By the way: Another important aspect is that Noscript is AFAIK the only solution so far against the more and more popular cross-site scripting (XSS).

Quote:
I'm not aiming at becoming an expert on how exploits work, but I do know java and activeX has too much access to my whole PC to feel safe, javascript is much more restrained (though not bug free).

As a matter of fact, Java has a better track record than JavaScript regarding security issues. Giorgio Maone, the programmer of Noscript, shares this opinion. But you're right that ActiveX is probably the worst technology security-wise that Microsoft ever invented.
#33
August 11th, 2007, 02:01 PM
lu_chin
Frequent Poster
Join Date: Oct 2005
Posts: 294
Re: Security holes in Firefox due to plugins

I guess the same logic can go for updating software in general. For a plugin that comes together with a program, e.g. WMP, if doing an update of the program (be it via WMP or Windows) does not in fact update the plugin, then you may prefer to stop using it too. Or if you prefer to meticulously check all the files (executables and the plugins that come with them) to see if they are in fact up-to-date or not, you may prefer to download a fresh full installer and install over the existing version. I could not see a link of security concern between plugins and FF in terms of updating. The same thing will happen to IE and in fact many other programs that use any extensions, plugins, ActiveX controls, etc. At times users will be responsible for doing some updating of software, drivers, etc. installed on their PCs. For a lazy person like me, I just run my web browsers within a sandbox HIPS program to get a little more security without thinking too much about how things really work.

Quote:
Originally Posted by DavidGGG
I use an exe which can be set to auto-update! If it wasn't possible, I'd use a different exe. Feels like I said that before......................
#34
August 11th, 2007, 03:21 PM
DavidGGG
Infrequent Poster
Join Date: Aug 2007
Posts: 20
Re: Security holes in Firefox due to plugins

tlu, what I meant is that you can block Java either in Noscript or in Firefox, no need to do both. And I don't feel I ever need Java, but JS is everywhere, so blocking it means annoyances for every other new site. And looking at the capabilities of Java vs JS and the restraints of JS, Java should be worse, but maybe it isn't in reality, dunno why; maybe the JRE limits Java somehow or maybe hackers prefer JS? You may well be right I should limit JS, but I can't be bothered since it's too annoying to do so. Don't you think it's enough to log out from the internet bank when finished, not visit the bank + other sites simultaneously, not follow links in e-mails without thinking, and keep www-apps on auto-update, use Fx as default and disallow Java, as an option to using Noscript?

And lu_chin, the problem at hand is that it's not really possible to handle updating of plugins in a secure manner, at least no one has shown a way to me yet, and the solution I use myself is to stop using plugins, since full apps exist which do the same job but can auto-update themselves. So, I think that was the 5th time I said that. Also, of all programs to patch, those with internet access are the most important, since for e.g. Word and stuff, though full of bugs and scripts, the user has a degree of control over what documents he opens, but for stuff on the www, it's enough to visit the wrong site and you suddenly have nasties installed, like spyware. The same may well be valid for all browsers more or less, but since I use Fx I can't really make intelligent posts regarding the others.
#35
August 12th, 2007, 09:49 AM
tlu
Very Frequent Poster
Join Date: Sep 2004
Posts: 2,066
Re: Security holes in Firefox due to plugins

Quote:
Originally Posted by DavidGGG
tlu, what I meant is that you can block java either in Noscript or in Firefox, no need to do both. And I don't feel I ever need java,

Well, I need Java on a couple of sites I visit regularly, that's why I don't block it in FF.

Quote:
but js is everywhere so blocking it means annoyances for every other new site.

Please read my previous post - it's no problem for me. Most sites I visit regularly, and allowing JS for them - if needed - is a breeze. And that all or at least most new sites necessarily require JS is a myth.

Quote:
And looking at the capabilities of java vs js and restraints of js, java should be worse, but maybe it isn't in reality, dunno why, maybe JRE limits java somehow or maybe hackers prefer js?

Java applets run in a sandbox from which they shouldn't be able to break out.

Quote:
You may well be right I should limit js, but I can't be bothered since it's too annoying to do so. Don't you think it's enough to logout from the internet bank when finished, not visit the bank + other sites simultaneously, don't follow links in e-mails without thinking, and keeping www-apps on auto-update, using Fx as default and disallowing java, as an option to using Noscript?

I don't want to do without the extra security Noscript provides, the more so as I don't find it annoying (I described why).

Quote:
And lu_chin, the problem at hand is that it's not really possible to handle updating of plugins in a secure manner, at least noone has shown a way to me yet,

Switch to Linux and you won't have this problem any more. In Linux, you install at least 99.9% of your applications not from some more or less trustworthy websites but from the repositories of your distribution - including those plugins. If security updates are available you will get informed about them (or they will be installed automatically if you chose so). That's one of the big advantages of Linux: Not only the OS itself but also all applications are always up-to-date.

Quote:
and the solution I use myself is to stop using plugins, since full apps exist which do the same job but can auto-update themselves.

I think you're throwing out the baby with the bath water. There are enough sites available that inform you about available updates of important applications. And if you use Noscript and block plugins by default for any site not being on your whitelist, you are protected even if your plugin(s) are outdated.
#36
August 12th, 2007, 12:47 PM
DavidGGG
Infrequent Poster
Join Date: Aug 2007
Posts: 20
Re: Security holes in Firefox due to plugins

Well, now I'm tired of this thread. I won't be checking it anymore. And this thread starting business was a disappointment. Good luck, especially to you who decide to keep your plugins.
#37
August 12th, 2007, 02:25 PM
Pedro
Massive Poster
Join Date: Nov 2006
Posts: 3,492
Re: Security holes in Firefox due to plugins

Don't be. I understand your concerns, even though others have explained why it's not Firefox itself.
Maybe there could be a feature to watch for plugin updates, and warn? I can see the use for that, suggesting a link to update the software in question, with instructions.
#38
August 13th, 2007, 08:16 AM
tlu
Very Frequent Poster
Join Date: Sep 2004
Posts: 2,066
Re: Security holes in Firefox due to plugins

Quote:
Originally Posted by Pedro
Maybe there could be a feature to watch for plugin updates, and warn? I can see the use for that, suggesting a link to update the software in question, with instructions.

One site that helps to easily check for new releases might be http://www.download.com/3140-20_4-0-...g=browsedl_new
#39
August 14th, 2007, 10:22 AM
swami
Regular Poster
Join Date: Mar 2006
Posts: 142
Re: Security holes in Firefox due to plugins

@DavidGGG
How about checking them here:
http://secunia.com/software_inspector/
#40
September 1st, 2007, 10:56 AM
nadirah
Massive Poster
Join Date: Oct 2003
Posts: 3,647
Re: Security holes in Firefox due to plugins

Quote:
Originally Posted by DavidGGG
Yes exactly. So if anyone sees that he has QT7.1.3 in the plugins list, then it's time to get scared - and I bet you are a few! I even checked it with the Fx support forum, and the 7.1.3 plugin is vulnerable to the RTSP exploit, just like the 7.1.3 exe.
And exactly how do you keep a plugin up-to-date, if you can't set it to auto update? Supernatural plugins? I see only one good solution (again): Get rid of the plugin, and get the exe instead, because this you can set to auto-update.

I suspect the majority of the Fx users have un-updated plugins either without realizing it or because not being able to access settings to make it update itself. Where do they come from? I think real player and adobe flash player came with Firefox. The WMP plugin I'm guessing comes with Windows. QT plugin I suspect came with the K-Lite Codec pack, which is very popular. I also have a Zylom plugin, which I suspect was installed by a game I bought called Chicken Invaders. VLC Player has added a plugin. And then there's 2 M$ DRM network i/f plugins, wonder how they got here, I certainly never approved them, but they probably belong to WMP (M$ "Digital Rights Management"). All of these are security holes in Firefox on my PC, as far as I can see.

I can't understand you guys not getting upset over this, it's a much greater security hole than 99% of the posts in this forum, both from a user's point of view and for the Firefox community.

You should add it to the ToDo list when installing Windows on a new PC:
- Decent firewall, AV, antispyware, and check the settings
- antirootkit and guard of register and some files & folders (hosts file etc)
- Replace default browser with e g Firefox. Add Noscript or disable java.
- Maybe some more tweaking of Windows (shut down some services etc)
- Set auto-update on all apps with www access
- Hm. Am I done? NO! You have like 5 or 10 major security holes left! All of the above may well be in vain! Many on this forum like playing with multiple AVs, ASs, ATs, ARKs etc. What's the point, if not fixing the MAJOR stuff first!

If anyone new should join here who would actually be interested in fixing this problem on his/hers PC, then I googled this instruction, which complements just changing plugins to exes in the Firefox settings: http://plugindoc.mozdev.org/faqs/uninstall.html

Well David,

I'm using Firefox 3.0 alpha 8 here. To keep things brief, I'd like to highlight certain things:

Quote:
And exactly how do you keep a plugin up-to-date, if you can't set it to auto update? Supernatural plugins? I see only one good solution (again): Get rid of the plugin, and get the exe instead, because this you can set to auto-update.

The only way to keep a plugin up-to-date is to update the respective program it belongs to. The way you put your statement is telling me that you are just feeling paranoid.
Example: I update Adobe Flash and Shockwave, and their plug-ins in Firefox are updated as well. And the add-ons dialog in Firefox gives me options such as enabling and disabling plug-ins, but not for removing them completely. Those plug-ins that I don't want, I can simply disable without removing them completely.
Attached thumbnail: wty.jpg (80.3 KB)
Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums