Browser Plug-ins and Security Considerations

"Firefox is an ideal browser platform for creating add-ons. Firefox plugins have access to the entire browser, without any restriction. This allowed me to release two plugins to improve the security of Firefox users (Search Engine Security, and BlackSheep), and a third one is in the works, but the power of Firefox plugins can also be used with malicious intent."

http://research.zscaler.com/2011/02/browser-plugins-and-security.html

 

True...Convenience vs. Security.

 

Articles like this are what you should link to people that moan about ActiveX being the reason they don't use IE.

 

I agree.

c/o p2u in this thread... -http://ssj100.fullsubject.com/t15-firefox-add-on-noscript#2462-

Abusing Firefox Extensions (PDF document; 1.82MB)

Some highlights:

 

Very informative article, thanks for posting.

 

Thank you for your replies, and thanks trismegistos..very interesting.

 

As far as possible, I try to avoid using add-ons. Some are very well known, like AdBlock Plus or Stylish, and I'd guess (and hope) that the risk there is minimal to non-existent.

Anyway, the downside of add-ons has been known for quite some time now.

And pointing out the vulnerabilities of add-ons to justify the use of ActiveX is "interesting"

 

The only difference is the name.

 

Oh noes, Firefox is doomed110!!
Another chrome fanboi? Just look into the Android security model which Chrome is based on and see how that worked out
http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
http://threatcenter.smobilesystems.com/

Alright, not so fast.

The article is right, there is a security and trust issue involved and it's good to raise awareness but:

(@elapsed) This is not like ActiveX, not close. Back in the glorious days of IE6 the browser would happily execute code from any website without much warning or nagging around. Firefox addons work much more like actual standalone programs:
1) obligatory warning about, do you trust the author...
2) install
3) execute

That's so naive I don't even have to comment on that.

If you install software you grant a 3rd party access to your computer, to all the files, to everything. It can be a standalone exe, a dll, a script, java applet or an addon or extension for another program. With the current state of application security and patch policy we can even extend that to data files!

In any of these cases you need to trust
1) the developer is trustworthy
2) he's competent and secures his development environment (tampering with the source code? yes it happens, sf got hacked, remember proftpd)
3) trust that the file you got is the file he wrote

How do we go about solving that?
1) Don't install from anonymous sources, only install known software.
AMO makes that very easy, read the comments, only install software that got a few thousand or more users and most importantly: don't install "experimental" addons on your production system.
This isn't a theoretical problem, there have been malicious addons but they all where (to my knowledge) in the experimental session which comes with additional warnings. If there is a problem users will be warned, the code will be stopped from being distributed and it's likely a legal investigation will have success because not anyone can upload to AMO.
Open source helps too, especially with small addons with limited complexity that are actually understandable and realistically to check for backdoors.
2) files are uploaded to a secure datacenter before distribution (not sf...)
check, Mozilla has a lot of experience and a good track record
3) that's easy sign the files or use TLS
check

In conclusion: There are better targets for you criticism, AMO is a good model and its track record shows that it's much more secure than Active X or random exe file ever where.
If you want to attack something, why not lobby for making app stores and repositories mandatory or at least how it's more secure to use them instead of your favourite download site (or, as widespread probably, warez sites)?

The security model of Chrome OS is a new direction. It changes the whole trust issue from above. The OS is from the ground up designed to run _untrusted_ software ("webapps"). This will improve security for the average joe tremendously. But it comes at the high cost of freedom. That's for another thread though
If you are interested in making 3rd party software untrusted I also recommend you to look into Qubes OS, L4 and similar projects.

 

About a year ago a new Add-on Review Process has been implemented by Mozilla - worth reading. Moreover, in the Jetpack project security improvements are planned - see here and here.

Quote from https://wiki.mozilla.org/Labs/Jetpack/Design_Guidelines:

 

http://www.net-security.org/secworld.php?id=10617

 

Here's an overview of the AMO Review Process. Particularly interesting is this comment. More details can be found in the AMO Editors Guide which includes, among other things, an automatic validation also available for the add-on developers and detailed here.

In a discussion about Firefox extension security, Giorgio Maone, the developer of Noscript, recently wrote about the new AMO Review Process:

All in all this means that security has a high priority in the AMO Review Process contrary to some sensationalist claims.

As already mentioned, Jetpack will bring more improvements. The first beta of the Add-on SDK was released in last December.

 

Good links. There really shouldn't be much to worry about for add-ons that pass the Full Review (though that queue is reportedly quite long currently).

The author of AdBlock Plus has some comments on his blog:
http://adblockplus.org/blog/changes...w-version-isn-t-available-on-addonsmozillaorg

 

And here's a blog from quite a few months ago dealing with a couple of add-ons that were yanked "toot-sweet" once their potential for misuse came to light:
http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/

It's a bit unfortunate that the add-on review backlog is coinciding with the "need" to push Fx 4 out the door.

 

Yes, that was discussed here on Wilders some months ago. It highlights the risk of using unreviewed extensions - which is, according to Giorgio Maone, the normal situation for Chromium extensions ...

 

Here's an interesting comment by Wladimir Palant which also shows that AMO is becoming stricter.