Top Firefox extensions can hide silent malware using easy pre-fab tool

Discussion in 'malware problems & news' started by hawki, Apr 4, 2016.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,957
    Location:
    DC Metro Area
    "... The most popular Firefox extensions with millions of active users are open to attacks that can quietly compromise machines and pass Mozilla's automated and human security tests.

    The extension reuse attacks exploit weaknesses in the structure of Firefox extensions such that malicious activity can be hidden behind legitimate functionality....

    ...The extensions vulnerable to the 255 reuse exploits found included NoScript with 2.5 million users........"

    http://www.theregister.co.uk/2016/04

    /04/top_firefox_extensions_can_hide_silent_malware_using_easy_prefab_tool/
     
  2. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    I'm glad I stopped using NoScript now.
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    Hmmm....
    https://www.blackhat.com/asia-16/br...on-of-firefox-extension-reuse-vulnerabilities
    which one do you want to remove also?...please :)
    Full report
    https://www.internetsociety.org/sit...s-firefox-extension-reuse-vulnerabilities.pdf
     
    Last edited: Apr 4, 2016
  4. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    883
    Location:
    Triassic
    I found the article wanting. Hard to get my head around this one.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I have to say that I didn't understand it, more info is welcome. But I guess in order to exploit this stuff you first need to be able to convince people to install the evil extension. That's why I always advice to install as few extensions as possible.
     
  6. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
  7. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    491
    Location:
    Earth .... occasionally
    @emmjay - you are not alone there .

    There's way too much " maybe" , "could be " , "might be " in the article .
    It looks to me like a "proof-of-concept " , and a fairly vague one at that !
    Any evidence of actual exploits in the wild ?

    And as for NoScript in particular , Giorgio Maone is clearly a very smart and skilled guy .
    Update cycles for NoScript are fast and frequent and I'm confidant that these reported vulnerabilities will be quickly assessed.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    I think the way to handle extensions and plugins is to install as few as possible, only install the ones you use on a regular basis and only install the ones that are well known and popular. Thats what I have been doing for a long time and seems to work.

    Bo
     
  9. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    I agree NoScript is regularly updated and maintained.
     
  10. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    174
    Location:
    U.S.
    Here is another explanation, with a link to the original research report. The report is rather dense, and probably only the developer types will be able to decipher it.

    The problem is a flaw in the legacy Firefox extension platform: https://threatpost.com/firefox-add-on-flaw-leaves-apple-and-windows-computers-open-to-attack/117183/

    "Firefox extensions share the same JavaScript namespace
    – in other words, every extension installed on a system can
    freely access all of the JavaScript names defined in the global
    scope by each extension. This problem has been identified
    by the Mozilla community in the past, and it has been
    recommended that each extension define its own namespace to
    avoid JavaScript name collisions. However, the security
    implications thereof has been left largely unexplored so far. In
    particular, this shared JavaScript namespace makes it possible
    for extensions to read from and write to global variables
    defined by others, call or override all global functions, and
    modify instantiated objects."

    "Recently, Mozilla developed an alternative framework for
    extension development, called the Add-on SDK, as part of
    the Jetpack project ...
    ... as of October 2014, 12.0%
    of the top 2,000 Firefox extensions are developed using the
    Jetpack framework, while the remaining 88.0% are legacy
    extensions. While these results indicate that the adoption of the
    Jetpack framework may be increasing, a clear majority of the
    top extensions are still using the legacy extension development
    methods."

    "In addition, our experiments with vulnerable Jetpack extension
    show that, even though Jetpack extensions have a narrower
    attack surface compared to legacy extensions, they are not
    immune to extension-reuse attacks."

    The NoScript forum has this thread on the topic: https://forums.informaction.com/viewtopic.php?f=19&t=21795

    Of course, Mozilla is currently developing [target for Firefox version 48] an entirely new extension API: https://wiki.mozilla.org/WebExtensions
     
    Last edited: Apr 5, 2016
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I have read it, and I now understand. It's basically a security flaw in the current FF extensions architecture. They will fix this in newer FF versions when they switch to a different extensions model. But I've always said that browsers give way too much power to extensions, which can be a huge security risk.
     
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I'd take the "power to extensions" approach any day over the "walled garden" one, even if it leads to some vulnerabilities like the one described in the article. The reason is that vulnerabilities can usually be solved or mitigated, but if the extensions developers or users are not allowed enough freedom, that cannot be changed so easily.
     
  13. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    491
    Location:
    Earth .... occasionally
    For me , that's the key thing to watch right now , and I reckon NoScript will be on top of it very quickly .

    Thanks for the link , it's an ongoing topic in that forum .

    In the meantime , I see no reason to change anything regarding FF and/or NoScript.

    Has anyone here read a reliable report of this exploit in the wild ?
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Well, it depends, too many restrictions is not good either, but extensions should not have access to sensitive data. And this specific problem can only be solved by making the extensions system more strict, but I don't know if capabilities of future extensions will be limited.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    724
    Yes, it will!
     
  16. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    174
    Location:
    U.S.
    Yes! That was some informative reading. It appears to be very good news that the NoScript developer has taken a strong interest in getting his extension ready for the new API.

    The biggest loss may be to the interesting legacy extensions that were developed for Firefox only, have no Google Chrome version, and are no longer actively supported.

    Giorgio Maone (NoScript dev) mentioned in one post that any extensions with a Chrome counterpart could be easily ported to Firefox with the new WebExtensions API.

    https://developer.mozilla.org/en-US/Add-ons/WebExtensions

    https://wiki.mozilla.org/WebExtensions/FAQ
     
  17. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    174
    Location:
    U.S.
    From what I have seen on the topic, they seem to be trying to solve both issues. Giorgio has proposed "native.js" to "embrace & extend" the WebExtensions API as a workaround to give devs some more latitude beyond the "strict" API.

    https://discourse.mozilla-community...-to-embrace-extend-the-webextensions-api/3457
     
  18. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,087
    Sensitive data would include URLs, hostnames, headers, page content, script content, cookies and other storage, user input, etc. The ability to inspect such things, and perform outright blocking and/or more selective threat mitigation steps, allows us to dramatically improve security/privacy while we use the browser.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes good point, but I still believe that extensions should somehow be more restricted by the browser. Of course I can't tell you how exactly, since I don't have the expertise and it's a bit complex as you noted. But fact of the matter is that extensions have a whole lot of power, perhaps too much. In theory they can do stuff like keylogging and stealing passwords. You might also want to read a report called: "Abusing, Exploiting and Pwning with Firefox Add-ons", look for it on Google.
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    724
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    724
Loading...