Full Disclosure mailing list archives

Re: FFSpy, a firefox malware PoC


From: FUDder Guy <fudderguy () gmail com>
Date: Mon, 25 May 2009 23:54:55 +0530

On Mon, May 25, 2009 at 8:26 PM, saphex <saphex () gmail com> wrote:
> This isn't about making the user install a malware add-on. It's about
> gaining access to the system through an exploit, or physical access,
> modify an existing add-on with your code. And Firefox won't even
> notice. Instead of installing a fancy rootkit or keylogger, just go
> straight to the browser, simple. Go tell your average user to check
> the codebase of the plug-ins he has installed in his Firefox from time
> to time in order to make sure they haven't been tampered with, yeah
> good choice...........


I agree that attacking Firefox is a simpler way to carry out the
attack than installing a rootkit or keylogger. However, this is no
simpler than asking someone to download a cool game, script or
screensaver from my site.

Moreover, only addons.mozilla.org and update.mozilla.org are set as
allowed sites for addon installations by default in the browser. If
one tries to install addons from other sites, Firefox issues a warning.
So, this is pretty good. As far as the possibility of a malicious addon
on the Mozilla site is concerned, the probability is pretty low as the
addons on the Mozilla site appear for download only after a review
process.

So, I don't see this type of attack as particularly more dangerous than a
user downloading software or a script with a trojan and running it. I
also don't see this type of attack as any simpler than fooling a user into
running a cool game or script.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

