Full Disclosure mailing list archives
Re: New Vulnerability against Firefox/ Major Extensions
From: "Steven Adair" <steven () securityzone org>
Date: Wed, 30 May 2007 11:10:57 -0500 (EST)
We are also at risk from rogue developers, people that have hacked/poisoned your trusted DNS provider, those that have modified your /etc/hosts, /etc/resolv.conf, windows\system32\drivers\etc\hosts (and/or related files), people that have hacked the update server and put there own malicious version there, and the unlocked workstation attack from an attacker with a USB flash drive with a malicious update that might sit down at your workstation and -pwn- you. Steven
This information also posted (with html link goodness) to http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html -------------------------- Executive Summary -------------------------- A vulnerability exists in the upgrade mechanism used by a number of high profile Firefox extensions. These include Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions. Users of the Google Pack suite of software are most likely vulnerable, as this includes the Google Toolbar for Firefox. The latest version of all of these listed, and many other extensions are vulnerable. This is not restricted to a specific version of Firefox. Users are vulnerable and are at risk of an attacker silently installing malicious software on their computers. This possibility exists whenever the user cannot trust their domain name server (DNS) or network connection. Examples of this include public wireless networks, and users connected to compromised home routers. The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about. In addition to notifying the Firefox Security Team, some of the most high-profile vulnerable software vendors (Google, Yahoo, and Facebook) were notified 45 days ago, although none have yet released a fix. The number of vulnerable extensions is more lengthy than those listed in this document. Until vendors have fixed the problems, users should remove/disable all Firefox extensions except those that they are sure they have downloaded from the official Firefox Add-ons website (https://addons.mozilla.org). If in doubt, delete the extension, and then download it again from a safe place. In Firefox, this can be done by going to Tools->Add-ons. Select the individual extensions, and then click on the uninstall button. ------------------------------------ Frequently Asked Questions ------------------------------------
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- New Vulnerability against Firefox/ Major Extensions Christopher Soghoian (May 29)
- Re: New Vulnerability against Firefox/ Major Extensions Tim (May 30)
- Re: New Vulnerability against Firefox/ Major Extensions Ferruh Mavituna (May 30)
- Re: New Vulnerability against Firefox/ Major Extensions Steven Adair (May 30)
- Re: New Vulnerability against Firefox/ Major Extensions Matthew Murphy (May 30)
- <Possible follow-ups>
- Re: New Vulnerability against Firefox/ Major Extensions Joey Mengele (May 30)
- Re: New Vulnerability against Firefox/ Major Extensions Dr. Neal Krawetz PhD (May 30)
- Re: New Vulnerability against Firefox/ Major Extensions coderman (May 30)
- Re: New Vulnerability against Firefox/ Major Extensions tx (May 30)
- Re: New Vulnerability against Firefox/ Major Extensions Dr. Neal Krawetz PhD (May 30)
- Re: New Vulnerability against Firefox/ Major Extensions Joey Mengele (May 30)