Penetration Testing mailing list archives
Re: Malicious Mozilla/Firefox/Thunderbird/Etc Extension
From: Steve Friedl <steve () unixwiz net>
Date: Mon, 14 Jul 2008 12:33:55 -0700
On Mon, Jul 14, 2008 at 01:55:12PM +0300, Andrei Hanganu wrote:
I have recently started work on an XPCOM component for Firefox, and I was astonished by the fact that in an XPI archive file one can include binary libraries (dll/so files) that get auto-loaded in Firefox via a precise function prototype. The problem is that the code in that component is allowed to do anything the user that runs Firefox has credentials to do.
I don't know if there have been any prior reports of malicious Firefox components, but I was very surprised to find that one cannot tell whether a Firefox addon is code-bearing or not, and that Firefox has weaker management facilities for things like this than IE/ActiveX. I wrote about this in a Tech Tip some time ago:

Comparing Security Implications of IE and Firefox add-ons
http://www.unixwiz.net/techtips/browser-addins.html
What I am curious about is whether there have ever been reported malicious Mozilla extensions, and whether, besides signing of the addon, there is any other way to protect from such addons.
I don't think this is something that a user can do anything about.

Steve

--
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve () unixwiz net
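The two points raised above, that an XPI can carry native libraries which Firefox loads and runs with the user's privileges, and that nothing in the install dialog tells the user whether an addon is code-bearing, can at least be checked before installation by unpacking the XPI yourself. The following is an added example, not code from this thread or from Mozilla: a small Python inspector that treats the XPI as what it is (a zip archive), flags any entry whose bytes begin with a PE, ELF or Mach-O header regardless of its file extension (a renamed .dll still loads), flags entries with a native-library extension whose header it does not recognise, and flags `binary-component` lines in chrome.manifest (the declaration used by later Gecko releases; Gecko 1.9-era builds simply auto-registered whatever sat under components/, which the header scan covers). The sample XPIs are constructed in memory for the demonstration; the `.bin` helper with an ELF header is a contrived entry to show that the check does not depend on extension.

```python
"""Inspect an XPI (zip) and report whether it carries native code.

Added example, not from the thread. Assumptions: an XPI is a zip file; native
XPCOM components are PE/ELF/Mach-O images, usually under components/, or are
declared with a `binary-component` line in chrome.manifest (later Gecko).
"""
import io
import zipfile

NATIVE_EXT = (".dll", ".so", ".dylib")

# Magic bytes of the executable formats Firefox can load as a binary component.
# Mach-O is listed in both byte orders (0xFEEDFACE / 0xFEEDFACF, 32/64-bit).
MAGIC = {
    b"MZ": "PE",
    b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xce": "Mach-O",
    b"\xfe\xed\xfa\xcf": "Mach-O",
    b"\xce\xfa\xed\xfe": "Mach-O",
    b"\xcf\xfa\xed\xfe": "Mach-O",
}


def classify_header(head):
    """Return the image format name for a file header, or None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def scan_xpi(data):
    """Return a list of (entry_name, reason) for every code-bearing entry.

    The header check runs on every entry, so a native library renamed to
    look like data or script is still caught.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(8)  # longest magic above is 4 bytes
            fmt = classify_header(head)
            if fmt:
                findings.append((name, f"{fmt} image"))
            elif name.lower().endswith(NATIVE_EXT):
                findings.append((name, "native library extension, unrecognised header"))
            if name.endswith("chrome.manifest"):
                text = zf.read(info).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.strip().startswith("binary-component"):
                        findings.append((name, f"declares {line.strip()}"))
    return findings


def is_code_bearing(data):
    """True if the XPI contains anything the scan considers native code."""
    return bool(scan_xpi(data))


def build_sample_xpi(with_native):
    """Constructed sample XPI (not a real addon) for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome.manifest", "content sample chrome/content/\n")
        zf.writestr("components/sample.js", "// JS-only XPCOM component\n")
        if with_native:
            # Fake headers only; a real component would be a full image.
            zf.writestr("components/helper.bin", b"\x7fELF" + b"\x00" * 60)
            zf.writestr("components/sample.dll", b"MZ" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for label, xpi in (("js-only", build_sample_xpi(False)),
                       ("with native", build_sample_xpi(True))):
        print(label, "->", scan_xpi(xpi) or "no native code found")
```

Run it against a downloaded `.xpi` with `scan_xpi(open(path, "rb").read())`. The header scan is the part worth keeping: extension checks alone are easy to defeat, and a signed XPI is only as trustworthy as whoever held the signing key, so signature checks and this kind of content inspection answer different questions.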
Current thread:
- Malicious Mozilla/Firefox/Thunderbird/Etc Extension Andrei Hanganu (Jul 14)
- Re: Malicious Mozilla/Firefox/Thunderbird/Etc Extension Steve Friedl (Jul 14)
- Re: Malicious Mozilla/Firefox/Thunderbird/Etc Extension Todd Haverkos (Jul 14)
- Re: Malicious Mozilla/Firefox/Thunderbird/Etc Extension Alexandru Burciu (Jul 28)