NoScript and other popular Firefox add-ons open millions to new attack

[xper]

NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.

The attack is made possible by a lack of isolation in Firefox among various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out.

Of the top 10 most popular add-ons vetted by Mozilla officials and made available on the Mozilla website, only Adblock Plus was found to contain no flaws that could be exploited by a malicious add-on that relied on reuse vulnerabilities. Besides NoScript, Video DownloadHelper, Firebug, Greasemonkey, and FlashGot Mass Down all contained bugs that made it possible for the malicious add-on to execute malicious code.

Many of those apps, and many others analyzed in the study, also made it possible to steal browser cookies, control or access a computer's file system, or to open webpages to sites of an attacker's choosing.

Via ArsTechnica

[Tripredacus]

Its a nice article but there seems to be too much FUD about it.

The researchers noted that attackers must clear several hurdles for their malicious add-on to succeed. First, someone must go through the trouble of installing the trojanized extension.

So they have made a POC extension that is able to do the things the article talks about. The article is really about how Firefox does not have isolation in how it handles add-ons, meaning that the add-ons themselves can use and re-use each others' vars. And they just name drop all the popular ones to grab your attention and get the search hits.

[submix8c]

I shall make note of this malicious add-on and never install it. I will also not install any malicious executables. (FUD, indeed...)

[vinifera]

good, don't use any of them