FirefoxIndiana University researcher Christopher Soghoian has discovered an unusual vulnerability that affects several widely-used Firefox extensions including the Google Toolbar, Facebook Toolbar, and Anti-Phishing Toolbar. According to Soghoian, a man-in-the-middle attack can be used on a public wireless network to trick browser extensions into downloading malicious code instead of legitimate updates. The solution to this problem, says Soghoian, is to use SSL to deploy extension updates. Since the official addons.mozilla.org server uses SSL, extensions that update from that location aren’t affected.

DNS-based man-in-the-middle attacks are futile with SSL-enabled web servers, according to Sogholan, because the browser will reject the connection to the false update server. This is because the IP address returned by the DNS server will not match the IP in the SSL certificate.

Although this security issues doesn’t necessarily represent a Firefox problem, Soghoian points out that the limitations of Firefox’s code-signing functionality certainly don’t help. “The code signing functionality in Firefox is fairly limited,” says Sogholan. “The main difference is that a signed extension will show the signer’s name when the user is prompted to install the extension, while an unsigned extension will list ‘un-signed’ next to the extension name. The availability of an update without signatures for extensions that previously had a valid signature does not raise any kind of error. Furthermore, the signature is thrown away as soon as the new extension update is installed.”

In response to the security problem, the Firefox developers have included a security notification in the documentation to ensure that developers are aware of the importance of using SSL to distribute extension updates.

Unrelated but still relevant to Firefox security, Mozilla released the 2.0.0.4 security update for Firefox, which resolves a handful of security issues that relate to cookies and autocompletion. Improved support for Windows Vista is also present but apparently not entirely sufficient, as there are reports that Vista’s parental controls are not entirely respected by the release. A security update for Firefox 1.5 (1.5.0.12) was released in tandem with 2.0.0.4 and marks the end of the line for Firefox 1.5. All users of that version are strongly encouraged to migrate to Firefox 2.0.

Source

  • Share/Bookmark