Orange County Security SIG

Notes and comments of a Special Interest Group on computer security.

June 30, 2007


Firefox extensions (MITM)

Firefox was supposed to be the bastion of security so a problem seems kind of perplexing. Recently a problem with updating many of Firefox's extensions. This applies to all browsers in the Mozilla project. One of the things IE (Internet Explorer) is dissed for is having so many functions. Each capability gives the badguys one more potential vulnerability. This is one place that Ffx (firefox) is similar to IE. They both have ways to extend/improve the way it works. It would be a major head-ache if every copy of these browsers was the same. Each of us have different needs and concerns. The main difference between Ffx's extensions and IE's active-X controls are that Ffx's extensions aren't as powerful as active-X. Firefox extensions are small JavaScript programs which can't affect the inner workings of the Operating System like active-X can. However, they do affect how the browser works and there is little QC when it comes to Firefoxes extensions. The differences between how IE and Ffx is controlled is important too. In Microsoft you turn-on the ability for most all Active-X controls while in Firefox you can decide on an individual basis what you want, if you have the right extension (NOSCRIPT). I say "most all Active-X controls" because you actually decide how you want to handle completely anonymous or unsigned controls. IE will ask you whether to run all signed or trusted Active-X controls, not to run them, or to ask you. To some degree this is good but it isn't adequate because it assumes you can trust a "signed" control which is easy to fool. Anybody can "sign" a control. There is no attempt to prove who it is from who it claims to be from. Anybody can sign a control. It doesn't prove a thing. Getting back to Firefox. They have some "quality control" in extensions that are authored by them. For example, the ebay tool-bar had a security flaw in it that was fixed by the Mozilla team since Mozilla co-branded it. And if an extension is updated at the official site then the update is safe since SSL encryption is used. You can tell Ffx to warn you when it is installing an extension but some third party extensions ignore those settings. Google has it's own controls to decide when to update their extension. An official extension from Mozilla Organization uses encryption (SSL or https) to update the programs and gives you the option of whether to automatically check for updates. Then if you choose the automatic check option it also gives you the option whether or not you want to automatically download those updates, do it manually, or to do it automatically but warn you when it happens. Botton line is that you so you should either get all your extensions from or check them to make sure they use SSL. The requirements for this exploit to work attack details The vulnerability is a MAN-IN-THE-MIDDLE attack that performs DNS and ARP spoofing. An attacker must somehow convince your machine that he is the update server so Ffx will download and install the malicious update. What you can do to protect yourself
  1. change the password on your router (check it's doc)
  2. Get extensions from if possible
  4. turn off automatic checking
  5. tools -> options -> advanced -> updates -> turn off any options
  6. turn off extension installation or at least turn on the warning. This is not necessary when automatic checking is already turned off.
  7. tools -> options -> advanced -> updates -> "warn me when web sites try to install extensions ..."
  8. check to make sure SSL is used
  9. https://www.example.orguses SSL
    http://www.example.orgdoesn not use SSL
  10. verify the validity of the extension by getting a copy of the MD5.
    Most extension developers don't offer them but if enough people bug them it just might happen
  11. disable all extensions that don't use SSLtools -> extensions -> click "uninstall" on encryption
  12. if you use Google's extesions then disable it's autoupdates.
  13. in ABOUT:CONFIG search for "",
    if an extension has an entry ".autoupdate" set it false.
Some of the extensions that are shown to be vulnerable: Some Miscellaneous notes:
  1. all versions of FFx are vulnerable
  2. extensions are not checked for validity
  3. some extensions (Google) ignore Ffxs settings and use their own autoupdate option.
  4. google toolbar is added with WinZip, Real Player, Shockwave. (Google pays publishers $1 for each copy they install)
  5. The Mozilla team provides a free/safe hosting service for open source extensions, (
  6. SSL Encryption will avoid DNS poisoning because the certificate will not properly match
  7. Ffx 'code signing' does not abate the situation
  8. Mozilla fixed ebay extension because they co-branded it
  9. Ffx checks for updates every 24 hours.
  10. Ffx downloads and installs extenstion the next time it restarts.
HOW TO IMPROVE THE SITUATION:Request from the extension author that all extensions use encryption or the official update site, and MD5 signatures. NOTICES: WEBSITES to also read:If the address wraps around the line, enter as one word MAIN RESEARCHER Christopher Soghoian, a PhD student in the School of Informatics at Indiana University and a member of the Stop Phishing Research Group. This vulnerability was discovered and disclosed to vendors during the spring semester at Indiana University.
Comments: Post a Comment

Links to this post:

Create a Link

<< Home

Experience the computer club and all it's SIG group that meet at Chapman university, California on the 1st Sunday of every month.

SECSIG meets in the Science building 203 at 11:15 am.

By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.

The RSS feed address is

Dave Keays, SIG leader

This page is powered by Blogger. Isn't yours?