June 30, 2007
Firefox extensions (MITM)
Firefox was supposed to be the bastion of security, so a problem seems kind of perplexing. Recently a problem was found with the way many of Firefox's extensions update themselves. This applies to all browsers in the Mozilla project.
One of the things IE (Internet Explorer) is dissed for is having so many functions. Each capability gives the bad guys one more potential vulnerability.
This is one place where Ffx (Firefox) is similar to IE. They both have ways to extend/improve the way they work. It would be a major headache if every copy of these browsers was the same. Each of us has different needs and concerns.
The main difference between Ffx's extensions and IE's ActiveX controls is that Ffx's extensions aren't as powerful as ActiveX. Firefox extensions are small JavaScript programs which can't affect the inner workings of the operating system like ActiveX can. However, they do affect how the browser works, and there is little QC when it comes to Firefox's extensions.
The difference between how IE and Ffx are controlled is important too. In IE you turn on the ability for almost all ActiveX controls at once, while in Firefox you can decide on an individual basis what you want, if you have the right extension (NoScript). I say "almost all ActiveX controls" because you do get to decide separately how to handle completely anonymous or unsigned controls.
IE will ask you whether to run all signed or trusted ActiveX controls, not to run them, or to ask you each time. To some degree this is good, but it isn't adequate because it assumes you can trust a "signed" control, which is easy to fool. Anybody can "sign" a control; there is no attempt to prove the control really comes from who it claims to be from. Signing doesn't prove a thing.
Getting back to Firefox. They have some quality control for extensions that are authored by them. For example, the eBay toolbar had a security flaw in it that was fixed by the Mozilla team since Mozilla co-branded it. And if an extension is updated from the official site then the update is safe, since SSL encryption is used.
You can tell Ffx to warn you when it is installing an extension, but some third-party extensions ignore those settings. Google has its own controls to decide when to update its extensions.
An official extension from the Mozilla Organization uses encryption (SSL or https) to update the programs and gives you the option of whether to automatically check for updates. Then if you choose the automatic check option it also gives you the choice of whether to automatically download those updates, do it manually, or do it automatically but warn you when it happens.
Bottom line: you should either get all your extensions from Mozilla.org or check them to make sure they use SSL.
The requirements for this exploit to work:
- The DNS or the connection is not trustworthy
- a public wireless network is used
- the router was recently infected/hacked
- a 'hub' is used instead of a 'switch'
- the extension is updated by a bogus site
- the extension is updated without encryption
What you can do about it:
- change the password on your router (check its documentation)
- get extensions from addons.mozilla.org if possible
- turn off automatic checking: Tools -> Options -> Advanced -> Updates -> turn off the options
- turn off extension installation, or at least turn on the warning. This is not necessary when automatic checking is already turned off: Tools -> Options -> Advanced -> Updates -> "warn me when web sites try to install extensions ..."
- check to make sure SSL is used
- verify the validity of the extension by getting a copy of the MD5. Most extension developers don't offer them, but if enough people bug them it just might happen
- disable all extensions that don't use SSL: Tools -> Extensions -> click "Uninstall" on those that don't use encryption
- if you use Google's extensions then disable their autoupdates: in about:config search for "extensions.google"; if an extension has an entry ending in ".autoupdate", set it to false.
Examples for the SSL check:
https://addons.mozilla.org (uses SSL)
https://www.example.org (uses SSL)
http://www.example.org (does not use SSL)
Affected extensions:
- Google Toolbar
- Google Browser Sync
- Yahoo Toolbar
- Del.icio.us Extension
- Facebook Toolbar
- AOL Toolbar
- Ask.com Toolbar
- LinkedIn Browser Toolbar
- Netcraft Anti-Phishing Toolbar
- PhishTank SiteChecker
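One way to do the "check to make sure SSL is used" step yourself, as an added example that is not part of the original post: the script below reads an extension's install.rdf and reports whether its em:updateURL is https, plain http (the case the attack above relies on), or absent, in which case Firefox checks addons.mozilla.org, which uses SSL. The sample manifests, extension ids and hosts are constructed for this example.

```python
# Added example (not from the original post): classify a Firefox 2-era
# extension's update channel from the em:updateURL in its install.rdf.
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def update_url(install_rdf: str):
    """Return the extension's em:updateURL, or None if it has none."""
    desc = ET.fromstring(install_rdf).find(f"{{{RDF_NS}}}Description")
    if desc is None:
        return None
    # Element form: <em:updateURL>http://host/update.rdf</em:updateURL>
    el = desc.find(f"{{{EM_NS}}}updateURL")
    if el is not None and el.text:
        return el.text.strip()
    # Attribute form: <Description em:updateURL="http://host/update.rdf">
    return desc.get(f"{{{EM_NS}}}updateURL")


def classify(install_rdf: str) -> str:
    """'ssl' (https update URL), 'no-ssl' (plain http, the MITM-able case),
    or 'amo-default' (no updateURL: Firefox asks addons.mozilla.org over SSL)."""
    url = update_url(install_rdf)
    if url is None:
        return "amo-default"
    return "ssl" if url.split(":", 1)[0].lower() == "https" else "no-ssl"


# Constructed sample manifests; the extension ids and hosts are made up.
UNSAFE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@example.invalid</em:id>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>"""
SAFE = UNSAFE.replace("http://updates", "https://updates")
AMO = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest" em:id="hosted@example.invalid"/>
</RDF>"""

if __name__ == "__main__":
    for name, rdf in (("UNSAFE", UNSAFE), ("SAFE", SAFE), ("AMO", AMO)):
        print(f"{name}: {classify(rdf)}")
```

Run it against the install.rdf inside each installed extension's folder in your profile; anything reported as no-ssl is one the post says to uninstall or stop auto-updating.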
Notes:
- all versions of Ffx are vulnerable
- extensions are not checked for validity
- some extensions (Google) ignore Ffx's settings and use their own autoupdate option.
- Google Toolbar is added with WinZip, Real Player, Shockwave. (Google pays publishers $1 for each copy they install)
- The Mozilla team provides a free/safe hosting service for open source extensions (https://addons.mozilla.org)
- SSL encryption will avoid DNS poisoning because the certificate will not properly match
- Ffx 'code signing' does not abate the situation
- Mozilla fixed the eBay extension because they co-branded it
- Ffx checks for updates every 24 hours.
- Ffx downloads and installs extensions the next time it restarts.
Disclosure timeline:
- Mozilla was notified on April 16th. Their response: it is not a Firefox bug or vulnerability; avoid vendors that do not update through their site; a fix is slated for Ffx 3.0
- Google was notified on April 16th, 20th, and May 24th. They said (May 25th) that they were working on a fix and expected to have it before May 30th
- Yahoo was notified on April 20th
- Facebook was notified on April 21st
There has been no response.
Links:
- www.SecurityCartoon.com
- Christopher Soghoian's write-up: http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html
- 3rd-party directions on developing extensions: http://www.rietta.com/firefox/Tutorial/security.html
- eWeek's write-up, by Lisa Vaas: http://www.eweek.com/article2/0,1895,2140603,00.asp
- Softpedia's write-up on Ffx 3.0: http://news.softpedia.com/news/Firefox-3-0-To-Bundle-Google-039-s-Security-Tools-56574.shtml
Experience the computer club and all its SIG groups that meet at Chapman University, California on the 1st Sunday of every month.
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader