Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: New Vulnerability against Firefox/ Major Extensions
From: "Steven Adair" <steven () securityzone org>
Date: Wed, 30 May 2007 11:10:57 -0500 (EST)

We are also at risk from rogue developers, people that have
hacked/poisoned your trusted DNS provider, those that have modified your
/etc/hosts, /etc/resolv.conf, windows\system32\drivers\etc\hosts (and/or
related files), people that have hacked the update server and put there
own malicious version there, and the unlocked workstation attack from an
attacker with a USB flash drive with a malicious update that might sit
down at your workstation and -pwn- you.


This information also posted (with html link goodness) to

Executive Summary

A vulnerability exists in the upgrade mechanism used by a number of
high profile Firefox extensions. These include Google Toolbar, Google
Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar,
AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft
Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others,
mainly commercial extensions.

Users of the Google Pack suite of software are most likely vulnerable,
as this includes the Google Toolbar for Firefox.

The latest version of all of these listed, and many other extensions
are vulnerable. This is not restricted to a specific version of

Users are vulnerable and are at risk of an attacker silently
installing malicious software on their computers. This possibility
exists whenever the user cannot trust their domain name server (DNS)
or network connection. Examples of this include public wireless
networks, and users connected to compromised home routers.

The vast majority of the open source/hobbyist made Firefox extensions
- those that are hosted at https://addons.mozilla.org - are not
vulnerable to this attack. Users of popular Firefox extensions such as
NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.

In addition to notifying the Firefox Security Team, some of the most
high-profile vulnerable software vendors (Google, Yahoo, and Facebook)
were notified 45 days ago, although none have yet released a fix. The
number of vulnerable extensions is more lengthy than those listed in
this document. Until vendors have fixed the problems, users should
remove/disable all Firefox extensions except those that they are sure
they have downloaded from the official Firefox Add-ons website
(https://addons.mozilla.org). If in doubt, delete the extension, and
then download it again from a safe place.

In Firefox, this can be done by going to Tools->Add-ons. Select the
individual extensions, and then click on the uninstall button.

Frequently Asked Questions

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]