full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] New Vulnerability agai

Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions

From: Steven Adair <steven_at_nospam>
Date: Wed May 30 2007 - 16:10:57 GMT
To: "Christopher Soghoian" <csoghoian@gmail.com>

We are also at risk from rogue developers, people that have hacked/poisoned your trusted DNS provider, those that have modified your /etc/hosts, /etc/resolv.conf, windows\system32\drivers\etc\hosts (and/or related files), people that have hacked the update server and put there own malicious version there, and the unlocked workstation attack from an attacker with a USB flash drive with a malicious update that might sit down at your workstation and -pwn- you.


> This information also posted (with html link goodness) to
> http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html
> --------------------------
> Executive Summary
> --------------------------
> A vulnerability exists in the upgrade mechanism used by a number of
> high profile Firefox extensions. These include Google Toolbar, Google
> Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar,
> AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft
> Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others,
> mainly commercial extensions.
> Users of the Google Pack suite of software are most likely vulnerable,
> as this includes the Google Toolbar for Firefox.
> The latest version of all of these listed, and many other extensions
> are vulnerable. This is not restricted to a specific version of
> Firefox.
> Users are vulnerable and are at risk of an attacker silently
> installing malicious software on their computers. This possibility
> exists whenever the user cannot trust their domain name server (DNS)
> or network connection. Examples of this include public wireless
> networks, and users connected to compromised home routers.
> The vast majority of the open source/hobbyist made Firefox extensions
> - those that are hosted at https://addons.mozilla.org - are not
> vulnerable to this attack. Users of popular Firefox extensions such as
> NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.
> In addition to notifying the Firefox Security Team, some of the most
> high-profile vulnerable software vendors (Google, Yahoo, and Facebook)
> were notified 45 days ago, although none have yet released a fix. The
> number of vulnerable extensions is more lengthy than those listed in
> this document. Until vendors have fixed the problems, users should
> remove/disable all Firefox extensions except those that they are sure
> they have downloaded from the official Firefox Add-ons website
> (https://addons.mozilla.org). If in doubt, delete the extension, and
> then download it again from a safe place.
> In Firefox, this can be done by going to Tools->Add-ons. Select the
> individual extensions, and then click on the uninstall button.
> ------------------------------------
> Frequently Asked Questions
> ------------------------------------

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/