Millions of Firefox Users are vulnerable to attack

[redlukas]

Millions of Firefox user might be vulnerable to a new kind of exploit. It uses a weakness in Mozillas Browser: lacking compartmentalisation of extensions. By using the capabilities and privileges of one or more of the vulnerable extensions, attacker could force a Browser to open a Website containing malicous content and eventually execute arbitrairy code on the victim's machine.

Of the top 10 most popular add-ons vetted by Mozilla officials and made available on the Mozilla website, only Adblock Plus was found to contain no flaws.

The Attack seem to be in the proof-of-concept stage, there are no reports of the vulnerability being exploited in the wild.

EDIT: For the attack to be properly executed, a victim would have to download a compromised add-on in the first place.

The Ball is now in Mozilla's park since only a proper vetting of extensions would lead to a short-term resolution of the problem.

 

Source: http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/

[Godlygamer23]

I hope Mozilla can get this sorted out soon.

[Bittenfleax]

This is not good. I have always thought Firefox has been a bit less secure (although I do use it at home but not work).

 

And also, after doing tests with Firefox compared to Chrome, the way Firefox stores passwords is way less secure. Unless you set a "Master Password" or use something such as LastPass. This may have changed from 4 months ago, but what I found was severely concerning, the way that a general home user could easily be susceptible to near silent attacks.

[Guest]

One thing you've omitted, OP is that the attack relies on a malicious add-on being installed.

What the vulnerability basically means is that it's easier for malicious add-ons to pass security vetting on the account that they can forgo including functionality that would have raised suspicion and relying on other add-ons for it.

[stconquest]

I am due for a reformat of my drive... bring on the crippling virus!

[colonel_mortis]

Mozilla to vet addons to try to ensure that they are not vulnerable, and the restrictions on what code you are allowed to use is very strict to try and prevent issues like this. However, vetting software to find vulnerabilities is very difficult, so, while I'm surprised that there are issues with 9 of the top 10 addons, it's not surprising that some have issues.

Mozilla are currently working on compartmentalising addons, and will be enabling support for the new webextensions API, which mirrors Chrome's system, at the end of the year.

Mozilla can't afford to vet addons more thoroughly though - the review queues are long enough already - so this will now just rely on the addon developers fixing their addons.

[xwrench3]

hmmm, i downloaded and installed that exact extension in firefox about a week and a half ago. i have been battling a SICK" computer for the last 4-5 days. coincidence or not, i think i will try to remove it.

[Timmy-P]

12 hours ago, AlexTheRose said:

I fear for those who use Tor, and therefore NoScript…

Wait, what's wrong with NoScript?  I use it heavily, am I at risk then?

[Doobeedoo]

Hmm, I've been using Opera mainly, will use Vivaldi now more to, it just released as 1.0v

[Energycore]

It sounds like we're safe as long as we don't install any new addons until the weakness is sorted out. Not like suddenly my noscript will be compromised.

[VagabondWraith]

NoScript released an update today. Not sure if it has to do with this or not.

[colonel_mortis]

Just now, VagabondWraith said:

NoScript released an update today. Not sure if it has to do with this or not.

Based on my experience on how long addon reviews take, and based on the release notes for that version, I don't think so, and I would expect it to be at least a few days before it's fixed because, at least publicly, no details about what the vulnerability is, though they have given some details about how it's exploited, so it might take the developers some time to even identify the issue.