NoScript and other popular Firefox add-ons open millions to new attack

Status
Not open for further replies.

pneuma1985

Level 4
Verified
Aug 30, 2015
186
Original Post is here - NoScript and other popular Firefox add-ons open millions to new attack
Feel free to move this if I posted it in the wrong section, admins... Just thought this needs to be seen by everyone :p

NoScript and other popular Firefox add-ons open millions to new attack
Unlike many browsers, Firefox doesn't always isolate an add-on’s functions.

NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.

The attack is made possible by a lack of isolation in Firefox among various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking off the capabilities of trusted third-party add-ons, the malicious add-on faces much better odds of not being detected.

"These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks," the researchers wrote in a paper that was presented last week at the Black Hat security conference in Singapore. "Malicious extensions that utilize this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures."

Of the top 10 most popular add-ons vetted by Mozilla officials and made available on the Mozilla website, only Adblock Plus was found to contain no flaws that could be exploited by a malicious add-on that relied on reuse vulnerabilities. Besides NoScript, Video DownloadHelper, Firebug, Greasemonkey, and FlashGot Mass Down all contained bugs that made it possible for the malicious add-on to execute malicious code. Many of those apps, and many others analyzed in the study, also made it possible to steal browser cookies, control or access a computer's file system, or to open webpages to sites of an attacker's choosing.

[Image: top 10 Firefox add-ons]

The researchers noted that attackers must clear several hurdles for their malicious add-on to succeed. First, someone must go through the trouble of installing the trojanized extension. Second, the computer that downloads it must have enough vulnerable third-party add-ons installed to achieve the attackers' objective. Still, the abundance of vulnerable add-ons makes the odds favor attackers, at least in many scenarios.

In many cases, a single add-on contains all the functionality an attacker add-on needs to cause a computer to open a malicious website. In other cases, the attacker add-on could exploit one third-party add-on to download a malicious file and exploit a second third-party add-on to execute it. In the event that a targeted computer isn't running any third-party add-ons that can be exploited, the attacker-developed add-on can be programmed to provide what's known as a "soft fail" so that the end user has no way of detecting an attempted exploit. Here's a diagram showing how the new class of attack works.

[Figure: cross-extension-attack.png] An extension-reuse attack showing a malicious extension M reusing functionality from two legitimate extensions X and Y to indirectly access the network and filesystem of a targeted computer. The technique allows the malicious extension to discreetly download a malicious file and execute it.
Buyukkayhan et al.
"We note that while it is possible to combine multiple extension-reuse vulnerabilities in this way to craft complex attacks, it is often sufficient to use a single vulnerability to successfully launch damaging attacks, making this attack practical even when a very small number of extensions are installed on a system," the researchers wrote. "For example, an attacker can simply redirect a user that visits a certain URL to a phishing website or automatically load a web page containing a drive-by-download exploit."

Proof of concept
The researchers said they developed an add-on containing about 50 lines of code that passed both Mozilla's automated analysis and its full review process. Ostensibly, ValidateThisWebsite—as the add-on was called—analyzed the HTML code of a given website to determine if it was compliant with current standards. Behind the scenes, the add-on made a cross-extension call to NoScript that caused Firefox to open a Web address of the researchers' choosing.

The vulnerability is the result of a lack of add-on isolation in the Firefox extension architecture. By design, Firefox allows all JavaScript extensions installed on a system to share the same JavaScript namespace, which is a digital container of specific identifiers, functions, methods, and other programming features used in a particular set of code. The shared namespace makes it possible for extensions to read from and write to global variables defined by other add-ons, to call or override other global functions, and to modify instantiated objects. The researchers said that a newer form of Firefox extension built on the alternative JetPack foundation theoretically provides the isolation needed to prevent cross-extension calls. In practice, however, JetPack extensions often contain enough non-isolated legacy code to make them vulnerable.

In an e-mail, Firefox's vice president of product issued the following statement:

The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.

Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative—our project to introduce multi-process architecture to Firefox later this year—we will start to sandbox Firefox extensions so that they cannot share code.

In the meantime, the researchers said Firefox users would benefit from improvements made to the screening process designed to detect malicious add-ons when they're submitted. To that end, they have developed an application they called CrossFire that automates the process of finding cross-extension vulnerabilities. In their paper, they proposed that it or a similar app be incorporated into the screening process.

"Naturally, we do not intend our work to be interpreted as an attack on the efforts of Firefox's cadre of extension vetters, who have an important and difficult job," the researchers wrote. "However, since the vetting process is the fundamental defense against malicious extensions in the Firefox ecosystem, we believe it is imperative that (i) extension vetters be made aware of the dangers posed by extension-reuse vulnerabilities, and that (ii) tool support be made available to vetters to supplement the manual analyses and testing they perform."
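One way to see what a vetting aid of the kind the researchers describe would look for, as an added example that is not from the article, the paper, CrossFire, or any Mozilla code: a toy script that takes a few constructed extension sources and reports every identifier one extension uses but only another extension defines. Under the shared namespace the article describes, such a reference resolves at run time, which is exactly what a reviewer would want flagged. All names and sources in it (tab-helper, html-validator, openTabForUser, the example.invalid URL) are made up for the demo, and the regex-based parser is deliberately simplistic.

```javascript
// Added, constructed example: a toy cross-extension reference finder in the
// spirit of the vetting aid described in the article. It is NOT CrossFire and
// NOT Mozilla code; the extension sources below are made up for the demo.

// Collect names an extension source defines at top level: `function foo(`
// and `var/let/const foo =`. Nested scopes are ignored by this toy parser.
function definedGlobals(source) {
  const names = new Set();
  const re = /^\s*(?:function\s+([A-Za-z_$][\w$]*)|(?:var|let|const)\s+([A-Za-z_$][\w$]*))/gm;
  let m;
  while ((m = re.exec(source)) !== null) {
    names.add(m[1] || m[2]);
  }
  return names;
}

// Collect every identifier-shaped token the source mentions (comments and
// strings included; good enough for a first-pass reviewer aid).
function referencedIdentifiers(source) {
  return new Set(source.match(/[A-Za-z_$][\w$]*/g) || []);
}

// For each extension, report references to names that only *other*
// extensions define. In a shared JavaScript namespace those references
// resolve at run time; in an isolated one they would fail, so every hit is
// something a vetter should look at.
function findCrossExtensionReferences(extensions) {
  const defs = new Map(
    Object.entries(extensions).map(([name, src]) => [name, definedGlobals(src)])
  );
  const hits = [];
  for (const [name, src] of Object.entries(extensions)) {
    const own = defs.get(name);
    for (const id of referencedIdentifiers(src)) {
      if (own.has(id)) continue; // defined locally, not a cross-extension use
      for (const [other, theirDefs] of defs) {
        if (other !== name && theirDefs.has(id)) {
          hits.push({ from: name, uses: id, definedBy: other });
        }
      }
    }
  }
  return hits;
}

// Constructed sample inputs: a helper add-on that exposes a tab opener, and a
// "validator" add-on whose click handler reaches into the helper's global.
const SAMPLE_EXTENSIONS = {
  "tab-helper": `
    function openTabForUser(url) { /* opens url in a new tab */ }
    var helperVersion = "1.0";
  `,
  "html-validator": `
    const rules = ["doctype", "charset"];
    function validate(html) { return rules.every(r => html.includes(r)); }
    function onClick() { openTabForUser("https://example.invalid/report"); }
  `,
};

// Running stand-alone prints the single finding: html-validator uses
// openTabForUser, which only tab-helper defines.
console.log(findCrossExtensionReferences(SAMPLE_EXTENSIONS));
```

The report is a starting point for manual review, not a verdict: a shared name can be legitimate, and a real tool would resolve scopes properly and follow the actual extension APIs rather than match tokens.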
 

hjlbx

Another example of an article that will feed user paranoia...

What are you going to do, stop using NoScript? Why would you do that?

The solution is not to use unknown browser add-ons that are not verified/certified clean. That simple.

And yes. Mozilla needs to get their nonsense sorted out. It has been going on for far too long. Sandboxing\AppContainer, vulnerable code, and now this...

However, what do you expect out of a group of development volunteers? If Mozilla had Google's money, then things would be different...
 

pneuma1985

Level 4
Verified
Aug 30, 2015
186
Another example of an article that will feed user paranoia...

What are you going to do, stop using NoScript? Why would you do that?

The solution is not to use unknown browser add-ons that are not verified/certified clean. That simple.

And yes. Mozilla needs to get their nonsense sorted out. It has been going on for far too long. Sandboxing\AppContainer, vulnerable code, and now this...

However, what do you expect out of a group of development volunteers? If Mozilla had Google's money, then things would be different...
Completely agree: I just thought that, most of us being security SW testers, it should be shared amongst those of us that understand it and know what the article is stating. Yes, it may cause some paranoia among novice users, but either way even novice users need to know the vulnerabilities within add-ons. And yes, with Google's money Mozilla would by far be the best browser there is. I wasn't aiming to cause paranoia. I was just trying to bring awareness to this paper that was released last week. IMO every browser has its faults and vulnerabilities, some bigger than others, but we as testers should know about them!
 

hjlbx

Completely agree: I just thought that, most of us being security SW testers, it should be shared amongst those of us that understand it and know what the article is stating. Yes, it may cause some paranoia among novice users, but either way even novice users need to know the vulnerabilities within add-ons. And yes, with Google's money Mozilla would by far be the best browser there is. I wasn't aiming to cause paranoia, just to bring awareness to this paper that was released last week. IMO every browser has its faults and vulnerabilities, some bigger than others, but we as testers should know about them!

Not directed at you. Directed at article authors and those that spread user paranoia. Such articles only focus on the problem and never mention a single thing about all the facts, nor the "big picture," simple solutions to avoid the problem, etc.

At least the article makes a hint at a simple solution: First, someone must go through the trouble of installing the trojanized extension.

Newbies read these types of articles and go into nuclear-meltdown mode...

Safe is good, OCD paranoid is bad.
 

hjlbx

just use Chrome :D

Firefox is outdated in terms of security.

IF Cyberfox was not so damn fast on my system, then I would use Chrome. I could even put up with the Sandboxie error message about not being able to connect to the SBIE Service.

So I run Cyberfox in a sandboxed or isolated environment.

Besides, @Umbra taught me how to protect my system, so even if I use Cyberfox there is not much I need to worry about.
 

Deleted Member 333v73x

Firefox is a good browser, but their lack of a sandbox and other security features makes it useless!
 

Mineria

Level 3
Mar 19, 2016
128
just use Chrome :D

Firefox is outdated in terms of security.
What makes you say that Chrome is more secure?
Chrome is the only browser that gave me an isolated incident that made use of cross-server scripting with the intent to run malicious code, whereas both IE and FF refused to run the script.
I was aware of the script before entering the link, since I detected it on a webserver where one of our developers used some old outdated code, so I executed it in a fully virtual sandboxed environment and found it interesting to check how the main browsers would react to it.
 

hjlbx

What makes you say that Chrome is more secure?
Chrome is the only browser that gave me an isolated incident that made use of cross-server scripting with the intent to run malicious code, whereas both IE and FF refused to run the script.
I was aware of the script before entering the link, since I detected it on a webserver where one of our developers used some old outdated code, so I executed it in a fully virtual sandboxed environment and found it interesting to check how the main browsers would react to it.

Tab sandboxing, and it can be set to run inside the Windows 10 AppContainer by tweaking hidden experimental settings.

Besides, Chrome doesn't suffer from the same vulnerability covered in the main OP article.
 

Mineria

Level 3
Mar 19, 2016
128
Tab sandboxing, and it can be set to run inside the Windows 10 AppContainer by tweaking hidden experimental settings.

Besides, Chrome doesn't suffer from the same vulnerability covered in the main OP article.
I had to test in Windows 7; few businesses use Windows 8 and up, so I had to sandbox it to see what that encrypted script was trying to achieve.

I know, but that doesn't indicate that Chrome is more secure; every browser has its flaws to fight with, even if it's only a text-based version.
 

jamescv7

Level 85
Verified
Trusted
Mar 15, 2011
13,084
Well, that's the challenge, considering that Firefox is still behind on security implementations, hence add-ons are prone to the risk.

But of course these are statistics, because if you solve the primary issue here then almost 90% will be fixed.

It's up to the developer to engage more in patching and stronger mechanisms.
 

Mineria

Level 3
Mar 19, 2016
128
Looking a bit further through the article will also reveal that Java plays a part as well.
I would recommend that people don't install Java, Silverlight and Flash if they don't need them (actually very few sites require them); that takes quite a lot away from the attack surface.
 

soccer97

Level 11
May 22, 2014
511
I was about to say, try placing the extensions in a sandbox (as Adobe did apparently with Flash Player, albeit that isn't the best example). I think it's time for Firefox to move away from compatibility with older OSes as others are doing and move toward hardening their product, from the extensions to memory, WebGL, the browsing engine, etc.


I like Firefox overall though, good Product.


Would this imply that it is better to use a central AdBlocking product (less risk)? - Ex: AdGuard?
 

Mineria

Level 3
Mar 19, 2016
128
Firefox is a good browser, but their lack of a sandbox and other security features makes it useless!
Depends; if you're careful and think before clicking, it's quite useful.
Mozilla is working on making it more secure, but it takes time to get rid of plugins and unsafe extension code without breaking functionality; keep in mind that a lot of their ex-developers have been snatched by Google to work on Chrome.
Also, Symantec is currently holding back on Norton Vault for Firefox, since they don't want to redevelop for every change Mozilla adds, so they wait for them to get the restructuring completed.
 