Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Patch/Configuration Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

With patch release looming, student details flaw in Firefox add-ons

As users await the latest Mozilla Firefox patches, expected to be released today, absent will likely be a fix for a new remote vulnerability in browser extensions reported by a University of Indiana graduate student.

Christopher Soghoian said on his blog today that a flaw exists in the "upgrade mechanism" used in Firefox extensions, or add-ons that lend additional functionality to the browser - namely third-party toolbars.

"The vulnerability is made possible through the use of a man-in-the-middle attack, a fairly old computer security technique," Soghoian wrote today. "Essentially, an attacker must somehow convince your machine that he is really the update server for one or more of your extensions, and then the Firefox browser will download and install the malicious update without alerting the user to the fact that anything is wrong."

In lieu of a fix, Soghoian suggests users remove or disable Firefox extensions except those downloaded from the official Mozilla add-ons site.

Mike Shaver, Mozilla's director of ecosystem development, told today in a statement that the users of Mozilla-hosted add-ons are not at risk. He instead pinned the blame on the third-party providers.

"Users of add-ons that are insecurely hosted/updated are vulnerable to remote code execution if their network is compromised," he said. "We strongly encourage the providers of such add-ons to remedy their hosting situation promptly to minimize the exposure to the users of their software."

Soghoian added that many of the third-parties who provide the extensions, such as Yahoo, Google and Facebook, were notified of the bug but have yet to release a patch.

Meanwhile, Mozilla is expected to push out the latest updates for Firefox today.

The fixes also mark the last release for version 1.5, for which support ends today, according to the Mozilla Developer Center site. Firefox contains a component that can automatically upgrade users to version 2.0 of the alternative browser.

The company suggested that all users download the latest version to "benefit from features that make search, communication and online security more effective."

The updates will be detailed here.

Get more IT security news. Click here for SC Magazine Blogs.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.