Firefox: Silent Add-ons Possible

Wednesday, January 23, 2013 @ 03:01 PM gHale


It is possible to silently install extensions for Mozilla’s open source Firefox web browser.

The process makes use of the fact that Firefox uses a Sqlite3 database to maintain information about which add-ons, or extensions, end up installed and, of those, which ones the user has approved, said ZScaler security researcher Julian Sobrier.

RELATED STORIES
Chrome Updated, Fixes Security Holes
Mozilla Closes Critical Holes
Chrome Wards Off BlackHole
Phishing Report: Comparing Browsers

This goal of this feature, introduced in Firefox 8, was to stop toolbars and other applications adding in their own add-ons without informing the user.

Sobrier’s technique shows the mechanism is relatively easy to overcome. Add-ons have privileged access to the browser and therefore a malicious add-on could do anything including stealing the user’s history, modifying pages’ contents or disabling security features in the browser. The add-on doesn’t have to be malicious either, just unexpected; back in 2009 Mozilla found itself blocking a silently installed Microsoft extension which happened to expose Firefox users to a .NET Framework flaw. Without a user knowing what is on the system, it becomes hard to react to security threats when they appear.

An application has to be able to copy an extension into the Firefox extensions directory. Once this occurs, a user must access the Sqlite3 database and add a record to it for the new extension. It is a simple task to set the field for “Has this add-on been approved” and that is what Sorbrier’s code does. The add-on will only begin running when Firefox restarts. Sorbrier demonstrated the technique with a proof of concept extension and installer written in C# and available for download.

Mozilla has the capability to blacklist malicious add-ons, but the catch is they have to end up detected. There are reportedly other techniques too, such as modifying prefs.js in Firefox to block its need to prompt to install add-ons. Although the technique does require a high level of local privileges, it is one that is easy to hide in installers and downloads, and if the purpose of the attack is not to cause immediate damage, it is a useful tool for an attacker, researchers said.



Leave a Reply

You must be logged in to post a comment.