Firefox Extensions Lift the Keys to the Kingdom

Attackers have myriad ways of gaining access to systems; some are as basic as asking their way in, while others are a bit more high-tech. According to a new Mozilla security bulletin, your Firefox extensions could be the key the hackers are looking for.

The vulnerability, discovered and demonstrated by security researcher Gerry Eisenhaur, involves exploiting so-called "flat" Firefox extensions to access information stored elsewhere on the system. "Flat" extensions are ones not contained within a .jar; that layout allows an attacker to escape the extensions directory and load files housed elsewhere. Mozilla believes that attackers could use the exploit to harvest information about a system's vulnerability to potential attacks. While security teams are investigating, Mozilla has classified the exploit as low priority, so there is no news on when it may be fixed.

Mozilla identified two popular extensions — Download Statusbar and Greasemonkey — as vulnerable to the exploit, while the NoScript extension is reported to prevent the attacks.
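To check which installed extensions are "flat" in the sense described above, the following added example (not code from Mozilla, the researcher or Linux Journal) reads each extension's chrome.manifest and flags registrations that do not point into a .jar. It assumes the legacy chrome.manifest extension layout; the function names and sample manifests are constructed for this illustration.

```python
import os
import sys

# chrome.manifest instruction types that map a chrome:// package to files on disk
CHROME_TYPES = {"content", "locale", "skin"}

def flat_registrations(manifest_text):
    """Return (type, package, location) for registrations not served from a .jar."""
    flat = []
    for raw in manifest_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#") or parts[0] not in CHROME_TYPES:
            continue
        # "content pkg uri [flags]"; "locale|skin pkg name uri [flags]"
        idx = 2 if parts[0] == "content" else 3
        if len(parts) <= idx:
            continue  # malformed line, nothing to classify
        uri = parts[idx]
        if not uri.startswith("jar:"):
            flat.append((parts[0], parts[1], uri))
    return flat

def audit_extensions(extensions_dir):
    """Map extension directory name -> list of flat registrations found in it."""
    report = {}
    for name in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, name, "chrome.manifest")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8", errors="replace") as fh:
            flat = flat_registrations(fh.read())
        if flat:
            report[name] = flat
    return report

# Constructed sample manifests (not taken from any real extension)
SAMPLE_JAR = "content example-jar jar:chrome/example.jar!/content/\n"
SAMPLE_FLAT = ("# constructed sample\n"
               "content example-flat chrome/content/\n"
               "skin example-flat classic/1.0 chrome/skin/\n")

if __name__ == "__main__" and len(sys.argv) > 1:
    # Argument: path to a profile's extensions directory (supplied by the user)
    for ext, regs in audit_extensions(sys.argv[1]).items():
        print(ext, regs)
```

An extension listed in the report registers at least one chrome package from a plain directory rather than from a .jar.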



Justin Ryan is a Contributing Editor for Linux Journal.



Download Statusbar

Anonymous

Well damn, I love the status bar.

Me too

Justin Ryan

I have both Greasemonkey and Download Statusbar, so I was initially quite alarmed - however, I also use NoScript, so I'm supposedly safe. It's a pretty neat extension, at least worth a try - a bit annoying at first, until you get used to checking it when things don't work as you expect, but outside that, pretty neat.
