Firefox Extensions Lift the Keys to the Kingdom

Attackers have myriad ways of gaining access to systems; some are as basic as asking their way in, while others are a bit more high-tech. According to a new Mozilla security bulletin, your Firefox extensions could be the key the hackers are looking for.

The vulnerability — discovered and demonstrated by security researcher Gerry Eisenhaur — involves exploiting so-called "flat" Firefox extensions to access information stored elsewhere on the system. "Flat" extensions are ones not contained within a .jar, which allows an attacker to escape the extensions directory and load files housed elsewhere. Mozilla believes that attackers could use the exploit to harvest information about vulnerability to potential attacks. While security teams are investigating, Mozilla has classified the exploit as low priority, so no news on when it may be fixed.

Mozilla identified two popular extensions — Download Statusbar and Greasemonkey — as vulnerable to the exploit, while the NoScript extension is reported to prevent the attacks.

Read more.


Justin Ryan is a Contributing Editor for Linux Journal.


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Download Statusbar

Anonymous's picture

Well damn, I love the status bar.

Me too

Justin Ryan's picture

I have both Greasemonkey and Download Statusbar, so I was initially quite alarmed - however, I also use NoScript, so I'm supposedly safe. It's a pretty neat extension, at least worth a try - a bit annoying at first, until you get used to checking it when things don't work as you expect, but outside that, pretty neat.

Justin Ryan is a Contributing Editor for Linux Journal.

One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix