Firefox Extensions Lift the Keys to the Kingdom

Attackers have myriad ways of gaining access to systems; some are as basic as asking their way in, while others are a bit more high-tech. According to a new Mozilla security bulletin, your Firefox extensions could be the key the hackers are looking for.

The vulnerability, discovered and demonstrated by security researcher Gerry Eisenhaur, involves exploiting so-called "flat" Firefox extensions to access information stored elsewhere on the system. "Flat" extensions are ones whose files are not contained within a .jar; that layout allows an attacker to escape the extensions directory and load files housed elsewhere. Mozilla believes that attackers could use the exploit to harvest information about a system's vulnerability to potential attacks. While security teams are investigating, Mozilla has classified the exploit as low priority, so there is no news on when it may be fixed.

Mozilla identified two popular extensions — Download Statusbar and Greasemonkey — as vulnerable to the exploit, while the NoScript extension is reported to prevent the attacks.
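To see which installed extensions use the "flat" layout described above, a profile's extensions directory can be audited. The following is an added example, not code from Mozilla or the original article; it assumes each extension registers its chrome packages in a `chrome.manifest` file and that packed extensions use `jar:` locations there, and the extension IDs in the sample data are constructed.

```python
import os
import tempfile

CHROME_TYPES = {"content", "skin", "locale"}  # manifest lines that register a package location

def manifest_locations(manifest_text):
    """Yield (type, package, location) for each chrome registration line."""
    for raw in manifest_text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in CHROME_TYPES:
            continue  # blank lines, comments, overlays and other instructions
        # "content pkg location [flags]" vs "skin|locale pkg name location [flags]"
        idx = 2 if parts[0] == "content" else 3
        if len(parts) > idx:
            yield parts[0], parts[1], parts[idx]

def is_flat(manifest_text):
    """True if any chrome package is served from a plain directory, not a jar: location."""
    return any(not loc.startswith("jar:") for _, _, loc in manifest_locations(manifest_text))

def audit_extensions(extensions_dir):
    """Return the sorted names of installed extensions that register flat chrome packages."""
    flat = []
    for name in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, name, "chrome.manifest")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8", errors="replace") as fh:
                if is_flat(fh.read()):
                    flat.append(name)
    return flat

def build_sample_profile(root):
    """Constructed sample data: one jar-packed and one flat extension (IDs are made up)."""
    samples = {
        "packed@example.invalid": "content packed jar:chrome/packed.jar!/content/\n"
                                  "locale packed en-US jar:chrome/packed.jar!/locale/en-US/\n",
        "flat@example.invalid": "# flat layout\ncontent flatext chrome/content/\n"
                                "skin flatext classic/1.0 chrome/skin/\n",
    }
    for ext_id, manifest in samples.items():
        os.makedirs(os.path.join(root, ext_id))
        with open(os.path.join(root, ext_id, "chrome.manifest"), "w") as fh:
            fh.write(manifest)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_extensions(build_sample_profile(tmp)))
```

Point `audit_extensions` at the `extensions` folder of a real profile to list candidates for closer review or temporary disabling.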

______________________

Justin Ryan is a Contributing Editor for Linux Journal.

Comments

Download Statusbar

Anonymous

Well damn, I love the status bar.

Me too

Justin Ryan

I have both Greasemonkey and Download Statusbar, so I was initially quite alarmed - however, I also use NoScript, so I'm supposedly safe. It's a pretty neat extension, at least worth a try - a bit annoying at first, until you get used to checking it when things don't work as you expect, but outside that, pretty neat.
