Top Firefox extensions can hide silent malware using easy pre-fab tool

The most popular Firefox extensions with millions of active users are open to attacks that can quietly compromise machines and pass Mozilla's automated and human security tests. The extension reuse attacks exploit weaknesses in the structure of Firefox extensions such that malicious activity can be hidden behind legitimate …

  1. Kurt Meyer

    Alternatives?

    I don't know for sure, but I'll guess that Pale Moon suffers from the same or similar flaw(s), since its extension model is identical, as far as I know. So, Midori? Qupzilla? SRware Iron? Chromium? ELinks?

    1. frank ly

      Re: Alternatives?

      Living on the Edge? They're going to give it extensions.

  2. Anonymous Coward

    Today I learned 22 million people didn't get the memo that adblock plus went to the dark-side, and uBlock origin is where it's at.

    1. Anonymous Coward

      Provide link to memo!

      1. Anonymous Coward
      2. Florida1920

        @AC

        Provide link to memo!

        I'm not the only one who has been pushing uBlock Origin over ABP lately. Maybe if you take off the mask you'll notice more. Last week in this topic I said

        Adblock is so 2015. Those in the know have long since migrated to uBlock Origin.

        And got four downvotes!

        Less than two weeks ago, I positively mentioned uBlock Origin twice in this topic.

        We're trying, mate, but you have to help yourself, too.

    2. Ceiling Cat

      This is funny, because once I opted out of Whitelisted advertising through Adblock (they even tell you how to disable it in the installer, ffs), I really haven't noticed a difference in operation between Ublock and AdBlock Plus.

      I also opt out of the whole debate about the ethical factor of paid whitelisting. I would have a stronger opinion if AdBlock Plus were the only ad-blocker available, but it's not. As it is, I use both, depending on the install. For example, I used UBlock on my Lubuntu install, but I can't be bothered to switch on my main machine. My wife's Kubuntu box got whatever I felt like installing (ABP, I think), and it seems to work just fine. The machine I built for my co-worker got Ublock, because he doesn't care which I put on as long as it blocks most ads.

      Wish I could get ABP or UBlock for my tablet's default browser. Makes browsing the web a bit of a chore having all that extra crap on the page.

      1. Phil Kingston

        Block for all your kit in your DNS server. Done. Also for tablet.

        1. Anonymous Coward

          "Block for all your kit in your DNS server. Done. Also for tablet."

          Because everyone has a DNS server...FFS

          1. Someone_Somewhere

            Re: Because everyone has a DNS server...FFS

            Easy to set up.

            And free, if you use linux/BSD.

            You could even dedicate some resources on a Pi to it - along with a dedicated firewall and web proxy.

            Just because /you/ don't, doesn't mean no-one else /could/ (or /should/) ... FFS.

    3. Doctor Syntax Silver badge

      And today we learned that massivelySerial hasn't realised that ABP has a facility to turn off whitelisting.

      I looked at uBlock. It blocked more than ads. Specifically it was blocking the videos of weather forecasts on the Beeb's site. It was removed forthwith & ABP was back with whitelisting turned off.

      1. Charles 9

        "Specifically it was blocking the videos of weather forecasts on the Beeb's site."

        You know uBlock Origin has a very obvious "Off Button" you can use to turn it off on a per-site or per-page basis if you need it? It's kinda necessary when ad content and legit content are fed off the same server, creating a part-and-parcel problem.

      2. Baskitcaise

        beeb?

        (Specifically it was blocking the videos of weather forecasts on the Beeb's site.)

        Works fine here just whitelist the beeb in ublock.

    4. Halfmad

      Even if Adblock hadn't, Ublock is simply miles better anyway.

  3. Destroy All Monsters Silver badge

    This mess of an article still doesn't explain WTF is going on?

    So there are extensions which pass Mozilla's holey vetting process and use other extensions to hide their malicious behaviour. Or something? And if so, how?

    1. Anonymous Coward

      Re: This mess of an article still doesn't explain WTF is going on?

      I'm glad it's not just me. I think you're right - it isn't that the likes of NoScript contain any malware, but rather that their use can be subverted by dodgy extensions.

      So, if I only have one extension - NoScript, as it happens, and don't install anything else, there is no problem.

      And if so, I'll stick with Palemoon for now.

      1. Anonymous Coward

        Re: This mess of an article still doesn't explain WTF is going on?

        That's the way I interpret what they've said. I'd call it a trojan-extension vulnerability. You have to go out and grab the extension from either off-Mozilla source (and forcefeed that in) or you have to download an extension that Mozilla says is okay but has internals that have been vetted as good but isn't.

        Frankly, I've always paid attention to who the author is and I keep it lean on the add-ons.

      2. Doctor Syntax Silver badge

        Re: This mess of an article still doesn't explain WTF is going on?

        "And if so, I'll stick with Palemoon for now."

        But as the first comment says, Palemoon probably has the same problem. After all it was a fork of the Firefox of some time ago.

        1. Anonymous Coward

          @Doctor Syntax - Re: This mess of an article still doesn't explain WTF is going on?

          Yes, Palemoon has the same problem and, I suppose, will continue to have it for a lot longer than Firefox.

          I was trying to acknowledge that point, and at the same time conclude that the risk is containable - provided that I don't install any extensions other than NoScript. As it stands, NoScript is all I need or use beyond the basic fit (both for Palemoon and for Firefox - when I occasionally use it).

          1. Someone_Somewhere

            Re: NoScript is all I need

            If you add RequestPolicy to your repertoire, you'll find that (in my experience) at least 7/10 times you don't even need to enable a single script, just a cdn (or local domain-hosted images) to see all you need to - I find that (almost) the only time I need any scripts is when I want to do anything that requires a login (like replying here for instance).

    2. MrT

      Re: This mess of an article still doesn't explain WTF is going on?

      Exactly my thoughts - no link to source material either. At one point the message is "don't trust extension writers", then it's "some are okay", but in parts it looks more like malware is riding in under the cloak of the extension, as if it's nicking a session ID, or that it's replacing the regular extension in the library with a fake version.

      If the conclusion is to trust AdBlock more than NoScript... ... oh dear. I'd rather trust NoScript than the ad-slingers and analytics trackers. It's almost as if the research was funded by those behind DoubleClick or AdBlock - wouldn't surprise me if uBlock Origin was also found wanting...

      FUD.

    3. Dr Paul Taylor

      Re: This mess of an article still doesn't explain WTF is going on?

      Please can we have some clearer analysis of whether NoScript is safe or not. I block all Javascript unless I can't get away without it, because I don't want every Tom Dick and Harry's code running on my computer.

    4. JLV

      Re: This mess of an article still doesn't explain WTF is going on?

      Yeah, felt like a mental midget as well. What is noscript's role in all this? Someone can upload a malicious clone of it somewhere? Or someone can write a different extension that taps into legit noscript to hack you?

      I agree with the poster that the less you install the better off you are and only do it for large volume use stuff. Let other kids take point in landmine country. That model is true for PCs, smartphone apps, JS n Python modules, browsers. I do tend to trust Linux and macport official repos though.

  4. Anonymous Coward

    NoScript = Tor browser bundle

    I haven't heard of NoScript before, yet it has 2.5 million users? A quick search says it's in the Tor browser bundle, so they will be Tor users.

    https://en.wikipedia.org/wiki/Tor_%28anonymity_network%29#Tor_Browser

    "Tor Browser, previously known as Tor Browser Bundle (TBB), is the flagship product of the Tor Project. It consists of a modified Mozilla Firefox ESR web browser, the TorButton, TorLauncher, NoScript and HTTPS Everywhere Firefox extensions"

    But that would also explain one of the unknown Tor attack vectors, from the story last week.

    1. Intractable Potsherd

      Re: NoScript = Tor browser bundle

      I can't work out whether you are being serious, AC. However, in case you are (after all, there is a first time to find anything, even if it is well-known), NoScript is a very well-known and trusted script blocker for Firefox and its forks: https://noscript.net/. I have been using it for years, and I suspect I heard about it on these here fora - the list of comments runs to ten pages: http://forums.theregister.co.uk/post/search/?q=noscript&sort=score&page=10.

    2. Doctor Syntax Silver badge

      Re: NoScript = Tor browser bundle

      "I haven't heard of NoScript before, yet it has 2.5 million users? A quick search says it's in the Tor browser bundle, so they will be Tor users."

      Where did you search? If you use your browser's search for extensions options you should find it there. Tor might bundle it but lots of us use it without using Tor. I'm surprised the count is as low as 2.5 million. You seem to have much to learn.

    3. frank ly

      Re: NoScript = Tor browser bundle

      A quick search tells me that Firefox is in most Linux distributions. So, Firefox users run Linux - obviously.

    4. x 7

      Re: NoScript = Tor browser bundle

      "A quick search says it's in the Tor browser bundle, so they will be Tor users."

      That's the kind of bollox you get if your first line of research is wiki

      It may be in the TOR browser, but that's just a tiny part of its use. It's a script blocking extension for Firefox.

      It's available for download from https://addons.mozilla.org/en-GB/firefox/addon/NoScript/

      The author's webpage is at https://noscript.net/

      It's a good program, though using it can get tiresome due to the amount of interaction it requires to view many sites

    5. John Brown (no body) Silver badge

      Re: NoScript = Tor browser bundle

      "I haven't heard of NoScript before, "

      Really? New to IT or something? It's usually one of the Top Picks if you go to the Firefox add-ons page

      As for Tor, no. NoScript is included with and used as part of the Tor Bundle, yes, as are many other useful tools and utilities which are nothing to do with Tor per se. NoScript is a separate and standalone project and nothing to do with the Tor project.

  5. This post has been deleted by its author

    1. Charlie Clark Silver badge

      I've said this time and time again. Core functionality should be built into the browser rather than relying on, "plugins", for just about everything.

      Well, have a prize for being the most self-righteous prick of the day!

      The vulnerability here described stems from the way XUL provides access to core functionality. It is, however, pretty esoteric and requires considerable social engineering in order to be exploited. Furthermore, while I'm no fan of the XUL approach, we're talking about an architecture that is 15 years old and is already side-lined for replacement with a sandboxed, but less capable one.

      As for core browser functionality: I'm more worried about browsers being able to spaff my location or access microphone and camera than I am about this, because if the browser itself can be compromised, and this seems more common than compromised extensions, it can spew far more information.

      1. This post has been deleted by its author

      2. Mark 110

        What's on your camera???? Is it fun??

    2. Doctor Syntax Silver badge

      @ 1980s_coder

      That depends on what you understand by core functionality. We started out with a very limited functionality. The server provided minimal tags to describe the content and the client was left to do layout. The most objectionable element of the whole lot was probably the blink tag. PDQ marketroids and the like took over and demanded more & more control over the appearance of the displayed page. Hence we got CSS, Javascript, cookies, Java applets, Flash & whatever other crap escapes me for the moment. The browser became less of a client to display what it was sent and more of a remote execution platform. No wonder it's riddled with vulnerabilities. The "core functionality" has grown and part of the need for extensions is to block some of it.

      I'm not against the idea of a core without extensions but it would have to be smaller than the present core, not bigger. It would have to be small enough to be safe - i.e. a remote display platform, not a remote execution platform and web sites need to adapt.

      However the original concept of the web is now so seriously broken and I can't see how it can be fixed. Any browser attempting to go back to an intrinsically safe core would break so many sites it would be rejected by users. The browser authors should have said "no" when the first requests to subvert the original concept came in and they should have kept saying "no".

      1. Dr Paul Taylor

        However the original concept of the web is now so seriously broken and I can't see how it can be fixed.

        and the rest of the post - my thoughts entirely.

        I want a "browser" that treats every incoming byte as possible malware/spyware, shows me the pure information content and sends nothing back to the source.

        1. Charles 9

          "I want a "browser" that treats every incoming byte as possible malware/spyware, shows me the pure information content and sends nothing back to the source."

          Then how do you do things like interactive whiteboards, running stats/scores/whatever or a shopping cart where the URL doesn't give the works away each time? Surfers want two-way content, and you can't do that on a one-way web.

  6. Anonymous Coward

    "Mozilla already maintains a list of malicious extensions which sports 161 blacklisted items [...]"

    A link would have been useful. Presumably it is this one?

    https://addons.mozilla.org/en-GB/firefox/blocked/

    Can't find the Selenium VBA Web Driver that it disabled last week on 45.0.1 - but it is not in the allowed extensions either.

  7. Doctor Syntax Silver badge

    More info needed

    1. Was this disclosed to the extension authors with sufficient time for them to produce fixes? If not it's an irresponsible disclosure.

    2. Is this a vulnerability which can be exploited by simply browsing a malicious site or does the user have to be tricked into doing something active?

    3. If the latter what should we avoid?

    1. Anonymous Coward

      Re: More info needed

      "1. Was this disclosed to the extension authors with sufficient time for them to produce fixes? If not it's an irresponsible disclosure."

      It's a black hat conference, so probably not.

      1. Doctor Syntax Silver badge

        Re: More info needed

        "It's a black hat conference, so probably not."

        Given that the authors were a PhD student and an academic I'd have expected a degree of responsibility if only to avoid the risk of class action suits on their universities.

  8. Digitall

    I call BULLSHIT!

    I don't claim to be an expert but, this seems to me to be an undermining attempt to get surfers to abandon something that works. (Fear is the key which seems to work in this age)

    So using Tor with noscript and https everywhere is unsafe? yeah right..

    I'd be more worried about the avenue Microsoft is pursuing and what the future holds for privacy and the impending data breach of YOUR data on THEIR systems.

  9. Elmer Phud

    No Script?

    Considering the bandwidth used on these pages where we are regaled by NoScript fans, the irony is big with this one.

  10. David Roberts

    Messy article, messy comments.

    As far as I can tell someone has demonstrated that a malicious extension can hijack reputable extensions and do bad things (the implication being that reputable extensions have the power to do bad things but don't).

    For context, some of the most popular (vulnerable) extensions were listed.

    Cue commentards promptly slagging off various extensions, apparently missing the point that you also need to install the malicious extension for harm to happen.

    Isn't the real message that the extension framework in Firefox is unsafe by design so be very careful about adding extensions?

    Just to join in the general slagging off, I've given up on Firefox on Windows and Android because it is so bloated and slow.
