
Firefox Browser Usage and Support Forum

    
Google, Yahoo, Facebook Extensions: Firefox Users At Risk
3rd Party extensions from Google, Yahoo, Ask, Netcraft, et al. to blame.
grelmar




 
Msg#: 3353849 posted 8:05 pm on May 30, 2007 (gmt 0)

From Wired [blog.wired.com]

"Third party extensions including the widely used toolbars from Google, Yahoo, Ask, Facebook, LinkedIn, as well as social bookmark extension from Del.icio.us and two anti-hacking add-ons, the Netcraft Anti-Phishing Toolbar and the PhishTank SiteChecker all put users at risk of having their browser infected with malicious code."

and later...

"Unlike the research suggests, McAfee SiteAdvisor is actually worse than any of these other major extensions. It periodically downloads completely unauthenticated code from McAfee's server, which it then executes with the same privileges as your browser.

Not only does this backdoor allow McAfee to do whatever they please with your computer, but a hacker can run any malicious code on your system without you ever noticing by simply spoofing the URL [siteadvisor.com...]"

Ok, so not so surprising that 3rd party extensions are a security problem for FF. But Netcraft and McAfee should know better.

This is going to drop a big, wet, bomb on Firefox. Just wait for the collateral spin coming out of Redmond.

 

incrediBILL




 
Msg#: 3353849 posted 8:28 pm on May 30, 2007 (gmt 0)

Just goes to show you that using a less popular tool to get security from obscurity is just avoiding the inevitable that you WILL eventually get hacked unless the code is secure.

justageek




 
Msg#: 3353849 posted 8:45 pm on May 30, 2007 (gmt 0)

"Just goes to show you that using a less popular tool to get security from obscurity is just avoiding the inevitable that you WILL eventually get hacked unless the code is secure."

Well said and I say pretty much the same thing to people that start the 'MS is not secure but x is' argument.

I wish that just for one day all the underdog companies could be the top dog. Just watch the hackers go after them then. It's no fun bringing down the little guy so why even try?

JAG

jtara




 
Msg#: 3353849 posted 9:17 pm on May 30, 2007 (gmt 0)

Not as serious as it sounds from the headline:

"That means that users who open their browsers when using an open wireless connection are vulnerable to a hacker being able to intercept these third-party extensions' checks for updates at a plain http:// site and then pretend to be the update server. At lesser risk are users who haven't changed the default password on home routers, which could allow an attacker to take over the router and mess with internet packets."

Using an open wireless connection is risky in any case.

However, they certainly should be using SSL for downloading updates. Though less common, there are other means of man-in-the-middle attacks that are possible.

Mobile users need to be aware of ALL programs that do automatic updates, and should disable them when traveling. Easier said than done, I know...
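The check discussed above (third-party extensions polling for updates over plain http://) can be audited from each extension's install manifest. This is an added example, not part of the original thread; it assumes the Firefox 2-era `install.rdf` format with an `em:updateURL` property, and the sample manifests and extension ids are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EM = "http://www.mozilla.org/2004/em-rdf#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
NS = f'xmlns="{RDF}" xmlns:em="{EM}"'

# Constructed sample manifests (hypothetical extensions, not real products).
SAMPLES = {
    "toolbar": f'<RDF {NS}><Description about="urn:mozilla:install-manifest">'
               '<em:id>toolbar@example.invalid</em:id>'
               '<em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>'
               '</Description></RDF>',
    "checker": f'<RDF {NS}><Description about="urn:mozilla:install-manifest" '
               'em:id="checker@example.invalid" '
               'em:updateURL="https://updates.example.invalid/update.rdf"/></RDF>',
    "hosted":  f'<RDF {NS}><Description about="urn:mozilla:install-manifest">'
               '<em:id>hosted@example.invalid</em:id></Description></RDF>',
}

def em_property(desc, name):
    """Read an em: property written either as a child element or an attribute."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")

def audit_manifest(xml_text):
    """Return (extension id, verdict, update URL) for one install.rdf."""
    root = ET.fromstring(xml_text)
    for desc in root.iter(f"{{{RDF}}}Description"):
        about = desc.get("about") or desc.get(f"{{{RDF}}}about")
        if about != "urn:mozilla:install-manifest":
            continue
        ext_id = em_property(desc, "id") or "(no id)"
        url = em_property(desc, "updateURL")
        if not url:
            # Assumption: no custom URL means the browser's own update
            # service is used, which the thread says runs over https.
            return ext_id, "default", None
        scheme = urlsplit(url).scheme.lower()
        # Anything other than https can be answered by whoever controls the network.
        return ext_id, ("ok" if scheme == "https" else "insecure"), url
    return None, "no-manifest", None

def audit_all(manifests):
    return {name: audit_manifest(text) for name, text in manifests.items()}
```

Running `audit_all` over the `install.rdf` files in a profile's extensions directory gives a list of extensions to disable or keep off untrusted networks until their vendors move updates to https.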

dasfundo




 
Msg#: 3353849 posted 11:25 pm on May 30, 2007 (gmt 0)

... and large rectangle banner of Windows Mobile in wired.com's homepage....

blend27




 
Msg#: 3353849 posted 11:31 pm on May 30, 2007 (gmt 0)

---Using an open wireless connection is risky in any case.---

I spent 2 hours yesterday trying to restore a HD for a friend of mine who was accidentally using a neighbor's open WiFi for the past 2 months, just 'cause it was wide open and he did not have a clue what was going on. In the end it was a full reformat, all data LOST.

jdMorgan




 
Msg#: 3353849 posted 11:33 pm on May 30, 2007 (gmt 0)

Mozilla responds: [developer.mozilla.org...]

Jim

StupidScript




 
Msg#: 3353849 posted 11:36 pm on May 30, 2007 (gmt 0)

ServerWatch.com [securityspace.com] indicates that Microsoft servers are one of the "underdogs" ... and they have been for quite some time now. If it was all about market share, then Apache would be the number one attack target in the server world. And maybe it is ... the several that I manage are attacked thousands of times per day. Funny how they never get in ... but then I run Linux as my OS of choice. Not that that establishes a causal relationship, but I think it's interesting in that context, don't you?

This has nothing to do with Microsoft v. The World. This is about poor security choices during the development of advertising vehicles (those third-party extensions and toolbars.) The extensions/toolbars behave exactly the same way whether installed on MacOS, Windows or Posix.

Of course, compromising a Linux browser running one of the extensions would limit the attack to that particular user's identity, and wouldn't compromise the box, but that's the way Linux is designed. (Windows users don't have that same level of protection, tho' ... as goes the browser, so goes the kernel ... :) )

zafile



 
Msg#: 3353849 posted 11:53 pm on May 30, 2007 (gmt 0)

"Just wait for the collateral spin coming out of Redmond."

I wonder which are the real people who suffer from the "Amiga syndrome" ...

[liw.iki.fi...]

bill




 
Msg#: 3353849 posted 2:50 am on May 31, 2007 (gmt 0)

Just got my auto-upgrade notice for 2.0.0.4. Was that part of this issue or unrelated?

grelmar




 
Msg#: 3353849 posted 3:00 am on May 31, 2007 (gmt 0)

"Just got my auto-upgrade notice for 2.0.0.4. Was that part of this issue or unrelated?"

Unrelated. The key problem here is how 3rd party extensions interact with 3rd party servers. If you want to avoid the problem (AFAIK, there are no exploits in the wild as of yet), then disable 3rd party extensions that you didn't get from the Moz site. Any extensions that update from Mozilla.org do so over https, and aren't a part of the vulnerability.

"I wonder which are the real people who suffer from the 'Amiga syndrome' ...

[liw.iki.fi...]"

I have to admit, I suffer from that syndrome now and then. Trying real hard to get over it. That article should be mandatory reading for everyone involved in the browser wars/OS wars. Good link.

As an aside: I'm still using FF, but months ago on my blog I commented that I would ditch it as soon as it became as buggy as IE, or as much of a target for malware as IE. I don't think it's reached anywhere near that point, yet, but the more I read about FF v3, the features and bloat that are going into it, the more I'm brushing up on my familiarity with other browsers.

StupidScript




 
Msg#: 3353849 posted 3:11 am on May 31, 2007 (gmt 0)

"I wonder which are the real people who suffer from the 'Amiga syndrome' ...

[liw.iki.fi...]"

"I have to admit, I suffer from that syndrome now and then. Trying real hard to get over it. That article should be mandatory reading for everyone involved in the browser wars/OS wars. Good link."

Indeed. Point taken and points to grelmar, too. Nicely stated.

[edited by: StupidScript at 3:12 am (utc) on May 31, 2007]
