Security Response

Extending good and evil

Created: 19 Oct 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:56:00 GMT
Candid Wueest

Most users that have a computer spend a vast amount of time on the Internet, be it for work-related business or just out of curiosity. With so much time spent browsing the Web, it should be obvious that people will try to optimize and improve the experience of surfing the Web. For instance, the Mozilla Firefox browser allows the user to extend the browser's feature set with add-ons called extensions. If you want to control script execution on a more granular basis, then the NoScript extension might be the right thing for you to have a look at. If you get annoyed by ads while surfing, you can give AdBlock a try. These are only two of the many examples out there; there are hundreds of different extensions freely available on the Internet. Even if your idea has not yet been integrated into an extension, you can simply make one yourself (in a short amount of time) using XPCOM, XUL, AJAX, and normal JavaScript.

Looking at all the possible extensions, one thing becomes evident: these extensions are very powerful. Once installed, a Firefox extension has full read and write access to the local file system, to the registry, and to network sockets. Extensions can even start new processes on the local machine. Extensions are platform independent, if implemented correctly by the author, and can therefore read files from a Windows system as well as from a Linux machine. This allows an extension to provide very helpful features (as discussed above), but the same power can also be misused for evil purposes. We have already seen examples like JS.Ffsniff, which attempts to steal passwords and sensitive data from the user. There are also prank applications like OfficePoltergeist, which allows a remote user to take limited control over a machine once it is installed. Did you ever wonder where those pop-ups come from? Maybe you should ask your office-mate. This behavior could easily be extended to build a full remote access Trojan that runs as a browser extension; FTP and Web servers already exist as legitimate extensions. Such a back door could be dropped by an exploit or by a Trojan, as Infostealer.Snifula did. Because it runs as a browser extension, it would be non-trivial to block on the desktop firewall. Of course, it would only run while the browser is open, but this is usually a very large window of opportunity.

Does this make Firefox a less safe browser? I don’t think so; similar extensions or plugins are possible for other browsers. Take Browser Helper Objects (BHOs) for Internet Explorer, for example: it already happened there a long time ago. A user still has to be tricked into downloading and installing the extension. It’s just that people might install an extension with less precaution in mind than when downloading and running an unknown executable.

How do you prevent this from happening to you? Be careful when installing extensions and double-check the trustworthiness of the source. Because most Firefox extensions are not signed, this can be a tricky task. If you are in serious doubt, simply check the source code yourself, as the XPI extension files are just .zip archives with the scripts inside. With those precautions taken, in the end nothing disrupts your browsing fun and you can enjoy surfing the Internet as much as possible (as you hopefully do right at this moment).
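As an added illustration of that last tip (example code, not from the original post): a small Python triage script that opens an XPI as the zip archive it is and flags every script inside that references the XPCOM components granting the file system, registry, socket and process access discussed above. The sample XPI is constructed inline, and the contract-ID list is an assumed starting set for review, not a complete catalogue.

```python
import io
import zipfile

# XPCOM contract IDs behind the capabilities the post describes
# (file system, Windows registry, network sockets, process launching).
# Assumed starting list for triage, not an exhaustive one.
CAPABILITY_MARKERS = {
    "@mozilla.org/file/local;1": "local file system access (nsILocalFile)",
    "@mozilla.org/windows-registry-key;1": "Windows registry access (nsIWindowsRegKey)",
    "@mozilla.org/network/server-socket;1": "listening network socket (nsIServerSocket)",
    "@mozilla.org/network/socket-transport-service;1": "outbound socket (nsISocketTransportService)",
    "@mozilla.org/process/util;1": "launching processes (nsIProcess)",
}
SCRIPT_SUFFIXES = (".js", ".jsm", ".xul", ".xml", ".html")


def scan_xpi(xpi_bytes):
    """Open an XPI (a plain zip archive) and return {member: [capability, ...]}
    for every script-like member that references one of the marker contract IDs."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for name in xpi.namelist():
            if not name.lower().endswith(SCRIPT_SUFFIXES):
                continue
            text = xpi.read(name).decode("utf-8", errors="replace")
            hits = [desc for cid, desc in CAPABILITY_MARKERS.items() if cid in text]
            if hits:
                findings[name] = hits
    return findings


def build_sample_xpi():
    """Constructed sample XPI: its overlay script instantiates nsILocalFile and nsIProcess."""
    overlay = (
        'var f = Components.classes["@mozilla.org/file/local;1"]'
        '.createInstance(Components.interfaces.nsILocalFile);\n'
        'var p = Components.classes["@mozilla.org/process/util;1"]'
        '.createInstance(Components.interfaces.nsIProcess);\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF/>")  # metadata, not scanned
        z.writestr("chrome/content/overlay.js", overlay)
        z.writestr("chrome/content/overlay.xul", "<overlay/>")  # no markers
    return buf.getvalue()


if __name__ == "__main__":
    for member, caps in scan_xpi(build_sample_xpi()).items():
        print(member)
        for cap in caps:
            print("  -", cap)
```

A hit is a reason to read that file closely, not proof of malice; legitimate extensions such as the FTP and Web servers mentioned above use the same components.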