The Invisible Firefox Extensions
Dec 03, 2009 04:58 PM
Candid Wueest
The Mozilla Firefox browser is constantly gaining in popularity. A recent market share survey by Net Applications gives Firefox 24% of users worldwide. One of the key philosophies of Firefox is that its functionality can easily be extended using plug-ins or extensions. According to the Mozilla Foundation, there are more than 12,000 extensions available, and it has recorded more than 1 billion extension downloads so far. Quite an irresistible target for a malware author, don’t you think?
This is by no means a new phenomenon, nor a Firefox-centric one. Browser helper objects (BHOs) in Microsoft’s Internet Explorer have been misused by attackers for years, and we saw malicious Firefox extensions appear more than three years ago. But we have recently observed an increase in malware that drops malicious BHOs, Firefox extensions, and even Opera user scripts, all in order to maximize its impact on a user’s machine. Trojan.Ransompage is a good example of such a threat targeting three browsers at once.
Even though it is often the case that people get tricked into installing malicious extensions unsolicited, most of the time we see that malicious extensions are dropped by local malware. This is not the fault of the browser per se; it's just that malware authors misuse all of the provided features, and a browser is present on nearly every system nowadays. Furthermore, all of the interesting information (such as credit card numbers or passwords) is usually entered through the browser, so it’s a perfect playing field for attackers.
In Firefox it is possible to drop an extension as a raw component directly into the core folders of Firefox. This means that the component is loaded invisibly to the user. The user has no facility to disable or uninstall it from within the browser, let alone know that it is there in the first place. This is obviously not nice, since even legitimate add-ons might crash the browser from time to time. If the add-ons are installed invisibly, the user has no chance of linking them to that behavior or disabling them. Authors of malicious extensions are obviously also fans of these stealth methods, because they provide a relatively safe hooking point into the browser.
To solve this issue, the Mozilla developers have now decided to remove this capability and only load their own core components in Firefox 3.6 and beyond. This should prevent malicious add-ons from using this method in the future, but unfortunately this is not the only trick they can use.
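On installations that still load raw components, one way to spot a file dropped into the browser's own folders is to compare that folder with a manifest taken from a known-good install. This is an added example, not code from the original post or from Mozilla; the `components` folder name, the file names and the file contents are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit_components(components_dir, baseline):
    """Compare a components folder with a known-good baseline manifest.

    Returns files that are unexpected (present but not in the baseline),
    modified (hash differs) and missing (in the baseline but absent).
    """
    current = hash_tree(components_dir)
    return {
        "unexpected": sorted(set(current) - set(baseline)),
        "modified": sorted(n for n in current
                           if n in baseline and current[n] != baseline[n]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed sample: a clean folder, then a dropped and a changed file."""
    with tempfile.TemporaryDirectory() as tmp:
        comp = Path(tmp) / "components"   # assumed folder name
        comp.mkdir()
        (comp / "nsExample.js").write_text("// shipped component\n")
        (comp / "browser.xpt").write_bytes(b"\x00typelib")
        baseline = hash_tree(comp)        # taken from the known-good state
        # Simulate what the post describes: a file placed next to the
        # browser's own components, plus a shipped file being altered.
        (comp / "dropped.dll").write_bytes(b"not part of the install")
        (comp / "nsExample.js").write_text("// shipped component\n// extra\n")
        return audit_components(comp, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

In practice the baseline would be built once from a clean install of the same Firefox version and stored somewhere the local malware cannot rewrite.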
If you want to know more on this topic, malware that uses Firefox extensions, you can read the whitepaper (.pdf) that I co-wrote with Elia Florio.