Add-ons for Mozilla Firefox could help to spread malware
Wednesday, November 25, 2009
Security researchers employed by Security Assessment say that Mozilla, the maker of the popular Firefox web browser, does an inadequate job of securing its software against malicious code in user-installed extensions.
A presentation slide from the talk given by Roberto Liverani and Nick Freeman at the DefCon hacker convention asserted that Firefox's security measures for extensions are "non-existent." Liverani and Freeman say that malware authors have already used the vulnerability to hijack browser sessions and compromise sensitive personal data, citing cases from as long ago as 2006, when the Formspy Trojan masqueraded as a legitimate Firefox add-on.
The researchers say that users are not used to thinking that Firefox extensions might be unsafe, since the browser itself has an excellent reputation for security. Open source software is frequently vulnerable to malicious exploitation, according to Liverani and Freeman, because the access to core functionality is so widespread and simple to research.
The techniques used to create malicious Firefox extensions are common ones in the world of malware, including the use of XSS hacks to spread malicious Javascript.
Related News:
Conficker still a threat to web security - 3.18.2010
The Conficker worm was by far the most notorious piece of malware in 2009 for several reasons. Not only did it receive media attention and infect more computers than any other strain, according to Katonda, a business technology website, it reminded web security professionals of bygone days when major epidemics were the norm.
Network security update not responsible for crashes - 2.24.2010
Reports of the so-called "blue screen of death" following the installation of the latest Microsoft security update are the result of malware, not a defect in the update.
Botnets and Chuck Norris take aim at network security - 2.22.2010
Last week, word spread of the Kneber botnet compromising more than 2,000 computers worldwide. With the start of a new week comes more malware attacks plaguing the web community. The so-called "Chuck Norris" botnet is attacking routers and DSL modems by guessing commonly used passwords.
Web security company warns of scareware's risk - 2.19.2010
The rise in scareware attacks and cyber criminal behavior in general forced DynaSis, an IT services company, to issue a warning to its users about the threat of fake anti-virus software infecting their computers on Friday.
Age-old trick with brand-new target - 1.18.2010
Cyber criminals have turned to a scam from the early days of the internet to target the growing smartphone market: Trojan phone dialers.
|
