Mozilla Removes And Blocks 2 Firefox Add-ons
It has not happened often in the past that Mozilla had to pull the plug on add-ons hosted on the official Firefox add-on repository. This can be attributed largely to the review process that every add-on added to the site needs to undergo before it is listed.
The developers of the popular Firefox web browser have some tools at their disposal to deal with add-ons that are either malicious in nature or insecure.
A recent blog post on the Mozilla Add-ons blog revealed that Mozilla had to deal with two add-ons falling in those two groups recently.
The first add-on, Mozilla Sniffer, contained code that intercepted login information and sent it to a remote server on the Internet.
The issue was discovered on July 12, six days after the add-on was added as an experimental add-on on the Mozilla website. The add-on was disabled immediately after a manual code review and added to the global blocklist.
A total of 1800 installations had been recorded prior to the detection. All users who have installed the add-on receive an automatic uninstallation request, triggered by its addition to the blocklist.
Firefox users who have or had the Mozilla Sniffer add-on installed need to change their login information on all sites they have visited since installing the add-on to prevent possible account access by third parties.
All add-ons that developers upload to the Firefox add-on repository are scanned for malicious code. A manual review of the add-on follows at a later time. The virus scan did not detect the "phone home" function, so the add-on was listed as an experimental add-on on the public website.
It is obvious that this verification process is flawed. It might not happen often that malicious add-ons pass the initial scan but it has happened in the past.
Back in February two add-ons were discovered in the add-on repository that contained malicious code. Mozilla back then increased the number of malware scanners and the frequency of the scans.
A new security model has been proposed which changes the review process so that only code-reviewed add-ons are visible to Firefox users on the add-ons website.
Cool Previews was the second add-on the Mozilla developers had to deal with. A critical security vulnerability was discovered in version 3.0.1 of the add-on, installed by more than 170k users.
Version 3.0.1 and earlier of Cool Previews have been disabled after the discovery. The developer of Cool Previews managed to update the add-on within a day of notification; the new version is already available on the Mozilla website and as an update.
Add-on updates are displayed automatically to Firefox users. Additional information is provided in the Mozilla blog post.