Firefox's protection against silent extension installations can be bypassed

Martin Brinkmann
Jan 17, 2013

Modifications to the Firefox browser by third-party applications, often in the form of adware offers in program installers or by security software, are something that users of the browser have had to cope with for a long time. Some time ago, Mozilla added protection to the browser that prevents extensions installed by third-party programs from being enabled by default. Whenever the browser recognizes a silent installation, it prompts users to either enable the extension if it is wanted or keep it turned off if it is not.

In the background, the browser checks all installed extensions, which are usually found in the extensions folder of the profile folder but sometimes in other locations, against the contents of the extensions.sqlite file. A warning is shown if an extension is found but is not listed in the sqlite file.

Researchers at Zscaler have found a way to bypass the notification message that Firefox normally displays to its users. All it takes is adding information about the silently installed extension to the extensions.sqlite file so that it does not trigger Firefox's protection. The end result is that the extension gets installed and enabled in the browser without notification.

The extensions.sqlite file is a database that contains information about each installed extension including its name and version, whether it is enabled or not, and whether it has been installed from Mozilla's Firefox Add-ons repository or by a third party.
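
Because the bypass relies on a new entry appearing in extensions.sqlite, a row-level baseline of that file shows which entries were added between two checks. The following is an added example, not code from this article or from Zscaler; it reads whatever tables the database contains, and the `addon` table and add-on IDs in `demo()` are a constructed stand-in, not Firefox's actual layout.

```python
import os
import sqlite3
import tempfile


def snapshot(db_path):
    """Return {table_name: set(rows)} for every user table in the database."""
    # Open read-only so the monitor itself never modifies the file.
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'")]
        return {t: set(con.execute('SELECT * FROM "%s"' % t.replace('"', '""')))
                for t in tables}
    finally:
        con.close()


def diff(baseline, current):
    """List (table, change, row) for rows added or removed since the baseline."""
    changes = []
    for table in sorted(set(baseline) | set(current)):
        old, new = baseline.get(table, set()), current.get(table, set())
        changes += [(table, "added", r) for r in sorted(new - old, key=repr)]
        changes += [(table, "removed", r) for r in sorted(old - new, key=repr)]
    return changes


def demo():
    """Constructed sample data: a stand-in table, NOT Firefox's real schema."""
    path = os.path.join(tempfile.mkdtemp(), "extensions.sqlite")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE addon (id TEXT, version TEXT, active INTEGER)")
    con.execute("INSERT INTO addon VALUES ('known@example.test', '1.0', 1)")
    con.commit()
    baseline = snapshot(path)  # taken while the profile is known to be clean
    # Simulate another program writing to the file between two checks.
    con.execute("INSERT INTO addon VALUES ('unexpected@example.test', '0.1', 1)")
    con.commit()
    con.close()
    return diff(baseline, snapshot(path))


if __name__ == "__main__":
    for table, change, row in demo():
        print(f"{change:8} {table}: {row}")
```

Extensions the user installs on purpose also show up as added rows, so each reported change has to be reconciled with what was actually installed.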

The developers have released demo code that installs an extension silently into Firefox profiles when executed. The researchers suggest creating a new profile to test the method in Firefox.

They have also released a demo video that highlights the whole process.

Closing Words

It is unlikely that the majority of adware offers will abuse the loophole to install themselves silently on the system. Creators of malicious software on the other hand may use it to plant their extensions in the Firefox browser without the user knowing about it. Users can only find out about silently installed extensions if they check the add-ons listing of the browser by loading about:addons in it.

It needs to be noted that the method can only be used when software is executed by the user on the system.

Still, it is important to know that it is possible to bypass the protection. There is little that users can do to prevent this from happening other than being very careful with regard to the programs they run on their systems.


Comments

  1. mmm4m5m said on September 8, 2015 at 9:16 am

    The problem with this research is – you are running an “evil” executable on your computer – nothing can protect you in this case! The general rule applies here – do not run untrusted applications on your trusted computer.
    A more interesting scenario could be – is it possible for an extension installed in profile “test” to modify other profiles and silently modify/install things (like “Firefox Security Update”)

  2. Will said on January 19, 2013 at 4:20 am

    Hey,

    Well the good news I guess is that it’s “easy” to fix.

    Have an encrypted file on disk, digitally signed by Mozilla and if altered then you alert the user.

    The file would of course be the list of currently enabled add-ons and only Firefox itself can write to it.

    Problem solved rather nicely. ;)

    cya,

    Will

  3. Nebulus said on January 17, 2013 at 11:30 pm

    @trender101: Existing HIPS software is perfectly capable of protecting against this kind of behavior, there is no need for a separate solution. However, it requires some user intervention, not just leaving everything at default settings.
    @Al Gee: I didn’t play much with Sandboxie, but from what I understand its purpose is to protect your computer from the threats that come from “inside” your browser (i.e. drive-by malware download), and not to protect Firefox from the threats running on your computer.

  4. trender101 said on January 17, 2013 at 8:10 pm

    @ Al Gee
    Yes!
    I never browse in FF without Sandboxie.

    But there should be a more basic “line of defense” monitoring software against unwanted Extensions behavior in FF

  5. trender101 said on January 17, 2013 at 8:06 pm

    Another excellent & practical report, Martin! Thank you.

    Useful extensions/addons are the great advantage of FF, and it’s a pity that they have become a “surface of attack” to FF Users…

    It’s time for someone to write a [ Firefox Extensions Monitor ], to detect unwanted behavior in the “extensions.sqlite” file or other associated files.

    Similar to the tons of traditional AV software, we need to protect our FF. (Of course, that should be the job at the FF/Mozilla Extensions Repository…).

  6. Al Gee said on January 17, 2013 at 8:04 pm

    Am I missing something here? Isn’t this the sort of thing that running Firefox inside of a sandbox (i.e. religiously using a program like Sandboxie) will protect against?

  7. Nebulus said on January 17, 2013 at 2:56 pm

    This is troublesome, but not unexpected. Firefox keeps information about its extensions in the registry and in the file mentioned in the article on the Zscaler blog. It is easy for an application that runs on your system to alter those files or registry entries, and it is very hard to defend against this. A workaround that I can think of is to have some HIPS on your computer that will alert you on the modification of those files or even stop any application other than Firefox from writing to them.
