Mozilla bans Firefox extensions for executing remote code

Credit to Author: John E Dunn| Date: Tue, 28 Jan 2020 10:38:31 +0000

Every time it looks as if Mozilla is getting on top of the problem of malicious or risky extensions, it finds itself having to step in to block another batch.

In the latest action, noticed by a ZDNet reporter, Mozilla banned 197 extensions, 129 of which were published by one B2B software developer, 2Ring.

The nature of the banned extensions is difficult to say – Mozilla lists them on Bugzilla using only the IDs they used on addons.mozilla.org (AMO) – however, 2Ring’s products appear to be designed for organisations using Cisco telephony and other software products.

These will now be disabled in Firefox and it will no longer be possible to install or update them.

What did the extensions do to incur Mozilla’s wrath? According to the reviewer who made the decision:

I’ve reviewed the add-ons and confirmed they are executing remote code.

Dredging a swamp

The hard ban on extensions that execute remote code seems to have happened around the time pre-release versions of Firefox 72 hove into view, but this was only noticed by some developers and users when the company abruptly banned several page translation extensions in November.

At the time, some developers complained that Mozilla hadn’t communicated the change and offered no workaround for a small number of cases where it might prove useful.

In fact, the policy on remote code goes back to the early days of Firefox but was apparently not always enforced. Mozilla’s policy is now unambiguous – add-ons must be self-contained and not load remote code, which opens up the user to all sorts of risks.

That implies that, prior to November, extensions loading such code could operate with more freedom, specifically those that were being self-hosted as unlisted extensions rather than served via the AMO.

That doesn’t mean that every extension loading remote code in the past was doing so for malicious reasons, but it underlines how Mozilla is having to tighten controls in the face of growing abuse.

It’s becoming a perpetual game of whack-a-mole.

Last year it slapped a ban on extensions using obfuscated code, such as JavaScript code where the purpose or intention is in some way hidden.

That followed an incident in 2018 where Mozilla banned 23 extensions for doing things the company claimed they shouldn’t have been.

In fact, a growing list of extensions have ended up in hot water in recent months for all sorts of things, including search hijacking, and siphoning off user credentials and other user data.

Once installed, browser extensions can acquire a great deal of power, as a study last year reported when it found a small number trying to bypass basic protections such as Same Origin Policy (SOP) policy.

One conclusion is that if browsers are mini software platforms, they are only as good as the security imposed by companies such as Mozilla on the developers uploading to them.

This places huge pressure on review teams to spot problems before they occur. Today, most of the action is still in retrospect and after the fact.

Browser extensions security tips

As Mozilla points out, many extensions aren’t written by well-known developers, so a deeper dive might be necessary.

  • Install as few extensions as possible, and only from official web stores.
  • Check the reviews and feedback from others who have installed the extension.
  • Pay attention to the developer’s reputation and how responsive they are to questions and how frequently they post version updates.
  • Study the permissions they ask for (in Firefox, Options > Extensions and Themes > Manage) and check they’re in line with the features of the extension. And if these permissions change, be suspicious.

Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast.

http://feeds.feedburner.com/NakedSecurity

Leave a Reply