Date: Wed, 30 May 2007 11:10:57 -0500 (EST)
From: "Steven Adair" <steven@...urityzone.org>
To: "Christopher Soghoian" <csoghoian@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: New Vulnerability against Firefox/ Major Extensions

We are also at risk from rogue developers, people that have
hacked/poisoned your trusted DNS provider, those that have modified your
/etc/hosts, /etc/resolv.conf, windows\system32\drivers\etc\hosts (and/or
related files), people that have hacked the update server and put their
own malicious version there, and the unlocked workstation attack from an
attacker with a USB flash drive with a malicious update that might sit
down at your workstation and -pwn- you.

Steven

> This information also posted (with html link goodness) to
> http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html
>
> --------------------------
> Executive Summary
> --------------------------
>
> A vulnerability exists in the upgrade mechanism used by a number of
> high profile Firefox extensions. These include Google Toolbar, Google
> Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar,
> AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft
> Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others,
> mainly commercial extensions.
>
> Users of the Google Pack suite of software are most likely vulnerable,
> as this includes the Google Toolbar for Firefox.
>
> The latest versions of all of those listed, and many other extensions,
> are vulnerable. This is not restricted to a specific version of
> Firefox.
>
> Users are vulnerable and are at risk of an attacker silently
> installing malicious software on their computers. This possibility
> exists whenever the user cannot trust their domain name server (DNS)
> or network connection. Examples of this include public wireless
> networks, and users connected to compromised home routers.
>
> The vast majority of the open source/hobbyist made Firefox extensions
> - those that are hosted at https://addons.mozilla.org - are not
> vulnerable to this attack. Users of popular Firefox extensions such as
> NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.
>
> In addition to notifying the Firefox Security Team, some of the most
> high-profile vulnerable software vendors (Google, Yahoo, and Facebook)
> were notified 45 days ago, although none have yet released a fix. The
> list of vulnerable extensions is longer than the one given in
> this document. Until vendors have fixed the problems, users should
> remove/disable all Firefox extensions except those that they are sure
> they have downloaded from the official Firefox Add-ons website
> (https://addons.mozilla.org). If in doubt, delete the extension, and
> then download it again from a safe place.
>
> In Firefox, this can be done by going to Tools->Add-ons. Select the
> individual extensions, and then click on the uninstall button.
>
> ------------------------------------
> Frequently Asked Questions
> ------------------------------------
>
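
Added example, not code from the original thread or from the advisory quoted above: a Python audit script that walks a directory of unpacked Firefox extensions, reads each install.rdf manifest and flags extensions whose update check could be hijacked by someone who controls DNS or the network path. It assumes the weak point is an em:updateURL fetched over plain http:// (the quoted summary describes the DNS/network trust condition but does not name the transport), and treats an extension with no em:updateURL as relying on the add-ons site instead; both are assumptions. The sample manifests, extension ids and hostnames are constructed.

```python
"""Flag Firefox extensions whose update check a DNS or network attacker
could intercept.  Added example, not code from the original thread.
Assumptions: the weak spot is an em:updateURL served over plain http://,
and a manifest with no em:updateURL relies on the add-ons site."""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "http://www.mozilla.org/2004/em-rdf#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Constructed sample manifests; the ids and hostnames are hypothetical.
SAMPLE_HTTP = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@vendor.example</em:id>
    <em:updateURL>http://updates.vendor.example/update.rdf</em:updateURL>
  </Description>
</RDF>"""

SAMPLE_HTTPS = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"
               em:id="sync@vendor.example"
               em:updateURL="https://updates.vendor.example/update.rdf"/>
</RDF>"""

SAMPLE_NONE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>hobby@example.org</em:id>
  </Description>
</RDF>"""


def _field(desc, name):
    """Read an em: field written either as a child element or as an attribute."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text and child.text.strip():
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")


def audit_manifest(xml_text):
    """Classify one install.rdf: 'insecure' (non-https updateURL),
    'ok' (https updateURL) or 'default' (no custom updateURL)."""
    root = ET.fromstring(xml_text)
    desc = root.find(f"{{{RDF}}}Description")
    if desc is None:
        raise ValueError("install.rdf has no Description element")
    ext_id = _field(desc, "id") or "<no id>"
    url = _field(desc, "updateURL")
    if url is None:
        verdict = "default"
    elif urlparse(url).scheme.lower() == "https":
        verdict = "ok"
    else:
        verdict = "insecure"
    return {"id": ext_id, "updateURL": url, "verdict": verdict}


def audit_extensions_dir(root_dir):
    """Audit every install.rdf below root_dir; unparseable files are reported, not skipped."""
    results = []
    for dirpath, _dirs, files in os.walk(root_dir):
        if "install.rdf" not in files:
            continue
        path = os.path.join(dirpath, "install.rdf")
        with open(path, encoding="utf-8") as fh:
            try:
                entry = audit_manifest(fh.read())
            except (ET.ParseError, ValueError) as exc:
                entry = {"id": "<unparseable>", "updateURL": None,
                         "verdict": f"unparseable: {exc}"}
        entry["path"] = path
        results.append(entry)
    return results


def insecure_ids(results):
    """Sorted ids of extensions that update over an interceptable channel."""
    return sorted(r["id"] for r in results if r["verdict"] == "insecure")


def demo():
    """Write the constructed samples into a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in (("a", SAMPLE_HTTP), ("b", SAMPLE_HTTPS), ("c", SAMPLE_NONE)):
            os.mkdir(os.path.join(tmp, name))
            with open(os.path.join(tmp, name, "install.rdf"), "w", encoding="utf-8") as fh:
                fh.write(text)
        return insecure_ids(audit_extensions_dir(tmp))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for r in (audit_extensions_dir(target) if target else []):
        print(f"{r['verdict']:10} {r['id']:30} {r['updateURL']}")
    if not target:
        print("insecure:", demo())
```

Run it with a profile's extensions directory as the first argument to audit real manifests; without an argument it audits the three constructed samples and reports the one with the plain-http update URL. The check is deliberately limited to the transport scheme; it says nothing about whether the update server itself is trustworthy, which Steven's reply above points out is a separate risk.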
