Firefox Exploitable Through Popular Plugins Such As NoScript

NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data.

There is no isolation among various Firefox add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons, thereby bypassing the normal vetting process that all plugins undergo before being allowed onto the Firefox plugins store. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the extension takes advantage of vulnerabilities in popular third-party add-ons such as NoScript and Firebug, that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking off the capabilities of these trusted and already-installed third-party addons, the malicious addon faces better odds of not being detected.

Of the top 10 most popular add-ons vetted by Mozilla officials and made available on the Mozilla website, only Adblock Plus was found to contain no flaws that could be exploited by a malicious add-on that relied on reuse vulnerabilities. Besides NoScript, Video DownloadHelper, Firebug, Greasemonkey, and FlashGot Mass Down all contained bugs that made it possible for the malicious add-on to execute malicious code. Many of those apps, and many others analyzed in the study, also made it possible to steal browser cookies, control or access a computer’s file system, or to open webpages to sites of an attacker’s choosing.

The researchers noted that attackers must jump over several hurdles before such a malicious add-on would succeed. First, someone must go through the trouble of installing the phony, trojaned extension. Then, the computer that downloads it must have enough vulnerable third-party addons installed to achieve the attackers’ objective. Still, the abundance of vulnerable addons makes the odds favor attackers, at least in many scenarios.

In many cases, a single addon contains all the functionality an exploited addon needs to cause a computer to open the malicious website. In other cases, the attacker addon could exploit one 3rd-party addon to download a malicious file and exploit a second 3rd-party addon to run it. In the event that a targeted computer isn’t running any 3rd-party addons that can be exploited, the attacking addon can be programmed to provide a “soft fail”, so that the end user has no way of noticing a failed exploit attempt. The technique allows the malicious extension to discreetly download a malicious program and execute it.

Proof of concept

The researchers said they developed an add-on containing about 50 lines of code that passed Mozilla’s automated analysis and its human review process. Ostensibly, ValidateThisWebsite—as the proof-of-conecpt addon was called—analyzed the HTML code of a given website to determine if it was compliant with current standards. Behind the scenes, the add-on made a cross-extension call to NoScript that caused Firefox to open a Web address of the researchers’ choosing.