According to security researchers, hundreds of popular Firefox browser extensions are vulnerable to an attack that could give cyber criminals control of Mac OS X and Windows machines. The experts say that the flaw is tied to Firefox’s support for an older browser extension platform and to the Mozilla Foundation’s plug-in vetting process for its Firefox browser. The researchers’ findings were presented at Black Hat Asia last week.
“Attackers could write an extension that looks innocuous to anyone reviewing the plug-in. But once added to the Firefox browser, the benign-looking extension could easily exploit a second Firefox extension to plant malware on the user’s computer,” said William Robertson, an assistant professor at Northeastern University and one of the four researchers who discovered the vulnerability.
In the “CrossFire report: An Analysis of Firefox Extension-Reuse Vulnerabilities,” researchers say that 2,000 Firefox extensions – including nine of the top 10 extensions – are exploitable via “extension-reuse vulnerabilities.” The experts tested the desktop version of the Firefox browser running on Mac OS X and Windows platforms and found both vulnerable.
“The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia,” said Nick Nguyen, Mozilla vice president of product strategy, in a statement to Threatpost. “The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.” Nguyen said that later this year Firefox will start to sandbox extensions so that they cannot share code.
So-called reuse flaws outside the context of web browsers are not new, Robertson told Threatpost. “We have just never seen a reuse vulnerability exploited within a browser extension like this.”
According to the Northeastern experts, Firefox, unlike other browsers, does not isolate a browser add-on’s functions. The researchers claim that this lets an attacker submit an extension that looks harmless and passes the Mozilla Foundation’s vetting process. Once installed, however, the extension can work independently and leverage a second Firefox extension to function in ways it was never intended to. This could allow the attacker to manipulate the second plug-in into installing malware on the Mac OS X or Windows machine.
“Extensions can often access private browsing information such as cookies, history and password stores, and also system-wide resources,” researchers explained.
“For instance, Firefox exposes a rich API to its extensions through XPCOM (Cross Platform Component Object Model) that allows nearly unrestricted access to sensitive system resources such as the filesystem and network. Consequently, malicious extensions, or attacks directed at legitimate extensions, pose a significant security risk to users.”
The security experts also claim that the Firefox extension architecture allows JavaScript extensions installed on a Mac OS X or Windows system to share the same JavaScript namespace. That, they say, makes it possible for an extension to “invoke the functionality (or modify the state) of others.”
William Robertson points to Firefox’s reliance on the older XPCOM framework, which does not isolate extensions, as the source of the problem. The Mozilla Foundation, he said, had planned to support the more modern Jetpack framework, similar to the Google Chrome and Microsoft Edge browsers, which isolated extension modules from each other.
However, last year the Mozilla Foundation reported that it would support the WebExtensions framework, which would allow for add-on compatibility between the Chrome and Opera browsers. This project is still in progress. WebExtensions restricts interaction between browser add-on modules. After the Mozilla Foundation announced plans to support WebExtensions, support for the Jetpack framework dwindled.
“Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security,” Nick Nguyen told Threatpost.
“The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative – our project to introduce multi-process architecture to Firefox later this year – we will start to sandbox Firefox extensions so that they cannot share code,” Nguyen added.
According to William Robertson, the Mozilla Foundation has been aware of Northeastern University’s research for “some time” and, since then, has been more vigilant in its evaluation of Firefox add-ons submitted for inclusion in the web browser.
“Malicious extensions that utilize this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures,” researchers wrote.
“The malicious extension itself does not make any sensitive API calls or resource accesses, which allows the malicious behavior to stay hidden.”
Security specialists also say that testing of extensions should require an analysis of how an extension candidate would interact with all other Firefox extensions, making the vetting process arduous.
“Vetting,” researchers wrote, “would require covering the code from the entire extension pool available to Firefox users since the attack could utilize code from any and multiple extensions, which would considerably increase the complexity of the analysis task.”
In addition, the experts uploaded a proof-of-concept extension that passed a “fully reviewed” analysis.
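The shared JavaScript namespace and the pool-wide vetting problem described above can be modelled in a few lines. This is an added example, not code from the CrossFire paper or from Mozilla: Node.js `vm` contexts stand in for extension scopes, and the extension sources and names (`FileSaver`, `NotePad`, `Helper`) are constructed for illustration.

```javascript
// Added example: Node.js vm contexts stand in for extension scopes.
// Every extension source below is constructed, not a real add-on.
const vm = require('vm');

// Constructed pool: one top-level script per installed extension.
const pool = {
  downloader: 'var FileSaver = { save: function (u) { return "saved:" + u; } };',
  notes: 'var NotePad = { text: "" };',
};
// Constructed candidate under review: it makes no sensitive call itself.
const candidate =
  'var Helper = { run: function () { return FileSaver.save("x"); } }; Helper.run();';

// Globals a script defines when loaded alone in a fresh context.
function definedGlobals(source) {
  const sandbox = vm.createContext({});
  vm.runInContext(source, sandbox);
  return Object.keys(sandbox);
}

// Reviewer check: which globals owned by pool extensions does the candidate
// mention? Coarse whole-word match, so strings and comments can also hit.
function crossReferences(candidateSrc, poolSrcs) {
  const hits = [];
  for (const [owner, src] of Object.entries(poolSrcs)) {
    for (const name of definedGlobals(src)) {
      if (new RegExp('\\b' + name + '\\b').test(candidateSrc)) hits.push({ owner, name });
    }
  }
  return hits;
}

// Legacy model: all extensions share one global scope.
function runShared(poolSrcs, candidateSrc) {
  const shared = vm.createContext({});
  Object.values(poolSrcs).forEach((src) => vm.runInContext(src, shared));
  return vm.runInContext(candidateSrc, shared);
}

// Isolated model: the candidate only sees its own scope.
function runIsolated(candidateSrc) {
  try {
    return vm.runInContext(candidateSrc, vm.createContext({}));
  } catch (err) {
    return err.name; // error object comes from another realm, so compare by name
  }
}
```

The check only works because it is given the whole pool, which is the cost the researchers point to: reviewing the candidate's source alone shows no sensitive call at all.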