What's new and in the works re Firefox Extension Reuse Vulnerabilities?
We use 2 of the 9 extensions that have reuse vulnerabilities. In addition to learning when Mozilla expects to roll out sandboxing FF extensions, we are interested in whether/when the referenced CrossFire app will be available to download. In the meantime, what is Mozilla's recommendation for secure use of the Firefox browser? Is it time to switch to Chrome, or do the same vulnerabilities apply to all browsers that permit add-ons/extensions?
All Replies (5)
For reference by other readers, see: http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
The Add-ons team has a forum over here where they may be able to update you on whether anything can be done about this in the short term: https://discourse.mozilla-community.org/c/add-ons
From the support perspective, being cautious about the extensions you install remains the #1 security control on extension re-use or any other potentially bad behavior.
By the way, CrossFire is an analytic tool to determine whether a trusted extension exposes functionality that could be misused by a bad extension. I'm not sure whether it's easy for end users to use or is designed only to be used by the Add-ons team in their reviews. Possibly the researchers do not plan to just give it out to everyone since it also builds proof-of-concept exploits based on its analysis.
jscher2000, TY for the response & link to Add-ons team. Hope guidance for the interim is forthcoming.
The interim guidance from me is really nothing new: assume that any and every extension you install has the full run of your Firefox and your system, and choose carefully.
Well-behaved extensions are not the problem; it is malware-ish extensions using the capabilities of well-behaved extensions that pose the risk. The Add-ons team has said it will be more vigilant in looking for any such bad extensions, but ultimately it will always be a case of "buyer beware."
We do try to choose carefully (the basics such as NoScript, ADP, WOT, BetterPrivacy) & use the minimum necessary of favorably rated. But will revisit & control urge to use extensions that maintain some of the "old (familiar) look & feel" of earlier FF versions and try to roll more with the times...
TY again.