Malware Writers Target Firefox Through Extensions

[Gauravs90]

One of the first things many people do to try and avoid security problems on Windows is to switch users to Firefox. It's true that Internet Explorer is a big fat target and probably the exclusive target of most browser-oriented malware, but that's not the whole story. Much drive-by malware works the same in any browser, relying as it does on social engineering and pushing EXEs and PDFs. Now it seems, according to Symantec, that malware specifically targeting Firefox is on the rise.

The Symantec paper focuses specifically on Firefox extensions rather than plug-ins or themes, although all are potential attack vectors. The difference between extensions and plug-ins is subtle, but it appears that plug-ins handle specific data types; Adobe Reader and Flash, Java and QuickTime are all examples of plug-ins. Extensions are more about creating new features in the browser, like password management, script management (like NoScript), toolbars, etc. On the other hand, sometimes you'll find extension-like programs implemented as plug-ins, like LastPass.


Extensions can become malicious in a number of ways described in the paper. Since they are trusted code, they can install malicious updates to themselves through standard update mechanisms. This could happen intentionally or unintentionally; the security mechanisms around extensions are few and far between at this point, including the absence of code signing for example. An infected developer system last year resulted in the Vietnamese distribution of Firefox 2 containing malicious code.


Other attack techniques include hiding and obfuscating extensions and having one inject code into another. Finally, extensions themselves can have vulnerabilities which can be exploited by malicious web sites.


The mitigation techniques described aren't all that encouraging; Submitting extensions through the official Firefox process involves a testing program, and if an extension is known to be bad Mozilla can blacklist it through updates. The paper concludes with a list of known malware that abuse Firefox.


Source: http://www.pcmag.com/article2/0,2817,2356815,00.asp