Quote: NoScript and other popular Firefox add-ons open millions to new attack (http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/)
Unlike many browsers, Firefox doesn't always isolate an add-on’s functions.
NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.
The attack is made possible by a lack of isolation in Firefox among various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking off the capabilities of trusted third-party add-ons, the malicious add-on faces much better odds of not being detected.
FF had better revamp their entire core structure...quick
Thanks, I use Firebug.
Seems like quite a serious exploit that'll affect many, especially in our industry. I stick with a core of 3 or 4 extensions so should be safe.
> 3 or 4 extensions
Same here, no matter what the OS or device.
I have a Light and a Dev profile for Firefox.
Light has what I need to surf the web. Dev has all the other stuff (like Firebug). The danger is when I'm doing dev and need to go look something up or get distracted.
Ironic, though, because NoScript is something paranoiacs like bill run in order to keep safe... ;-)
Quote from: ergophobe on April 06, 2016, 04:30:28 PM
I have a Light and a Dev profile for Firefox.
Light has what I need to surf the web. Dev has all the other stuff (like Firebug). The danger is when I'm doing dev and need to go look something up or get distracted.
Ironic, though, because NoScript is something paranoiacs like bill run in order to keep safe... ;-)
hmmm... Where to start with this one? ::)
I like the idea of using profiles. I wonder whether that would be enough to stop something like this. I may need to look into this a bit more. I'm not clear on how isolated these profiles are because back in the early days I remember it was possible to run multiple profiles simultaneously.
Regarding NoScript et al., I may be a bit ahead of them as I try to run all of my browser sessions in disposable virtual machines. Even if one of those machines were corrupted I could just start another. Technically in those VMs I wouldn't have to run NoScript, but I like that it eliminates a lot of the cruft from websites. That's going to be a hard habit to break.
Quote from: bill on April 06, 2016, 10:41:01 PM
I wonder whether that would be enough to stop something like this.
Good question. I get the stability advantages of not having those plugins active, but do I get the security advantages? I'm not sure.
Obviously it doesn't help me from run-of-the-mill malicious code execution like NoScript, but the truth is I ran it for a while on your recommendation and found it a lot of trouble... not as much as a virus infection of course.
Well, even Snowden was recommending NoScript, so if you're going to blame me, I'm going to kick the blame up the food chain. ;)
We're looking at 9 of the top 10 add-ons vulnerable according to the articles. There are more. Lots more. It seems the fix is to kill all of your FF add-ons.
Not blaming you Bill. I recognize it as a good idea, something I should do like flossing and balancing my checkbook and all those things.
I'm just fessing up to the fact that I am too lazy, despite knowing better.
[edit] Now seeing the subtext here. I never blamed you for the Live Mesh disaster. Nor did I or will I ever take responsibility for your broken arm.... though these events remain linked a decade later ;D
In this case "trouble" just means "annoyance that I was too lazy to deal with even though I would rest easier if I would suck it up and be more like Bill"
You're my hero. I'm just not ready to level up. That's all
[/edit]
> Live Mesh
Oh, did I mention the new Bittorrent Sync and SyncThing? They're even better than Live Mesh!
I guess I've earned my tin-foil hat status somewhat. Glad to know there's some value in that...even if I had to break some bones to prove it. ;)
> profiles
I know I've read all of this before, but this thread inspired me to look again as in the course of the day sometimes my multitude of privacy add-ons wreak havoc with some websites. I've resorted to using Portable Apps to run plain browser profiles, but I could do the same just using Profiles. https://developer.mozilla.org/en-US/Firefox/Multiple_profiles
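Picking up the profile question from the posts above: since the extension reuse attack rides on whatever add-ons are active in the same profile, a quick defender's check is to inventory the active add-ons per profile and flag any that don't belong in a "Light" profile. The script below is an added example, not code from the thread, from Mozilla, or from the article; it assumes the layout of profiles.ini ([ProfileN] sections with Name, IsRelative, Path) and of extensions.json (addons[].id, .active, .userDisabled, .defaultLocale.name), and the profile directory, add-on IDs and add-on names it uses are constructed samples written to a temporary directory.

```python
"""Per-profile Firefox add-on inventory (added example; assumes the file layouts noted below)."""
import configparser
import json
import tempfile
from pathlib import Path

# Constructed sample profiles.ini. The [ProfileN] / Name / IsRelative / Path keys
# follow the real file's layout; the names and paths are made up.
SAMPLE_PROFILES_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=Light
IsRelative=1
Path=abcd1234.Light

[Profile1]
Name=Dev
IsRelative=1
Path=ef567890.Dev
"""

# Constructed extensions.json contents per profile. Field names are an assumption
# about the real file; the add-on IDs and names are placeholders, not real add-ons.
SAMPLE_EXTENSIONS = {
    "Light": {"addons": [
        {"id": "noscript@example.test", "active": True, "userDisabled": False,
         "defaultLocale": {"name": "NoScript"}},
        {"id": "devhelper@example.test", "active": True, "userDisabled": False,
         "defaultLocale": {"name": "Stray Dev Helper"}},
    ]},
    "Dev": {"addons": [
        {"id": "noscript@example.test", "active": True, "userDisabled": False,
         "defaultLocale": {"name": "NoScript"}},
        {"id": "firebug@example.test", "active": True, "userDisabled": False,
         "defaultLocale": {"name": "Firebug"}},
        {"id": "toolbar@example.test", "active": False, "userDisabled": True,
         "defaultLocale": {"name": "Old Toolbar"}},
    ]},
}

# What each profile is supposed to carry: the "Light" profile is surf-only.
ALLOWED = {"Light": {"NoScript"}, "Dev": {"NoScript", "Firebug"}}


def parse_profiles_ini(text: str) -> dict[str, str]:
    """Map profile name -> profile directory path from profiles.ini text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {cp[s]["Name"]: cp[s]["Path"]
            for s in cp.sections() if s.startswith("Profile")}


def active_addons(extensions_json: str) -> list[str]:
    """Names (falling back to IDs) of add-ons that are active and not user-disabled."""
    data = json.loads(extensions_json)
    names = []
    for addon in data.get("addons", []):
        if addon.get("active") and not addon.get("userDisabled"):
            names.append(addon.get("defaultLocale", {}).get("name") or addon["id"])
    return sorted(names)


def inventory(firefox_dir: Path) -> dict[str, list[str]]:
    """Active add-ons per profile under a Firefox config directory."""
    profiles = parse_profiles_ini((firefox_dir / "profiles.ini").read_text())
    result = {}
    for name, rel in profiles.items():
        ext = firefox_dir / rel / "extensions.json"  # absolute Path stays absolute
        result[name] = active_addons(ext.read_text()) if ext.exists() else []
    return result


def unexpected(inv: dict[str, list[str]], allowed: dict[str, set[str]]) -> dict[str, list[str]]:
    """Add-ons active in a profile that are outside that profile's allow-list."""
    return {p: sorted(set(addons) - allowed.get(p, set())) for p, addons in inv.items()}


def demo() -> dict:
    """Write the constructed samples to a temp dir and run the inventory over them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "profiles.ini").write_text(SAMPLE_PROFILES_INI)
        for name, rel in parse_profiles_ini(SAMPLE_PROFILES_INI).items():
            (root / rel).mkdir()
            (root / rel / "extensions.json").write_text(json.dumps(SAMPLE_EXTENSIONS[name]))
        inv = inventory(root)
        return {"inventory": inv, "unexpected": unexpected(inv, ALLOWED)}


if __name__ == "__main__":
    for profile, extras in demo()["unexpected"].items():
        print(f"{profile}: {'clean' if not extras else 'unexpected -> ' + ', '.join(extras)}")
```

Pointing inventory() at a real Firefox config directory (the one holding profiles.ini) gives the same report for actual profiles; the point is that a profile only protects you from add-on reuse to the extent that the risky add-ons are genuinely absent from it, which is exactly what the allow-list comparison surfaces.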