Author Topic: NoScript and other popular Firefox add-ons open millions to new attack  (Read 4778 times)

bill

  • Devil's Avocado
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1286
  • Avast!
    • View Profile
    • Email
> NoScript and other popular Firefox add-ons open millions to new attack
> Unlike many browsers, Firefox doesn't always isolate an add-on’s functions.
>
> NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.
>
> The attack is made possible by a lack of isolation in Firefox among various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking off the capabilities of trusted third-party add-ons, the malicious add-on faces much better odds of not being detected.

FF had better revamp their entire core structure...quick
« Last Edit: April 06, 2016, 01:22:48 PM by bill »

BoL

  • Inner Core
  • Hero Member
  • *
  • Posts: 1209
    • View Profile
Thanks, I use Firebug.

Seems like quite a serious exploit that'll affect many, especially in our industry. I stick with a core of 3 or 4 extensions so should be safe.
« Last Edit: April 06, 2016, 02:12:12 PM by BoL »

rcjordan

  • I'm consulting the authorities on the subject
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 16345
  • Debbie says...
    • View Profile
> 3 or 4 extensions

Same here, no matter what the OS or device.

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 9293
    • View Profile
I have a Light and a Dev profile for Firefox.

Light has what I need to surf the web. Dev has all the other stuff (like Firebug). The danger is when I'm doing dev and need to go look something up or get distracted.

Ironic, though, because NoScript is something paranoiacs like bill run in order to keep safe... ;-)

bill
> I have a Light and a Dev profile for Firefox.
>
> Light has what I need to surf the web. Dev has all the other stuff (like Firebug). The danger is when I'm doing dev and need to go look something up or get distracted.
>
> Ironic, though, because NoScript is something paranoiacs like bill run in order to keep safe... ;-)

hmmm... Where to start with this one?  ::)

I like the idea of using profiles. I wonder whether that would be enough to stop something like this. I may need to look into this a bit more. I'm not clear on how isolated these profiles are because back in the early days I remember it was possible to run multiple profiles simultaneously.

Regarding NoScript et al., I may be a bit ahead of them as I try to run all of my browser sessions in disposable virtual machines. Even if one of those machines were corrupted I could just start another. Technically in those VMs I wouldn't have to run NoScript, but I like that it eliminates a lot of the cruft from websites. That's going to be a hard habit to break.

ergophobe
> I wonder whether that would be enough to stop something like this.

Good question. I get the stability advantages of not having those plugins active, but do I get the security advantages? I'm not sure.

Obviously it doesn't help me from run-of-the-mill malicious code execution like NoScript, but the truth is I ran it for a while on your recommendation and found it a lot of trouble... not as much as a virus infection of course.

bill
Well, even Snowden was recommending NoScript, so if you're going to blame me, I'm going to kick the blame up the food chain. ;)

We're looking at 9 of the top 10 add-ons vulnerable according to the articles. There are more. Lots more. It seems the fix is to kill all of your FF add-ons.

ergophobe
Not blaming you Bill. I recognize it as a good idea, something I should do like flossing and balancing my checkbook and all those things.

I'm just fessing up to the fact that I am too lazy, despite knowing better.

[edit] Now seeing the subtext here. I never blamed you for the Live Mesh disaster. Nor did I or will I ever take responsibility for your broken arm.... though these events remain linked a decade later  ;D

In this case "trouble" just means "annoyance that I was too lazy to deal with even though I would rest easier if I would suck it up and be more like Bill".

You're my hero. I'm just not ready to level up. That's all
[/edit]
« Last Edit: April 07, 2016, 05:43:12 PM by ergophobe »

bill
> Live Mesh
Oh, did I mention the new Bittorrent Sync and SyncThing? They're even better than Live Mesh!

I guess I've earned my tin-foil hat status somewhat. Glad to know there's some value in that...even if I had to break some bones to prove it. ;)

> profiles
I know I've read all of this before, but this thread inspired me to look again as in the course of the day sometimes my multitude of privacy add-ons wreak havoc with some websites. I've resorted to using Portable Apps to run plain browser profiles, but I could do the same just using Profiles. https://developer.mozilla.org/en-US/Firefox/Multiple_profiles