As you probably know, plugins are external software components to which the web browser delegates the rendering of custom content inside web pages, the playing of audio clips and potentially much more: they can actually do anything, since they are executable code running inside the browser process with the same privileges as their host. This raises major security concerns, no doubt about that. They have accumulated lots of security issues of their own over time, and the scriptable ones (like Flash or Java) are often used in combination with JavaScript to prepare memory for attacks that work around the protection features deployed by modern OSes. That’s why one of the major features of NoScript is blocking plugin content from untrusted web sites, and optionally from trusted ones too, in an easy “click to activate” fashion: this way you can considerably reduce your attack surface, while retaining the ability to access plugin content on sites where you really need it.

Add-ons, in Mozilla-speak, are a broader category, including plugins of course, but also themes (packages which can change your browser’s appearance, also called “skins” in other communities) and extensions. NoScript itself is an add-on, or more precisely an extension. Extensions are small applications developed with the same technologies Firefox is made of (i.e. XUL, JavaScript, XPCOM and, possibly but rarely, C++) which upon installation get tightly integrated into the browser, extending (and hopefully enhancing) its functionality. They can access and modify practically any aspect of the browser, and are granted the same privileges as the browser itself. With great power comes great responsibility, and add-ons are obviously not immune to bugs which can compromise browser security.

There are some differences, though, between extensions and plugins with regard to security:

  1. Extensions which are found to be unsafe can be promptly disabled worldwide by Mozilla admins using a remote centralized mechanism. This is true for plugins too, but I’m very dubious that Mozilla would abruptly kill Flash (or even worse, Java) on all its users in reaction to a zero-day vulnerability disclosure…
  2. Extensions enjoy a safe and very effective update mechanism, which allows security updates to be deployed almost instantly. The same can’t be said for most, if not all, of the most popular plugins.
  3. The vast majority of Firefox extensions are open source. Those hosted on AMO, which is where Firefox sends you to safely install add-ons* (originally written here as “the only place where you can safely install add-ons from”), must allow per-policy code reviews; therefore, even in those rare cases where native executable code is included, it must come with its sources, no matter the license. This allows manual screening against malicious extensions (all the hosted add-ons are also automatically scanned by anti-virus software anyway), or more focused security code reviews like the one Wladimir Palant performed recently.

Wladimir is also engaged in a laudable effort to educate extension developers in safer coding practices: whoever maintains or wants to develop a Firefox extension should subscribe to his feed.

Coming to “Security Advisers”, Roger A. Grimes (a CPA, a CISSP, a CEH, a CHFI, a TICSA, and an MCSE: Security, which in plain English means more or less “security consultant with a strong Microsoft background”) recently wrote a series of articles comparing the security features of all the major browsers.

The one about Firefox contained, among others, a quite disturbing (for me at least) paragraph (emphasis is mine):

Although add-ons such as NoScript, and plug-ins such as Adobe Flash, bring many useful capabilities to Firefox, at the same time they come with problems and security issues of their own. Firefox has a built-in add-on manager that allows you to browse available extensions, install and uninstall them, and enable and disable them, but again, they can’t be enabled or disabled with per-site granularity.

So I decided to send Roger an email, sparking a pretty intense exchange (in the meanwhile, I was implementing PoC X-Frame-Options compatibility for Firefox with my left hand).

Yesterday I noticed he published a synthesis of our discussion. Even though he cut some logical passages, making our reasoning a bit hard to follow, I have been positively impressed by his openness and I’d like to rectify just two little things:

  1. Roger introduces his report of our thread with these words:

    I indicated that browser add-ons (or plug-ins) could bring additional risk to a browser. One browser add-on provider, Giorgio Maone of Firefox’s NoScript, wrote me to strongly disagree.

    As this very post of mine demonstrates, I couldn’t and didn’t disagree on the concept “that browser add-ons could bring additional risk to a browser”. But I was rather surprised (and, honestly, pissed off) about his suggestive exemplification choices.

  2. In an original message of mine, I tried to explain my objection this way:

    You would never dare to say “Mail servers and Web servers, such as qmail and IIS, which come with problems and security issues of their own…”

    I chose qmail for my example because of its almost immaculate security record: should you pick a single product to illustrate mail server security risks, you’d bash Sendmail with its several documented vulnerabilities, rather than DJB’s impervious creature. However, the article inexplicably morphed “qmail” into GMail, making my point quite obscure (given that GMail is not even a proper mail server, nor exactly a security champion).

That said, I appreciate Roger’s transparency and I hope we’ll have chances for new constructive discussions.

* Note: JJ Barton correctly pointed out to me that sites other than AMO can adopt the same hosting security policies (automatic update over an SSL channel, which by the way is required by the Mozilla browser toolkit itself, and possibly blacklisting of unsafe versions), e.g. GetFirebug.com for the Firebug extension. However, AMO is the place where you’re automatically directed by Firefox itself when you look for an add-on, so stressing its security features was very important.

16 Responses to “Browser Plugins, Add-Ons and Security Advisers”

  1. #1 johnjbarton says:

    Nice work Giorgio! One small correction: you said
    AMO, which is the only place where you can safely install add-ons from,
    which is obviously false, by your own reasoning if nothing else.

    In pointing out the practices employed at AMO to improve add-on security, you don’t need to slap down every other site. For example, getfirebug.com has Firebug add-ons with the same security as AMO, including secure updates.

    jjb

  2. #2 Cal-O-Ne says:

    "in the meanwhile, I was implementing PoC X-Frame-Options compatibility for Firefox with my left hand"

    Now the major question is: Are you left- or right-handed? :o)

  3. #3 Chin Fang says:

    First, suggestion to fix a typo: "I have been positively impressed by is…" should be "I have been positively impressed by its…"

    Second, the backend of gmail, as many others (e.g. Yahoo!Mail), including Postini which was acquired by Google in its early days, uses derivatives (i.e. modified forms) of plain qmail. In other words, qmail has a profound influence on many large-scale mail services on the Internet. This is just FYI for other readers of this blog.

  4. #4 kuza55 says:

    Actually I think "a CPA, a CISSP, a CEH, a CHFI, a TICSA, and an MCSE: Security" translates to "idiot with a microsoft bent" in English (yes, I know some people are forced to get certs, yada yada yada, but I have yet to see anyone who proudly displays a long list of certs to be in any way competent at security)

  5. #5 pwnedwatchingfartporn says:

    Bottom line is that enabling a script remains a crapshoot, even on fully patched systems.

    How annoying that after all these years, I still can’t watch online videos, etc, without placing my system at risk.

  6. #6 Dan Veditz says:

    AMO-hosted addons with binary components don’t necessarily present source for those components. This does make review of those addons problematic.

  8. #8 Vadusik says:

    FlashGet 3 …

  9. #9 Giorgio says:

    @Dan:
    last time I’ve been involved in a discussion about binary components (AMO 2.0 times, long ago), there was an orientation to mandate source code inclusion in the XPI for those add-ons containing them, FWIW (of course, nobody can grant the binary is actually related to the source). FlashGot’s XPI does include C++ sources, for instance. Has this policy been abandoned, after all?

  10. #10 Tom T. says:

    @ pwnedwatchingfartporn says:
    "Bottom line is that enabling a script remains a crapshoot, even on fully patched systems. How annoying that after all these years, I still can’t watch online videos, etc, without placing my system at risk."

    May I recommend Sandboxie? 3w dot sandboxie dot com. It’s free, but it’s nagware, and the nag screens keep getting worse with each update. If you get v3.02 or earlier, it’s just a single mouse click to go away. Although the name was (cleverly) derived from "Sandbox IE", you can also sandbox Fx or any other app, including, say, Apple Quick Time. So you can watch your movies inside the SB browser, or d/l them to the desktop inside SB, without worrying that anything in there can affect your machine. SB makes a virtual clone of the particular app (i. e., IE, or Fx) and necessary Reg hive, and renders the rest of your hard drive read-only to the sandboxed process. When done, empty the sandbox, and viruses, germs, STDs, etc. are flushed down the drain. Your hard drive remains virginal. And of course, you can still use NS inside SB for further protection (like wearing two condoms).

    I have no personal connection with Sandboxie or its developer, but I recommend it whenever I can, just as I have no personal connections to Giorgio, but recommend NS whenever I can.

    Watch whatever you like without placing your system at risk. Cheers!

  11. #11 Johannes la Poutre says:

    Regarding secure updates of Firefox Add-ons: there is even a third option without using SSL.
    You sign the extension’s install.rdf and, for every update, the corresponding update manifest, with a signed checksum of the new installer package (.xpi).

    This is well documented [1] and there is a XULRunner-based tool available, McCoy [2], which takes care of all of the signing actions.

    I chose this approach for the Twones Firefox Add-on, which is currently in private beta and only distributed from our own website at www.twones.com.

    The bottom line is: if you trusted the extension when you installed it first, you also trust future updates which are signed with the same key.

    So this enables secure auto-update over plain http!

    1. https://developer.mozilla.org/en/Extension_Versioning%2c_Update_and_Compatibility#Securing_Updates
    2. https://developer.mozilla.org/en/McCoy
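The trust model described in the comment above, as an added example that is not part of the original comment or of the McCoy tool: the client pins the developer’s public key at first install, the developer signs each update manifest together with the hash of the new .xpi, and the client checks both before installing, so the transport itself need not be trusted. Ed25519 and the flat manifest layout are assumptions for illustration; the real mechanism signs the RDF manifests linked above with an RSA key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// UpdateManifest stands in for one update manifest entry: the new version,
// the hash of the .xpi it points to, and the developer's signature over both.
type UpdateManifest struct {
	Version   string
	XPIHash   string // hex SHA-256 of the .xpi bytes
	Signature []byte // signature over signedBytes(Version, XPIHash)
}

func signedBytes(version, xpiHash string) []byte { return []byte(version + "\n" + xpiHash) }

func hashXPI(xpi []byte) string {
	sum := sha256.Sum256(xpi)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the developer-side step (McCoy's role): bind the new .xpi's
// hash to the version and sign the pair with the long-term private key.
func SignManifest(priv ed25519.PrivateKey, version string, xpi []byte) UpdateManifest {
	h := hashXPI(xpi)
	return UpdateManifest{Version: version, XPIHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

// VerifyUpdate is the client-side step with the key pinned at first install:
// the manifest must carry that key's signature and the fetched .xpi must match
// the signed hash. Neither check depends on how the bytes were transported.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest, xpi []byte) error {
	if !ed25519.Verify(pinned, signedBytes(m.Version, m.XPIHash), m.Signature) {
		return fmt.Errorf("update manifest not signed by the pinned key")
	}
	if hashXPI(xpi) != m.XPIHash {
		return fmt.Errorf("downloaded .xpi does not match the signed hash")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed developer key pair
	xpi := []byte("constructed .xpi contents, version 1.1")
	m := SignManifest(priv, "1.1", xpi)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, xpi))
	fmt.Println("swapped .xpi:  ", VerifyUpdate(pub, m, []byte("something else")))
	_, other, _ := ed25519.GenerateKey(nil) // a key the user never trusted
	fmt.Println("foreign signer:", VerifyUpdate(pub, SignManifest(other, "1.2", xpi), xpi))
}
```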

  12. #12 taverngeek says:

    Can NoScript show what site it is blocking when it blocks javascript or so on? I hate having to randomly give permissions to sites in hopes that’ll be the one that lets me execute a javascript submit button or so on.

  13. #13 Giorgio says:

    @taverngeek:
    you always need to start with the main site (the one in the location bar, also shown in bold in the NoScript menu).
    For other sites you should use a bit of common sense (e.g. starting with those which resemble the main one, like cnn.com/cnn.net).
    However an “About these sites…” menu item is planned, opening a page with information about every site listed.

  14. #14 All protection you need for your Internet Security | FileNetwork Blog says:

    […] mozilla-based browsers: this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the […]

  15. #15 kimm says:

    That honor actually goes to Opera, which had tabbed browsing even before Firefox did. Some say that Opera invented tabbed browsing - http://wiwapia.com/en/browsing

  16. #16 All protection you need for your Internet Security | Today News, Technology, Wordpres says:

    […] this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online […]
