Thursday, May 15, 2008

Trust you plugins? Think again

Over the last weekend, Armando Romeo and I spent some time discussing the attack vectors possible by inserting "backdoor" code into the Firefox (Mozilla) browser through Extensions, Themes and Language Packs.

Romeo has the proof-of-concepts ready for two scenarios - In-browser keylogger and Download and save executable. Two very dangerous scenarios for your "Mac OS X for FF Theme" to be playing with. It would be possible for this vulnerability to be used to map the network and carry out many other dangerous attacks on the intranet.

Just as we went about playing with the fact that the same POCs worked well with Thunderbird and other Mozilla products, we found this. Turns out there were others in the wild who had already explored this concept and put it to work to compromise 10000s of people.

This whole Mozilla incident brings me to a larger point: Do you trust your plugins?

Not just Mozilla; with a few minutes of Googling I was able to identify the following applications that allow plugins:
  1. Internet Explorer
  2. Miranda IM
  3. Wordpress
  4. Total Commander
  5. Joomla
  6. Ad-aware
  7. Virtual-DJ
  8. ........
There are 1000s of applications out there that blindly trust third party plugins/addons.

The concerning part of such attacks that can occur from plugins is that in most cases they would be missed by traditional control mechanisms such as Anti-viruses, Firewalls etc.

I havn't had the time to play with each of these scenarios as of yet, but would definitely like to sometime soon. As for now, disabling javascript on your browser is no longer enough. You will need a source code audit on every extension/theme/language pack you install in Firefox or any other application. Until Mozilla fixes the issue, I recommend running Firefox from Sandboxie.