
How to install silently malicious extensions for Firefox - felipebueno
http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html
======
pandog
This isn't a security issue in Firefox.

To pull this off you need write access to Firefox's SQLite database.

If you have write access to Firefox's SQLite database you've already 'won',
the system is already yours. You can do a lot more damage to the system than
whitelisting a Firefox extension.

Sure you could argue that this is another place for malware to hide - but I
don't think that this is really a security flaw in Firefox.

~~~
Svip
You are correct. His point is that one can use this trick to install programs
that Anti-Virus programs cannot detect, because they are part of the browsers,
unlike perhaps a service.

Because while having control of a system is 'winning', one still wishes to do
damage relatively undetected (if one's intent is to use the machine as a
zombie, for instance). And doing it through Firefox is a very undetectable way
to do so.

------
roger5
Right. I can also write an app that reads the process memory of FF and steals
your passwords.

------
pi18n
This is one of the exact scenarios Apple is trying to prevent with Gatekeeper.
Although I think Apple implemented it poorly and I strongly object to their
code signing policies, I do hope more OS's include application-level
permissions and methods for developers to sign their binaries as a standard
thing.

------
martinced
Plugins and automatic security updates (or any update for what it is worth)
are the two biggest security holes ever.

Which is why for anything really sensitive I'm booting from a live CD, giving
me a system which is "read-only" and not "phoning home" to see if there are
updates.

It's a pain. But less of a pain than getting root'ed / admin'ed.

Signed binaries ain't helping either: we've seen several seemingly "legit"
software signed with compromised keys.

False sense of security.

~~~
atesti
Plugins are not security holes! Sure they make it slightly more accessible to
e.g. steal browser passwords, but you can always inject code into other
processes to do such things.

~~~
Armbrs
The presence of other security holes doesn't invalidate the existence of this
one.

~~~
atesti
I really don't consider this a security hole!

This does not increase privileges of the attacker: If the attacker can modify
Firefox's profile directory it could also inject something into Firefox or
read the cookies directly.

