Wednesday, September 06, 2006
Firefox security: is the fun over?
The niftiest things you can do with Firefox are supplied by "extensions", little programs that you add in to your Firefox installation and that work with Firefox to do various cool things.
I'd been kind of surprised that the world wasn't full of maliciously written Firefox extensions. Partly that's because the folks who developed Firefox saw the potential problem and made sure you'd have to go out of your way to install extensions from random and potentially evil places. Another part of the reason is probably that there weren't enough Firefox users to be worth a crook's time.
Scary headlines are popping up now about a rogue extension called FormSpy, which forwards things you type (passwords, for example) to machines controlled by crooks. The scary headlines say that it installs silently, without you having a chance to say no. That's a key point: that would make Firefox as dangerous as Internet Explorer. So, is that the real story?
The computer industry press has let us down again. You can't just get FormSpy from visiting the wrong place. For it to install silently, you first have to be infected with another malicious program ("Downloader-AXM") which is designed to sneak things onto your computer without your knowledge. And how do people get hit with "Downloader-AXM"?
By opening an attachment from spam. An executable attachment.
Not much of a news story, is it? But it does give me an excuse to remind you that Firefox extensions are programs, you're trusting them with your security when you install them, and you should only download one if you hear good things about it from people who know what they're talking about. An example of something you do want to download and install is NoScript.