On Mon, May 25, 2009 at 8:26 PM, saphex <[email protected]> wrote:
> This isn't about making the user install a malware add-on. It's about
> gaining access to the system through an exploit, or physical access,
> modify an existing add-on with your code. And Firefox won't even
> notice. Instead of installing a fancy rootkit or keylogger, just go
> straight to the browser, simple. Go tell your average user to check
> the codebase of the plug-ins he has installed in his Firefox from time
> to time in order to make sure they haven't been tampered with, yeah
> good choice...........
>

I agree that attacking Firefox is a simpler way to carry out the attack than installing a rootkit or keylogger. However, this is no simpler than asking someone to download a cool game, script or screensaver from my site.

Moreover, only addons.mozilla.org and update.mozilla.org are set as allowed sites for addon installations by default in the browser. If one tries to install addons from another site, Firefox issues a warning. So, this is pretty good. As far as the possibility of a malicious addon on the Mozilla site is concerned, the probability is pretty low as the addons on the Mozilla site appear for download only after a review process.

So, I don't see this type of attack as particularly more dangerous than a user downloading software or a script with a trojan and running it. I also don't see this type of attack as any simpler than fooling a user into running a cool game or script.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
