Wednesday, May 30, 2007

A Remote Vulnerability in Firefox Extensions



See a demo of the attack against Google Browser Sync: (12MB Quicktime).

Executive Summary

A vulnerability exists in the upgrade mechanism used by a number of high profile Firefox extensions. These include Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions.

Users of the Google Pack suite of software are most likely vulnerable, as this includes the Google Toolbar for Firefox.

The latest version of all of these listed, and many other extensions are vulnerable. This is not restricted to a specific version of Firefox.

Users are vulnerable and are at risk of an attacker silently installing malicious software on their computers. This possibility exists whenever the user cannot trust their domain name server (DNS) or network connection. Examples of this include public wireless networks, and users connected to compromised home routers.

The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.

In addition to notifying the Firefox Security Team, some of the most high-profile vulnerable software vendors (Google, Yahoo, and Facebook) were notified 45 days ago, although none have yet released a fix. The number of vulnerable extensions is more lengthy than those listed in this document. Until vendors have fixed the problems, users should remove/disable all Firefox extensions except those that they are sure they have downloaded from the official Firefox Add-ons website (https://addons.mozilla.org). If in doubt, delete the extension, and then download it again from a safe place.

In Firefox, this can be done by going to Tools->Add-ons. Select the individual extensions, and then click on the uninstall button.






Frequently Asked Questions


Q: Who is at risk?

A: Anyone who has installed the Firefox Web Browser and one or more vulnerable extensions. These include, but are not limited to: Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker.

Q: How many people are at risk?

A: Millions. Exact numbers for each toolbar/extension are not released by the vendors. Google Toolbar, which is one of the most popular of the vulnerable extensions, is installed as part of the download process with WinZip, RealNetworks' Real Player and Adobe's Shockwave. Google publicly pays website publishers $1 for each copy of Firefox + Google Toolbar that customers download and install through a publisher's website.

Google confirmed in 2005 that their toolbar product's user base was "in the millions". Given the number of distribution deals that have been signed, the number of users can only have grown in size since.

Q: When am I at risk?

A: When you use a public wireless network, an untrusted Internet connection, or a wireless home router with the default password set.

Q: What can happen to me?

A: An attacker can covertly install malicious software that will run within your web browser. Such software could spy on the you, hijack e-banking sessions, steal emails, send email spam and a number of other nasty tasks.

Q: What can I do to reduce my risk?

A: Users with wireless home routers should change their password to something other than the default.

Until the vendors release secure updates to their software, users should remove or disable all Firefox extensions and toolbars. Only those that have been downloaded from the official Firefox Add-Ons page are safe.

In Firefox, this can be done by going to the Tools menu and choose the Add-ons item. Select the individual extensions, and then click on the uninstall button.

Q: Why is this attack possible?

A: The problem stems from design flaws, false assumptions, and a lack of solid developer documentation instructing extension authors on the best way to secure their code.

The nature of the vulnerability described in this report is technical, but its impact can be limited by appropriate user configuration. This shows the relation between the technical and social aspects of security. For numerous other examples, please see the publications listed at www.stop-phishing.com. It also illustrates the need for good education of typical Internet users. This has been recognized as a difficult problem to tackle, but some recent efforts, e.g., www.SecurityCartoon.com look promising.





Description Of Vulnerability

The Firefox web browser includes the ability for third parties to release code, known as extensions, that will run within the user's browser. Firefox also includes an upgrade mechanism, enabling the extensions to poll an Internet server, looking for updates. If an update is available, the extension will typically ask the user if they wish to upgrade, and then will download and install the new code.

An exploitable vulnerability exists in the upgrade mechanism used by Firefox. The only real way to secure the upgrade path is for those websites hosting extensions and their updates to use SSL technology. The Mozilla team have provided a free hosting service for open source extensions, which is secure out of the box, by having the code served from https://addons.mozilla.org

For the most part, any extension which gets updates from a website that looks like http://www.example.com is insecure, while an extension that gets its updates from a website that looks like https://www.other-example.com is secure.

The vulnerability is made possible through the use of a man in the middle attack, a fairly old computer security technique. Essentially, an attacker must somehow convince your machine that he is really the update server for one or more of your extensions, and then the Firefox browser will download and install the malicious update without alerting the user to the fact that anything is wrong. While Firefox does at least prompt the user when updates are available, some commercial extensions (including those made by Google) have disabled this, and thus silently update their extensions without giving the user any say in the matter.

A DNS based man in the middle attack will not work against a SSL enabled webserver. This is because SSL certificates certify an association between a specific domain name and an ip address. An attempted man in the middle attack against a SSL enabled Firefox update server will result in the browser rejecting the connection to the masquerading update server, as the ip address in the SSL certificate, and the ip address returned by the DNS server will not match.

When Are Users Vulnerable

Users are most vulnerable to this attack when they cannot trust their domain name server. Examples of such a situation include:

  • Using a public or unencrypted wireless network.

  • Using a network router (wireless or wired) at home that has been infected/hacked through a drive by pharming attack. This particular risk can be heavily reduced by changing the default password on your home router.

  • Using a 'network hub' - either at the office, a university, or elsewhere.

Such users are vulnerable to a number of attacks such as DNS spoofing, DNS poisoning and ARP spoofing. A potential hack can occur when a malicious person is able to convince a victim's Firefox browser to connect to a malicious host, instead of going to the intended update server.

Using this vulnerability, an attacker can force a user's browser to download and install malicious code. Such code runs within the browser, and does not run as a superuser or privileged user. A malicious extension could spy on the user, perform an active man in the middle attack on e-banking sessions, steal emails, send spam from the user's account, perform local network port scanning, and a number of other nasty tasks.

Fixing The Problem


The number of vulnerable extensions is more lengthy than those listed in this document. Until vendors have fixed the problems, users should remove/disable all Firefox extensions except those that they are sure they have downloaded from the official Firefox Add-ons website (https://addons.mozilla.org). If in doubt, delete the extension, and then download it again from a safe place.

In Firefox, this can be done by going to Tools->Add-ons. Select the individual extensions, and then click on the uninstall button.

The vendors can either host their extensions on https://addons.mozilla.org, or if they choose to host them on their own webservers, they should turn on SSL. While this is not a particularly difficult engineering effort, for those extensions with millions of users, it may require a few additional machines to cope with the extra load required by all of those SSL connections.

As a matter of general policy, vendors really should not have their software silently install updates without asking the user's permission. It is asking for trouble.

The Mozilla Security Team has updated their developer documentation to properly address the risks that hosting updates from an insecure server can pose. The updated documentation can be found online.

There seems to be one commercial vendor whose extension does get its updates from a secure website. The McAfee SiteAdvisor does things correctly, and is thus not vulnerable to this attack.


Why Are Commercial Vendors' Extensions Vulnerable


The vast majority of commercial software vendors do not have their extensions hosted on the https://addons.mozilla.org website. They prefer to control the entire user experience, and thus wish to have the users connect to their own servers for the initial download and future updates. These vendors are not hosting the updates on a secure, SSL-enabled webserver, and thus the update process for these extensions is vulnerable to a man in the middle attack.

Some vendors have made things much worse by having their extensions automatically update without asking the user for permission. The majority of the open source extensions follow the Firefox defaults, and thus require that the user "OK" any software updates.


What About Code Signing


The code signing functionality in Firefox is fairly limited. The main difference is that a signed extension will show the signer's name when the user is prompted to install the extension, while an unsigned extension will list "un-signed" next to the extension name.

The availability of an update without signatures for extensions that previously had a valid signature does not raise any kind of error. Furthermore, the signature is thrown away as soon as the new extension update is installed.

Code signing is not currently an effective method of securing the extension upgrade path. Developers should instead have their updates served by a SSL enabled webserver.

Notification of Vendors


The Mozilla Security Team was notified of this on April 16th. They do not believe that this is a Firefox bug or vulnerability, due to the fact that the vast majority of extensions (those hosted at https://addons.mozilla.org) are secure by default.

The Ebay developed, but Mozilla cobranded Firefox/Ebay extension was vulnerable, but the Mozilla Security Team fixed the problems and rolled out an update within 2 days of being notified.

The Mozilla developers have created an entry in their bug tracking database for the insecure updates issue, but it is not slated to be fixed until Firefox 3.0.

The Google Security Team was notified of the problem on April 16th. They were given a full explanation of the vulnerability. An additional four emails were sent between April 20th and May 24th. These included additional information on the problem, offers to provide help as well as offers to delay publication of the vulnerability. The Google Security Team replied on May 25th stating that they were working on a fix, and expected to have it ready and deployed before May 30th. At the time of publishing this vulnerability disclosure, it does not appear that Google has rolled out an update yet.

The Yahoo Security Team was notified of the problem on April 21st. A human being replied to the initial report with intelligent questions, in less than 12 hours, on a Saturday. There has been no further communication from Yahoo.

The Facebook Security Team was notified on April 21st. They replied with two emails from a human being confirming receipt of the report. There has been no further communication from Facebook.

The number of vulnerable extensions continues to grow. It is just not feasible to provide advanced notification to every creator of a Firefox extension. Advanced notice has thus been given to those major vendors who the research initially focused on.

The CERT disclosure policy states that "All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors." Given the fact that fixing the flaw is a fairly trivial engineering task (changing a couple urls from http->https), and it is very easy for users to protect themselves (remove the vulnerable toolbars), sitting on this information any longer would be a bad idea.

Another other well respected responsible disclosure policy sets a 5 days time limit. If the vendor does not keep in touch with the security developer every 5 days, then the vulnerability will be made public. While this path was not followed, it is worth noting that neither Google, Yahoo or Facebook made an attempt to keep the lines of communication open. Following such a policy, this information would have thus been revealed a number of weeks ago.


Self Disclosure/Conflict of Interest Statement



Christopher Soghoian is a PhD student in the School of Informatics at Indiana University. He is a member of the Stop Phishing Research Group. His research is focused in the areas of phishing, click-fraud, search privacy and airport security. He has worked an intern with Google, Apple, IBM and Cybertrust. He is the co-inventor of several pending patents in the areas of mobile authentication, anti-phishing, and virtual machine defense against viruses. His website is http://www.dubfire.net/chris/ and he blogs regularly at http://paranoia.dubfire.net

This vulnerability was discovered and disclosed to vendors during the spring semester, while he was paid as a researcher assistant at Indiana University. He is now currently working at an internship in Europe. This disclosure announcement, and the vulnerability in no way reflect the opinions or corporate policy of his current employer nor those of Indiana University.

Information on this vulnerability was disclosed for free to the above listed vendors. Christopher Soghoian has not been financially compensated for this work. He has no malicious or ill feelings towards any of the vulnerable software companies.

He was an intern with the Application Security Team at Google during the summer of 2006. Finding this vulnerability did not involve using any confidential information that he learned while employed by Google. It was done solely with a copy of Firefox and a packet sniffer.

Tuesday, May 22, 2007

Watch This Space/A Free room in Ottawa?

Expect a few interesting things to his this blog soon.

I have a fairly big, and pretty exciting security announcement that I'll be making on May 30th. Check back here next week for that.

I also have recently gotten the results back for a FOIA query regarding the US government's involvement in the takedown of The Pirate Bay a while back. As soon as those are scanned, they'll be put online.

I have another exciting project, which is still hung up with the lawyers (both Indiana University, and my own outside counsel). As soon as I can be sure that I won't get sued/go to jail, it'll go online too.

In other news -

I've been lucky enough to get a travel grant to go to the PET workshop. The grant is paying for my obscenely expensive airplane ticket, but will not be covering the cost of staying in Ottawa for 5 days.

Thus, I'm looking for a way to stay in Ottawa on the cheap. If anyone is planning on going to the PET workshop, and has a room (or even a hotel room floor) free, please let me know. I'm also open to the option of splitting a room, although, obviously a free room is better ;)

If you live in Ottawa, and would be willing to put me up, that'd be great too.

More news next week!

Thursday, May 10, 2007

Lessons learned from the patent filing process (three times bitten)

As of the end of last summer, I had three patent applications in the works. I searched the european patent database today, and it seems that my very first application is now public, and available online.

The name is typical lawyer-speak: Method or apparatus for managing a server process in a computer system. The paperwork was filled out in the final weeks of my internship with IBM Research (Switzerland) in August of 2004. It was made public by the European patent office at the end of February 2007.

I am quite proud of this idea, although, the circumstances that followed proved to be a fairly negative, yet extremely useful learning experience. The full description can be seen online. Essentially, the idea involves having a number of short-lived virtual machines each running on one physical machine. Incoming connections are routed to a new virtual machine every few minutes, and thus, the existing virtual machines can be brought down and restarted from a 'known' good state. In addition to making it really difficult for a hacker to leave a machine in a permanently hacked state, it also accelerates the rate at which forensic information can be gathered, and potentially, automatically reacted to.

However, the purpose of this blog post is not to discuss the technical details of the patent. It is to describe the problems that came after the patent filing. This problem was not unqiue to IBM, and thus the very same thing happened to me two years later at Google. I would like to say that I've finally learned. It's also quite reasonable to argue that these two experiences have done much to shape my current ill-feeling towards the patent system.

While the details are slightly different, my two internship patent filing experiences at both IBM Research and Google can essentially be generalized to the following:

1. Come up with cool idea while an intern at company x.
2. Tell my boss/the legal department, and begin the process of filing an invention disclosure.
3. Begin writing code that implements the idea.
4. Run out of time on the internship.
5. Am told by bosses/company lawyers: Here is your $1000 (give or take) patent filing bonus. Thank you very much. The idea is now ours, you are forbidden from telling anyone about the idea, you are forbidden from writing any/completing any code that implements the idea, and you may not publish a research paper on the subject.

Now that my patent application from IBM is public, I suppose that I can finally finish implementing it, should I wish to do so, but arguably, the idea is stale now (it's 3 years old), and the field has moved on.

The two ideas that I came up with at Google were the same. For one, I had a good chunk of demo code that at least fleshed out the idea. It would have made a perfect research paper, but my several attempts to get permission to work on the idea post-internship have gotten me nowhere.

The moral of the story, I suppose, is to be careful about disclosing inventions.

Interns really don't have any room to negotiate an NDA. Thus, the only real power you have, is over your choice to disclose inventions or not. Sure, you get a cash bonus, but in the grand scheme of things, it's chump change - esp. if it means that you won't be able to publish a research paper on the subject. After all - research papers are the currency of academia. And were it not for my desire to be an academic, I'd be making real money now, instead of being $100 per month shy of food stamp eligibility.

Tuesday, May 08, 2007

Blogging Hiatus, New Travel Blog

I am now safely in Munich, Germany, and thus for the next 4 months, mostly beyond the reach of the US government and the nasty DMCA.

Just as I did last summer, I will be taking a break from blogging, at least about computer security, and anything else likely to get me in trouble. I'm working for a respectable Japanese company, and I want to keep a low profile while I'm here.

This blog will not remain 100% silent, as I have a bit of unfinished business to take care of. There are two semi-big project that I worked on this past semester at university. I fully expect to announce the details of one of them in the next few weeks. I'm attempting to follow the practice of 'responsible disclosure', and thus I'm giving the various vendors a reasonable period of secrecy in which they can fix the design flaws in their products.

The second project is currently being held up with the lawyers. I do not know when they'll approve it - but I would rather not receive the latex glove treatment, or worse when I fly back to the US in August, and so I'm playing it safe on this one. Stay tuned for that project, which should be very very fun.

However, I do at least want to continue writing about my travels - but I don't want to bore those regular readers of this blog who come here to hear about computer security-ish things. I've therefore created another blog, available here where you can read about my travels. I've got 3 months in Germany, and a month in India that I'll be writing about.