DesktopLinux
Vulnerability found in Firefox extension, Google toolbar
Jun. 05, 2007

A security researcher has found a remotely exploitable vulnerability in the upgrade mechanism of the Firefox extensions used by Google Toolbar and Google Browser Sync. It allows a man-in-the-middle attack that ends in the covert installation of malicious software.

Christopher Soghoian, a graduate student at Indiana University's School of Informatics, discovered that an attacker can silently slip malicious software onto computers via an upgrade mechanism flaw in the latest versions of highly popular Firefox extensions, including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker.

Writing in his blog on May 30, Soghoian noted that users of the Google Pack suite are likely vulnerable, given that it includes the Google Toolbar for Firefox. Using the bug, an attacker can install software such as spyware, hijack e-banking sessions, steal e-mail or send e-mail spam.

The only way to secure the upgrade path, he said, is for the sites hosting extensions and their updates to serve them over SSL. Extensions whose update URLs begin with https are for the most part safe; Mozilla's free hosting service for open-source extensions, https://addons.mozilla.org, is one example.

The exploit is a man-in-the-middle attack: an attacker on the network path (an open wireless network, for instance) answers the extension's update check as if he or she were the update server. Firefox prompts the user that an update is available, then downloads and installs whatever package that server supplies, which in this case is malicious code. Some commercial extensions, including Google's, have disabled that notification in favor of silent installation, so the user is never asked at all.
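The check the article implies, written out as an added example (this is not code from the article, from Soghoian, or from Mozilla): a Python audit script that opens an extension's XPI package, reads its install.rdf, and reports whether the extension's update manifest would be fetched over plain http, which is the condition that lets a man-in-the-middle substitute an update. The XPI contents, extension ids and update URLs below are constructed for the example. Treating a missing updateURL (Mozilla's default add-on service) and an em:updateKey-signed manifest as acceptable are assumptions of the script, since the article mentions only SSL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by Firefox install.rdf manifests.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def _em_property(desc, name):
    """Read an em: property from the install-manifest Description.

    RDF/XML allows a property either as a child element
    (<em:updateURL>...</em:updateURL>) or as an attribute on the
    Description element; manifests in the wild use both styles."""
    child = desc.find("{%s}%s" % (EM_NS, name))
    if child is not None and child.text and child.text.strip():
        return child.text.strip()
    return desc.get("{%s}%s" % (EM_NS, name))


def parse_install_manifest(xml_bytes):
    """Return id, version, updateURL and updateKey from an install.rdf."""
    root = ET.fromstring(xml_bytes)
    for d in root.iter("{%s}Description" % RDF_NS):
        about = d.get("about") or d.get("{%s}about" % RDF_NS)
        if about == "urn:mozilla:install-manifest":
            return {name: _em_property(d, name)
                    for name in ("id", "version", "updateURL", "updateKey")}
    raise ValueError("no urn:mozilla:install-manifest Description found")


def classify_update_path(manifest):
    """Return (status, reason). 'insecure' is the case the article describes:
    an unsigned update manifest fetched over plain http, which an attacker
    on the path can replace to point Firefox at their own XPI."""
    url = manifest.get("updateURL")
    if not url:
        # Assumption: with no updateURL, Firefox asks Mozilla's add-on
        # service, which the article describes as an https site.
        return "default", "no updateURL; Mozilla's add-on service is used"
    scheme = urlparse(url).scheme.lower()
    if scheme == "https":
        return "https", "update manifest is fetched over SSL"
    if manifest.get("updateKey"):
        # Assumption: a signed manifest is an acceptable alternative; the
        # article itself only mentions SSL.
        return "signed", "plain-%s manifest, but signed (em:updateKey)" % scheme
    return "insecure", "unsigned manifest over %s; open to MITM" % (scheme or "unknown scheme")


def build_xpi(install_rdf_text):
    """Construct a minimal XPI (a zip containing install.rdf) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", install_rdf_text)
    return buf.getvalue()


def audit_xpi(xpi_bytes):
    """Audit one XPI and report how its updates would be fetched."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        manifest = parse_install_manifest(z.read("install.rdf"))
    status, reason = classify_update_path(manifest)
    return {"id": manifest["id"], "updateURL": manifest["updateURL"],
            "status": status, "reason": reason}


# Constructed sample manifests (hypothetical ids and URLs, not real products).
_TEMPLATE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"{attrs}>
    <em:id>{id}</em:id>
    <em:version>1.0</em:version>
{children}  </Description>
</RDF>
"""

SAMPLES = {
    "plain-http": {"id": "http-toolbar@example.test", "attrs": "",
                   "children": "    <em:updateURL>http://updates.example.test/update.rdf?item=%ITEM_ID%</em:updateURL>\n"},
    "https": {"id": "https-toolbar@example.test",
              "attrs": '\n               em:updateURL="https://updates.example.test/update.rdf"',
              "children": ""},
    "amo-hosted": {"id": "amo-ext@example.test", "attrs": "", "children": ""},
    "signed-http": {"id": "signed-toolbar@example.test", "attrs": "",
                    "children": "    <em:updateURL>http://updates.example.test/update.rdf</em:updateURL>\n"
                                "    <em:updateKey>CONSTRUCTED-PUBLIC-KEY-NOT-REAL</em:updateKey>\n"},
}


def audit_samples():
    """Build each constructed sample as an XPI and audit it."""
    return {name: audit_xpi(build_xpi(_TEMPLATE.format(**fields)))
            for name, fields in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in audit_samples().items():
        print("%-12s %-28s %-9s %s" % (name, r["id"], r["status"], r["reason"]))
```

To audit an installed extension, pass the bytes of its .xpi file to audit_xpi; only the "plain-http" sample above reports the condition the article describes.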

To read the rest of Lisa Vaas's eWEEK.com article, go here.




Use of this site is governed by our Terms of Service and Privacy Policy. Except where otherwise specified, the contents of this site are copyright © 1999-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise is prohibited. Linux is a registered trademark of Linus Torvalds. All other marks are the property of their respective owners.