Prawnography and Firefox Exploitability

A few months ago, I created the following bug report at the Mozilla project’s install of Bugzilla:

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

It’s possible to use XMLHttpRequest to retrieve the text from a remote javascript file and then to eval that text and execute the javascript within a local scope. This circumvents the need to sign remote scripts and can be done without enabling UniversalXPConnect. In theory, one would simply suggest that application developers be careful not to write code that would execute arbitrary remote javascript, but this doesn’t account for malicious coders who might make extensions available, for example, and use them to tamper with the users’ machines. It may be that this is a jslib issue and not a Gecko issue, but I wasn’t sure where else to report it.

Reproducible: Always
Steps to Reproduce:
1. Install jstest package (attached).
2. Edit xul.js (in zip file), replacing the second parameter to the “save()” call to a local file on your system (or to a file that doesn’t exist yet in a writable directory).
3. Place xul.js (in zip file) on a remote server.
4. Edit the button in jstest.xul within package so that the parameter to “execute()” in the “oncommand” parameter points to the file created in step 2.
5. Run the package and press the button.
Actual Results:
A file is written to the local path specified in the remote script containing the text sent as the first parameter to the remote “save()” function.

Expected Results:
No unsigned remote javascript should be able to perform certain actions, such as local file operations.

In plain English, it means that installing Firefox extensions can be dangerous if you’re not very careful about what you install. When you install an extension, you’re giving full control of your browser to the developer who wrote the extension. In most cases, this’ll work out just fine, as most people who write extensions are writing utilities that they find useful and wanted to make available to others. But there’s always the jerk who ruins a good thing. Later in the bug report, I go back and forth with a key developer about whether or not this is in fact a bug. He concludes that it’s not. In short, if you agree to install an extension, you agree to take whatever pain or pleasure comes with installing that extension, and it’s a bad idea to install untrusted extensions. And of course he’s right. The extension system has to have pretty much full privileges or else it’ll be rendered essentially useless. So the credibility of Firefox as a secure browser is in some ways in the hands of users, who are known for installing spyware on their systems through IE and can’t really be trusted to keep security in mind.

To illustrate the point, I’ve written a little test extension named Prawn (as in shrimp) that shows you prawnography on demand. The real life example, of course, would showcase pornography and would be more fully-featured than my extension. Prawn adds an item to your “Tools” menu named “Prawn me” that, when selected, spawns a new tab loaded with a random racy image from prawnography.net. The extension also has an annoying habit of popping up a window every 30 seconds or so. It’s ok to download and try my extension — I promise it doesn’t do anything truly malicious, and it shows the point pretty well, I think. If you happen to be a prawn fetishist and you see this great extension that gives you access to prawnography, you might carelessly download this extension and find yourself stuck with annoying popups. Moreover, if the popups don’t indicate that they’re associated with the Prawn extension, you might not be able to figure out how to make them stop, short of reinstalling Firefox (though all it in fact takes is uninstalling the extension).

The real dirty thing about my extension is that it doesn’t merely do a popup. It in fact downloads a remote text file and evaluates the code in that file as javascript. So a particularly sneaky developer could write an extension that, the first few days it’s loaded, does expected and harmless things but that begins after a while to do popups or other unsavory things (writing files to your system, for example, or sending cookies or information about your browsing habits back to a central server). This method renders it more difficult to associate the activities with the extension in question. My little Prawn extension effectively gives complete control of your browser to me. I could program it to close your browser upon startup so that you never even have the chance to uninstall it (unless you know what text files to edit by hand to do so). Can anybody see Microsoft covertly putting out a similar extension in order to frustrate Firefox users and drive them back to IE? The really scary thing is that because the extension executes remote code, I can change its behavior at any time I want without your having to modify your local copy; so it can start out as a friendly extension and morph into something ugly and destructive.

The moral here isn’t that Firefox is bad or insecure, though the argument could be made. I’ve spoken to Firefox developers who point out that the extensions manager instructs users not to install untrusted extensions, and I suppose that’s valid, though we all know that it’s absurd to trust users to follow instructions. (In spite of my warnings about not installing untrusted extensions, did you download and install mine? If so, shame on you. It really is safe, but what if somebody else wrote a similar blog posting with their own extension that actually turned out to be malicious?) Developers and advocates also point out that one of Firefox’s big strengths is that it doesn’t run ActiveX controls, which are responsible for most of the malware that’s out there. And that’s true and good. But if a similarly exploitable technology is built into Firefox, is it really that much better?

Well, I think it is. I’m a devoted Firefox user, and I encourage everybody I can to use the browser. But I also encourage them to be sensible about what extensions they add to Firefox. Theoretically, the extensions available at update.mozilla.org are safe, but I don’t know how much scrutiny is actually given to extensions before they’re added there. (There may be a great deal of scrutiny; I’m not saying there’s not; I’m just saying that I don’t know.) And I don’t know how much code review is done. Is it possible, I wonder, to submit and have approved a cool extension but then to go back and edit it without review a few months later so that it includes malicious code?

Questions like this are no doubt being asked as the Mozilla Foundation works even now on revamping update.mozilla.org, but they’re probably too technical and uninteresting to many, if not most, members of the growing pool of Firefox users. And debatably, they’re questions that users shouldn’t have to worry about. In an ideal world, you’d just install your browser and use it without looking back. The jerks out there who make malware will always find ways to thwart this ideal vision, I suspect. My advice, then, is to use Firefox (right now, it is safer than IE; if you don’t use Firefox, consider Opera or some other alternative). I also advocate spreading Firefox, an activity I’ve been engaged in for six months now. But don’t be blind to the shortcomings that the greatness of Firefox extensibility introduces. Try to verify that any extensions you install are safe. And whatever you do, if you need to browse prawnography, don’t use my extension to do so; you’ll find it most annoying, if (for now) technically harmless.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s