It’s a good idea to check your browser extensions if you use Firefox. Nine of the 10 most popular extensions for Mozilla’s browser open computers to malware and security breaches, according to a research paper presented at the Black Hat conference by a group from Northeastern University.
Among the top Firefox add-ons, only AdBlock Plus doesn’t make your system vulnerable. The nine that do allow potential problems are Video DownloadHelper, Firebug, NoScript Security Suite, DownthemAll!, Greasemonkey, Web of Trust, Flash Video Downloader, FlashGot Mass Downloader, and Download Youtube Videos as MP4. These 10 are all available on the Mozilla website.
The problem occurs when users install Firefox add-ons. Because of the way Firefox is designed, those add-ons aren’t protected from each other. The researchers reported that an add-on with malware can “conceal its malicious behavior by invoking the capabilities of other add-ons.” The bottom line is when you download and subsequently use a trusted add-on with the vulnerability, destructive action may take place in the background while you think everything is working correctly.
Nick Nguyen, VP of product for Firefox, acknowledged the issue in a statement to Digital Trends: “The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.
“Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security,” continued Nguyen. “The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative – our project to introduce multi-process architecture to Firefox later this year – we will start to sandbox Firefox extensions so that they cannot share code.“
How to remove Firefox Add-ons
If have Firefox installed on your computer, here’s what you can do today.
In the upper right corner of your display, on the same line where you enter URLs, look on the far right. Click on the icon with three horizontal lines to bring up the settings menu. Click on Add-ons. An Add-on Manager browser tab will open with a menu on the upper left side of your screen. By default the menu will open the Extensions window; this is where you want to check for any of the problem add-ons we mentioned above in this article.
If you find them, our suggestion is to remove them by clicking the Remove button for each. Don’t just click the Disable button to turn them off, you want them gone, so hit Remove.
If you find and remove vulnerable add-ons, it’s a great idea to run antivirus and spam checking software on your system. Set scan options for a full system check, not just the quick check mode most virus and malware scanning programs offer. Computer security, even for single systems at home, is a never-ending concern.
Updated on April 6 at 6 p.m. PT by Jeffrey Van Camp: Firefox got back to us with a quote. We’ve updated the article, which was originally published earlier today.