05.30.07
Firefox Automatic Update
By
Dan Morrill
Firefox's automatic update might be something security folks need to watch out for, because extensions update themselves without asking.
Most companies do not want employees to update their own software; they usually have some kind of patch management system that pushes patches to clients across the enterprise, either staggered or, depending on size, all at once. Firefox, though, has an automatic update cycle for its extensions that needs to fall under the patch management process and might not be able to.
By design, each Firefox extension -- any of a number of free software applications that can be added to the popular open-source browser -- is hard-coded with a unique Internet address that will contact the creator's update server each time Firefox starts. This feature lets the Firefox browser determine whether a new version of the add-on is available. Source: Washington Post
The scenario the article considers is a rogue access point in a coffee shop, but the same weakness is reachable another way. Because each extension contacts a hard-coded address every time Firefox starts, whoever controls that name, or the network path to it, decides what "update" the browser receives. Given how easy it is to hijack a domain, people who host their own Firefox extensions on their own web sites are (depending on their hosting company) the more exposed in the end, through domain hijacking rather than a rogue AP. How often they visit their own web site determines how long the hijack goes unnoticed, and so how long the attack keeps working. In fairly short order, a large number of Firefox browsers can be compromised.
This is not new; it is a risk, and one that can initially be contained by turning off automatic extension update checks in Firefox (the extensions.update.enabled preference) while the risk is assessed. One quick and dirty solution for internal network users who have an internal DNS system is to take control of the automatic updates internally: set up a staging server and add an internal DNS override for each extension's update host, so that you can test new extension versions and then release them to the internal network clients.
This will not help systems that are off the internal network. It also requires a staging server, and people who watch for updated Firefox extensions, test them, and then release them. These are normally parts of a patch management system anyway; this just adds the complexity of testing browser extensions. It also requires that the company monitor for vulnerabilities in the browser itself and download its patches.
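An added example, not code from the original post or from the Washington Post article: a Python script that audits a Firefox profile's installed extensions (the extensions/<id>/install.rdf layout), reports which ones carry a hard-coded em:updateURL and whether it is fetched over plain HTTP (the case a rogue access point or a hijacked domain can answer), and then emits the hosts-file style override lines an internal DNS would need to send those hosts to a staging server, as described above. The extension ids, names, hostnames and the staging IP are constructed sample data, and the sample profile is written to a temporary directory so the script runs offline.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
MANIFEST_URI = "urn:mozilla:install-manifest"

# Constructed sample install.rdf manifests; ids, names and hosts are hypothetical.
# One uses child elements, one uses attributes (both forms occur in real
# manifests), and one declares no updateURL at all.
SAMPLE_MANIFESTS = {
    "{11111111-1111-1111-1111-111111111111}": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{11111111-1111-1111-1111-111111111111}</em:id>
    <em:name>Example Toolbar</em:name>
    <em:version>1.0</em:version>
    <em:updateURL>http://updates.example-toolbar.test/update.rdf</em:updateURL>
  </Description>
</RDF>""",
    "secure-ext@example.test": """<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description RDF:about="urn:mozilla:install-manifest"
                   em:id="secure-ext@example.test"
                   em:name="Secure Example"
                   em:version="2.3"
                   em:updateURL="https://updates.secure-ext.test/update.rdf"/>
</RDF:RDF>""",
    "amo-hosted@example.test": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>amo-hosted@example.test</em:id>
    <em:name>Hosted Example</em:name>
    <em:version>0.9</em:version>
  </Description>
</RDF>""",
}


def parse_install_rdf(xml_text):
    """Extract id, name, version and updateURL from one install.rdf."""
    root = ET.fromstring(xml_text)
    desc = None
    for d in root.iter(RDF + "Description"):
        about = d.get("about") or d.get(RDF + "about")
        if about == MANIFEST_URI:
            desc = d
            break
    if desc is None:
        raise ValueError("no install-manifest Description in install.rdf")

    def field(name):
        # Accept both <em:name>..</em:name> and em:name=".." spellings.
        el = desc.find(EM + name)
        if el is not None and el.text:
            return el.text.strip()
        return desc.get(EM + name)

    return {"id": field("id"), "name": field("name"),
            "version": field("version"), "updateURL": field("updateURL")}


def classify(update_url):
    """http: anyone on the path or owning the name can serve the update.
    https: server is authenticated, though the vendor's domain still matters.
    default-service: no own URL, Firefox uses extensions.update.url instead."""
    if update_url is None:
        return "default-service"
    scheme = urlsplit(update_url).scheme.lower()
    return scheme if scheme in ("http", "https") else "other"


def audit_profile(profile_dir):
    """Walk <profile>/extensions/<id>/install.rdf and classify each one."""
    findings = []
    ext_dir = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_dir):
        return findings
    for ext_id in sorted(os.listdir(ext_dir)):
        manifest = os.path.join(ext_dir, ext_id, "install.rdf")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8") as f:
            info = parse_install_rdf(f.read())
        info["risk"] = classify(info["updateURL"])
        findings.append(info)
    return findings


def dns_override_hosts(findings):
    """Update hosts the internal DNS must point at the staging server."""
    return sorted({urlsplit(f["updateURL"]).hostname
                   for f in findings if f["updateURL"]})


def hosts_file_lines(findings, staging_ip):
    return ["%s %s" % (staging_ip, h) for h in dns_override_hosts(findings)]


def build_sample_profile():
    """Write the constructed manifests into a throwaway profile directory."""
    profile = tempfile.mkdtemp(prefix="ff-profile-")
    for ext_id, xml_text in SAMPLE_MANIFESTS.items():
        ext_path = os.path.join(profile, "extensions", ext_id)
        os.makedirs(ext_path)
        with open(os.path.join(ext_path, "install.rdf"), "w", encoding="utf-8") as f:
            f.write(xml_text)
    return profile


if __name__ == "__main__":
    results = audit_profile(build_sample_profile())
    for r in results:
        print("%-16s %-40s %s" % (r["risk"], r["id"], r["updateURL"]))
    print("\n".join(hosts_file_lines(results, "10.0.0.5")))  # staging IP is hypothetical
```

Two caveats when using this against a real profile: an extension whose update host is HTTPS cannot simply be redirected to the staging server, because the client will reject the staging server's certificate unless it presents one the clients trust (for example from an internal CA); and extensions with no updateURL of their own are checked against Mozilla's default update service, which this audit does not examine.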
Good valid hack, with a good valid solution that is worth checking out.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.