Malicious Firefox add-ons can co-opt other, vulnerable add-ons

Security researchers recently discovered that Firefox add-ons can use functions and data from other add-ons. This allows malicious persons to create seemingly-innocuous add-ons that look for and use vulnerable versions of popular add-ons like NoScript and Firebug.

For this type of exploit to work, a user would need to a) leave a vulnerable add-on unpatched; and b) install the malicious add-on. Which means that we have yet another reason to make sure that Firefox add-ons are kept up to date. Thankfully, the extremely useful NoScript add-on receives updates automatically, and frequently.

This also serves as a reminder to be careful when installing any add-on, no matter how innocuous it seems.

Mozilla is currently revamping the add-on framework in Firefox. The new system will improve security, preventing add-ons from accessing each others’ functions and data.