Mozilla changes security model to bolster extension protection

News by Rene Millman

Mozilla add-ons to work across multiple browsers

Mozilla has moved to secure its browser from rogue extensions by blocking unsigned add-ons.

As of 22 September, when Mozilla launches Firefox 41, Mozilla has said it will block all unsigned extensions, although users will still be able to override this protection if they want. 

In a blog post, Mozilla said the new signing process was necessary to stop users being exposed to malware through ad injections and malicious scripts.

“We currently use a blocklisting mechanism to defend against malicious add-ons, but additional measures are needed to better protect our users as some add-on developers have adapted to work around blocklisting,” said Kevin Needham in the same blog post.

“Starting in Firefox 42, add-on developers will be required to submit extensions for review and signing by Mozilla prior to deployment, and unsigned add-ons cannot be installed or used with Firefox. 

The changes will also mean that developers would be able to code extensions across a ranges of browsers; initially Chrome and Opera but also Microsoft Edge in the future. It is implementing a new extension API, called WebExtensions. This is largely compatible with the model used by Chrome and Opera. Mozilla said this would help in it reviewing extensions faster.

“This modern and JavaScript-centric API has a number of advantages, including supporting multi-process browsers by default and mitigating the risk of misbehaving add-ons and malware,” said Needham.

Mozilla would also be introducing a multi-process version of Firefox in December that separates rendering from content. Called ‘Electrolysis'; this will act as a sandbox to prevent malicious code attacking other parts of the browser and system.

“Using a separate rendering process lays the foundation enabling us to bring significant performance and security improvements to Firefox, but it also breaks some add-ons, especially those that modify content,” said Needham.

He added that the final release schedule for Electrolysis will be determined over the next several months as it tests the technology with more users.

Justin Clarke, director at Gotham Digital Science and London OWASP Chapter Leader told that the move may mean it is more likely that vulnerabilities in widely used plugins may be more easily exploitable on multiple platforms.

But he added that Mozilla is moving from a model where users could install anything they want, including plug-ins with undesirable behaviour or malware, to one where Mozilla will be reviewing plug-ins and extensions and signing them - with the browser only accepting signed plug-ins by default. 

“This will make some classes of attack much tougher to exploit, providing Mozilla's review process is good at catching malicious code - something they'll need to prove,” he said.

Wim Remes, manager of Strategic Security Services for Rapid7, told that Mozilla is not enabling developers to create add-ons that work across multiple browsers, but they are standardising the way add-ons can be developed for Firefox. 

“This means that Firefox APIs are more compatible with the APIs developers recognise from Chrome and Opera. This is positive for security. Developers will no longer have to maintain different code bases for all the browsers they develop for, and with fewer lines of code to maintain, the number of bugs should be reduced as well,” he said.

Clarke also welcomed the Electrolysis feature as by handling content in a separate sandboxed thread, it should be much harder to cause the core browser to crash, “something which may be desirable when crafting a browser exploit,” added Clarke. “This will all depend on how well sandboxed the content process is from the rest of the browser.”

Remes added that while Firefox already has some sandboxing features, it has been lagging behind the other major browsers, which have leveraged OS features extensively for sandboxing.

“With Electrolysis, Mozilla introduces a model that will increase security in its browser, and at the same time facilitates development for Firefox. In conclusion, this is a smart move by Firefox, with a positive potential impact across all stakeholders." 


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews