MozillaZine

Extension vulnerability debacle (Sage)

colfer

Posts: 638
Joined: December 4th, 2002, 9:34 am
Location: Bear

Posted November 20th, 2009, 2:11 pm

Sage 1.4.3, the current version available at addons.mozilla.org, https://addons.mozilla.org/en-US/firefox/addon/77, has had a known serious vulnerability for 1.5 years. Now it has been publicized on Slashdot, yet the extension is still available at a.m.o. with the slightest of warnings ("Let me install this experimental add-on"). This is wrong, wrong.

http://it.slashdot.org/story/09/11/20/1 ... Extensions
http://www.net-security.org/secworld.php?id=8527

The author of the extension has been repeatedly told by Mozilla's people on Bugzilla how to fix the problem, which allows malicious RSS feeds to control the browser's chrome and own the user's computer, but he continues to apply half fixes in order to allow better "user experience". The Mozilla people continue to allow him to delay applying a real fix, and meanwhile allow the extension to stay on a.m.o with the checkbox warning!

Questions:
* Why should a.m.o. host this sort of flawed extension, however popular?
* Can Mozilla actively disable this extension if installed, or is that only for bad plugins?
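A defender's illustration of the feed-to-chrome problem described above: this is added example code, not Sage's or Mozilla's, and it assumes the item fields have already been extracted from the feed XML by a proper XML parser (the function names are hypothetical):

```javascript
// Added illustration, not Sage's code: reduce untrusted RSS item fields to plain
// text and vetted links so feed-supplied markup can never run in browser chrome.
// Assumes fields were already extracted by a real XML parser; names are hypothetical.
const CDATA_RE = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
const SCRIPT_STYLE_RE = /<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// One-pass entity decode: "&amp;lt;" becomes "&lt;", never "<" (no double decoding).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== "#") return NAMED_ENTITIES[body.toLowerCase()] ?? match;
    const hex = body[1].toLowerCase() === "x";
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Plain text only: CDATA-wrapped HTML and entity-encoded HTML (RSS 2.0 style)
// both lose their tags. A stray "<" that survives is harmless because the
// caller must assign the result with textContent, never innerHTML.
function toPlainText(raw) {
  return decodeEntities(String(raw).replace(CDATA_RE, "$1"))
    .replace(SCRIPT_STYLE_RE, "")   // drop script/style bodies, not just their tags
    .replace(/<[^>]*>/g, "")        // strip remaining tags
    .replace(/\s+/g, " ").trim();
}

// Only absolute http(s) URLs; javascript:, data:, chrome: and relative links
// (no trusted base to resolve against) are rejected.
function safeLink(raw) {
  let url;
  try { url = new URL(String(raw).trim()); } catch { return null; }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}
function sanitizeItem(item) {
  return {
    title: toPlainText(item.title ?? ""),
    link: safeLink(item.link ?? ""),
    description: toPlainText(item.description ?? ""),
  };
}

// Constructed sample of a hostile feed item (not from any real feed).
const UNTRUSTED_ITEM = {
  title: "Latest &amp; greatest",
  link: "javascript:void(0)",
  description: "<![CDATA[<p>Read <b>this</b></p><script>/* untrusted */</script>]]>",
};
// Vulnerable sink: sidebar.innerHTML = item.description   (feed markup runs as chrome)
// Hardened sink:   sidebar.textContent = sanitizeItem(item).description
```

The point is the sink: once every feed-derived string goes through textContent and every link through a scheme allowlist, a hostile feed is reduced to inert text.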

Ngamer01

Posts: 1009
Joined: November 3rd, 2007, 8:37 am
Location: Louisiana

Posted November 20th, 2009, 7:01 pm

AMO is already at work trying to resolve the problem; however, the bug that tracks this issue at Mozilla's Bugzilla is marked as security-sensitive. Once this security-sensitive bug is resolved, Sage will either be acted against OR remain as is if by chance the author gets a security update out that fixes the security issue before the AMO staff is left no choice but to take action.

Sage has been given many chances, so since AMO is only now taking action, Sage's author has one last chance to save the add-on from being acted against.

EDIT - Update: Sage has been removed from public on AMO and relegated to the Sandbox, which means Sage's author is out of chances. Sage will probably be blacklisted and/or removed from AMO now.

colfer

Posts: 638
Joined: December 4th, 2002, 9:34 am
Location: Bear

Posted November 21st, 2009, 9:58 am

Does "Sandbox" just mean the user has to check the box "Let me install this experimental add-on"? If so, I don't think that is sufficient. The user is not warned about the widely publicized vulnerability.

Ngamer01

Posts: 1009
Joined: November 3rd, 2007, 8:37 am
Location: Louisiana

Posted November 22nd, 2009, 12:45 pm

The sandboxing of Sage is only the first step. Next up will be removing Sage from AMO and/or adding all vulnerable versions of Sage to the add-on blocklist.

Though if it gets to the point that Mozilla adds Sage to the blocklist, that will solve your problem of people not being warned about Sage, as if somebody tries downloading Sage after it's added to the blocklist, Firefox will warn people if they try to/do install an unsecured version of Sage.

Though this blocklist won't stop any future versions of Sage if by chance the author of Sage issues new updates (especially to fix the security problems) or somebody else out there on the net forks Sage and fixes the problems with it.

herks
Posts: 3
Joined: December 4th, 2009, 11:05 am

Posted December 4th, 2009, 11:11 am

colfer wrote: The author of the extension has been repeatedly told by Mozilla's people on Bugzilla how to fix the problem, which allows malicious RSS feeds to control the browser's chrome and own the user's computer, but he continues to apply half fixes in order to allow better "user experience".

Can you point me to where these bug fix suggestions exist? My Google searches aren't coming up with anything. Thanks.

Ngamer01

Posts: 1009
Joined: November 3rd, 2007, 8:37 am
Location: Louisiana

Posted December 4th, 2009, 5:04 pm

If there were suggestions, I'd imagine they were sent through e-mail, IM, or through the security-sensitive bug(s) filed at Mozilla's Bugzilla itself.

So your request is impossible to fulfill unless by chance Mozilla removes the security-sensitive flag(s) from the bug(s) affecting Sage that were filed at Mozilla's Bugzilla.

Ngamer01

Posts: 1009
Joined: November 3rd, 2007, 8:37 am
Location: Louisiana

Posted December 7th, 2009, 1:29 pm

I know I'm double posting, but Sage apparently has a new host now. -> sagerss.com

There are no new updates there though. The last update is still listed from 2008, so don't download anything from that site until the author releases a Sage update that fixes the vulnerability problems. (This is why I didn't make sagerss.com an actual link.)

herks
Posts: 3
Joined: December 4th, 2009, 11:05 am

Posted January 25th, 2010, 11:28 am

Sage 1.4.4 was released yesterday. The site says "This is a maintenance release to address a security issue." However, https://www.mozdev.org/bugs/show_bug.cgi?id=20610 is still not fixed. He says a 3.6 compatible version will be available soon. Maybe the fix will be in there.

DanieXJ
Posts: 2
Joined: June 20th, 2008, 2:25 pm

Posted January 26th, 2010, 5:56 pm

This is really an annoying thing, since Sage does just what I wanted, and didn't try to do anything extra.

It also explains what happened a couple of months ago when I clicked on one of my feeds and suddenly I had a Trojan trying to install itself.

I really hope that the creator decides to really fix the security issue, 'cause it really was a good (for the most part) extension.
