You may have already heard of this, but there is a malware which goes around disguised as a Firefox extension. I have no details regarding the malicious code but to be honest, I am not surprised at all. In fact, I wonder why it took so long for the bad guys to figure that Firefox is an excellent malware delivery platform. Usually they are quicker.
A couple of months back, just before my BlackHat talk, I was planning to launch yet another of my experiments. [...]
One of the things that we enjoy the most, here at GNUCITIZEN, is finding issues in features. Unlike bugs, insecure features tend to be more severe and usually last longer due to uneasy and rather long decision making process on whether the feature should be continued or discontinued once and for all. In my previous post I outlined some of my concerns about the data: protocol. Today, I would like to draw your attention on the insecurities that come with my personal favorite: jar:. [...]
It seams that QuickTime media formats can cause Firefox to misbehave. The result of this vulnerability can lead to full compromise of the browser.
Before we move on, I have to say a few things. Last year I disclosed two QuickTime vulnerabilities here and here. The first vulnerability was fixed but the second one was completely ignored. I tried to bring the spot light on the second vulnerability one more time over here without much of success. [...]
Inspired by Michal Zalewski‘s recent Firefox bug hunt, I decided to give it a go and see what I can come up with. We all know how vulnerable Firefox and other browsers are. This is the reason why I am not particularly interested in finding specific browser bugs.
This vulnerability is not a reworked version of Jeremiah Grossman history hack. It is completely different and it should be treated as a new issue. [...]
Technika is a general purpose scripting platform for Firefox. It acts like a standard OS shell scripting environment. You can script everything from the currently viewed page, just like Greasemonkey, and everything in the chrome, just like any browser extensions but without need to restart the browser every time you make a change. The platform will be used as a base component to other projects, such as TSF (Technika Security Framework) and AttackAPI browser extension. [...]
The script can be downloaded from here. [...]