tssci security

Disable Firefox automatic updates

Christopher Soghoian has published an excellent remote vulnerability disclosure report concerning Firefox Add-ons. A number of extensions from various third parties are vulnerable to man-in-the-middle attacks.

Q: Who is at risk?

A: Anyone who has installed the Firefox Web Browser and one or more vulnerable extensions. These include, but are not limited to: Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker.

Q: When am I at risk?

A: When you use a public wireless network, an untrusted Internet connection, or a wireless home router with the default password set.

He provides two fixes to the problem:

  1. Disable extensions not obtained through https://addons.mozilla.org or through an authorized SSL-enabled website. (Add-ons obtained through the official Mozilla add-on repository and/or secured, SSL-enabled sites are not vulnerable to MITM attacks.)
  2. Disable automatic updates of Firefox Add-ons
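As an added example (not code from the original post or from Soghoian's report), the following Python script audits the install.rdf manifests that classic Firefox add-ons ship with and flags any whose em:updateURL is plain http, which is exactly the condition that makes fix 1 necessary: an update manifest fetched over http can be swapped in transit on an untrusted network. An add-on with no updateURL at all updates through the official Mozilla repository, which the post describes as not vulnerable. The three sample manifests, their add-on ids, names and update URLs are all constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by the classic (pre-WebExtension) install.rdf manifest.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def _property(desc, local_name):
    """Read an em: property given either as a child element or as an attribute."""
    child = desc.find(f"{{{EM_NS}}}{local_name}")
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(f"{{{EM_NS}}}{local_name}")


def audit_install_rdf(rdf_text):
    """Classify one add-on's update channel from its install.rdf text.

    Returns a dict with the add-on id, name, update URL and a status:
      "official" - no updateURL, so updates come from addons.mozilla.org
      "secure"   - updateURL uses https
      "insecure" - updateURL uses plain http, so the update manifest can be
                   replaced by anyone positioned between the browser and
                   the vendor's server
    """
    root = ET.fromstring(rdf_text)
    desc = root.find(f"{{{RDF_NS}}}Description")
    if desc is None:
        raise ValueError("install.rdf has no rdf:Description element")
    update_url = _property(desc, "updateURL")
    if update_url is None:
        status = "official"
    elif urlparse(update_url).scheme == "https":
        status = "secure"
    else:
        status = "insecure"
    return {
        "id": _property(desc, "id"),
        "name": _property(desc, "name"),
        "update_url": update_url,
        "status": status,
    }


def insecure_addons(manifests):
    """Return the names of add-ons whose update manifest travels over plain HTTP."""
    results = [audit_install_rdf(m) for m in manifests]
    return [r["name"] for r in results if r["status"] == "insecure"]


# Constructed sample manifests (hypothetical add-ons, not real products).
INSECURE_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-toolbar@example.test</em:id>
    <em:name>Example Toolbar</em:name>
    <em:updateURL>http://updates.example.test/update.rdf</em:updateURL>
  </Description>
</RDF>
"""

# Same information expressed in attribute form, which install.rdf also allows.
SECURE_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"
               em:id="example-sync@example.test"
               em:name="Example Sync"
               em:updateURL="https://updates.example.test/update.rdf"/>
</RDF>
"""

OFFICIAL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-amo@example.test</em:id>
    <em:name>Example AMO-hosted Add-on</em:name>
  </Description>
</RDF>
"""

if __name__ == "__main__":
    for manifest in (INSECURE_RDF, SECURE_RDF, OFFICIAL_RDF):
        r = audit_install_rdf(manifest)
        print(f"{r['status']:8} {r['name']} ({r['id']}) -> {r['update_url']}")
    print("insecure:", insecure_addons([INSECURE_RDF, SECURE_RDF, OFFICIAL_RDF]))
```

To run this against a real profile, feed it the install.rdf text from each directory under the profile's extensions folder; anything reported as insecure is a candidate for fix 1 above. The check only looks at the scheme of the update URL; it does not fetch anything, so it is safe to run offline.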

I disable automatic updates for Firefox on my laptop through Edit>Preferences>Advanced>Update tab (Tools>Options>Advanced>Update tab for Windows users).

The thing that gets me about this vulnerability is that it doesn't seem very probable. Around 75% of my computer-illiterate friends use Firefox, and over 90% of them don't even know what an extension or add-on is, since they were so used to IE and are accustomed to that level of functionality. (They still have the default news RSS feed in the bookmark toolbar, and all their bookmarks sit under the top directory.) It would take an attacker watching unsecured wifi networks or cafe hotspots all day long to find someone vulnerable to exploit. That doesn't seem very economical to me, when there are so many other vectors for attack.

Posted by Marcin on Thursday, May 31, 2007 in Security.
