It goes without saying that any given piece of computer code—be it an app, a part of your operating system, or even a browser plug-in—may contain flaws that could leave your PC open to attack. But a team of researchers from Northwestern University have come across a new method of attack that can take advantage of holes in one or more installed Firefox add-ons.
According to the team’s research paper (
PDF), this newly discovered attack “leverages capability leaks from legitimate extensions to avoid the inclusion of security-sensitive API calls within the malicious extension itself.”
Put another way: Firefox doesn’t enforce any isolation between the add-ons you install,
as Ars Technica notes, which could potentially result in security problems. As a result of this lack of isolation, researchers say, an attacker could write a malicious Firefox add-on that appears harmless, but can use security flaws in other installed add-ons to do its bidding.
In this sort of attack, the malicious add-on itself might not raise and security red flags, but it may still be able to wreak havoc on your PC.
