
Sage allows changes to NoScript settings

Posted: Wed Nov 25, 2009 4:24 am
by therube
Just to point out ... (& unconfirmed by me) ...


Zero-day Flaws in Firefox Extensions Found - dslreports.com

"A flaw in Sage, for instance, allows a malicious RSS feed to change your NoScript settings, adding sites to NoScript's whitelist."

http://www.dslreports.com/forum/r23387213-Zeroday-Flaws-in-Firefox-Extensions-Found

AMO: Sage 1.4.3

Re: Sage allows changes to NoScript settings

Posted: Wed Nov 25, 2009 6:00 am
by Alan Baxter
Posted 20 Nov 2009 02:11 pm MST (UTC-7)
Extension vulnerability debacle (Sage) • mozillaZine Forums
colfer wrote: Sage 1.4.3, the current version available at addons.mozilla.org, https://addons.mozilla.org/en-US/firefox/addon/77 , has had a known serious vulnerability for 1.5 years. Now it has been publicized on Slashdot, yet the extension is still available at a.m.o. with the slightest of warnings ("Let me install this experimental add-on"). This is wrong, wrong.

http://it.slashdot.org/story/09/11/20/1 ... Extensions
http://www.net-security.org/secworld.php?id=8527

The author of the extension has been repeatedly told by Mozilla's people on Bugzilla how to fix the problem, which allows malicious RSS feeds to control the browser's chrome and own the user's computer, but he continues to apply half fixes in order to allow better "user experience". The Mozilla people continue to allow him to delay applying a real fix, and meanwhile allow the extension to stay on a.m.o with the checkbox warning!

Questions:
* Why should a.m.o. host this sort of flawed extension, however popular?
* Can Mozilla actively disable this extension if installed, or is that only for bad plugins?