Ok, the fact is that nothing is IMPOSSIBLE. I am exploring the most likely vector because it is more likely. The reason being that in order for a simple patch of an active addon to be done, so many conditions must be available that it's NEARLY impossible that anyone would be that careless or clueless. Yes, THEORETICALLY, it is VERY possible to patch a set of addons that function in a particular fashion that fits their paradigm, check for the conditions needed to patch it, patch it and then run as part of that addon for as long as the lifecycle is planned. However, the most likely vector is via the web, which means unless somehow you are giving the website chrome level permissions and HD access to write (I/O access) then it cannot inject or patch squat that it can't access. However, if you were to be HIT OUTSIDE of a browser by a file of just about any executable type, then it can happen much easier, it WILL be invisible (so far as to not show up in the addon list) and yes, will run without your knowledge until someone or something looking for it finds it and cleans it out. Make better sense now?

computerfreaker wrote:
So are you saying nothing can hide from the addons list, just piggyback on a legitimate addon? Because it sounds like these goored infections are all hiding from the addons list, but it also sounds like you're saying nothing can hide from the list... I'd like to resolve that discrepancy, primarily just for the knowledge.

GµårÐïåñ wrote:
Basically someone could have analyzed a code for an extension and found a way to inject into or use it to run their own code, absolutely. HOWEVER, that being said, it will masquerade and install as "SOMETHING", what that is depends but it WILL be visible in the addons and you know you didn't put it there, you remove it.
One, completely off the top of my head, example would be: A page loads a Flash or Java applet with a payload that is downloaded to your cache as part of the execution of the APP. Then when it is done, it will have an internal code that allows for the LOCAL execution to put it in your addons. Now, if it's within the cache system (browser UI) then NoScript's ABE Local will kill that, but say you didn't have it or it was disabled or you somehow made it useless with another exemption or [insert whatever you did or could have done to open a compromising hole], then it will be able to do so very effectively. Now, does this mean that the website you trust screwed you intentionally? Generally the answer is probably not. Why? They may be using a publicly available application to show the consumer something that has a vulnerability that can be injected by someone to hit their viewers. (Think back to the formail.pl where the script was used by so many to handle mailing form results to themselves that it was exploited and used to send out spam on your behalf. It was pretty much terminated in most circles, but people still try to have this script uploaded somehow by YOU so they can go back and use it.) Hope this clears up some of what I said and makes it easier to know what I meant.
I would be happy to be part of a PM discussion on this, no problem. Also keep in mind that when I write, I write only to what I find relevant and not too long and off topic. Since Tom experienced the same problem, however briefly, and I KNOW his habits and what he will and will not do, it eliminated quite a bit of possible assumptions from discussion and why I reached that conclusion and did not bother expanding the million other ways it can be done. If I was younger and healthier, I would whip up a few POCs for you to see but I don't have that kind of time right now. Cheers.