Firefox 3 Alpha Blocks Malware, Secures Plug-in Updates

Reposted: 2007-09-26 10:41:00

Mozilla Corp. updated the preview of Firefox 3.0 to alpha 8 Thursday, unveiling for the first time to users several security features it's talked up for months.

Among the security provisions debuting in the new alpha of "Gran Paradiso," the code name for Firefox 3.0, are built-in anti-malware warnings and protection against rogue extension updates, according to documentation Mozilla posted to its Web site.

The malware blocker, which was first mocked up in June, will block Web sites thought to contain malicious downloads. The feature, a companion to the phishing site alert system in the current Firefox 2.0, will use information provided by Google Inc. to flag potentially dangerous sites, warn anyone trying to reach those URLs with Firefox and automatically block access to the site.

Mozilla also pointed to a URL that demonstrates the new malware blocker for alpha 8 users.

Also taking a bow is a check meant to prevent plug-ins' automatic updates from sending users to malicious sites where they might be infected by attack code or drive-by downloads.

Firefox relies on small plug-ins -- called "extensions" in the Mozilla vernacular -- for much of its power and flexibility. Several thousand extensions have been written, the vast bulk of them by outside developers, that do everything from boost browsing speed to block irritating Flash animations. Firefox regularly checks to see if the installed extensions are up to date, and if not, automatically pulls in the newest version and installs it.

"Firefox automatically checks for updates to add-ons using a URL specified in the add-on's install manifest," Mozilla spells out in a developer's document. "Currently there are no requirements placed on these URLs. In particular, [they are not] required to be https. This allows either the update manifest or the update package to be compromised, potentially resulting in the injection of malicious updates. A demonstration of one form of compromise is already public."

Most extensions are hosted on Mozilla's own servers -- at the servers feeding its Add-ons site -- but some are not; it's those off-site extensions that Mozilla wants to lock down.

To stymie attacks through a compromised extension update, Mozilla will require updates -- both the actual update package and the much smaller "manifest," or notification of an update -- to be delivered over an SSL-secured connection, or else the update must be digitally signed.
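The rule above can be turned into an audit of installed extensions' install manifests. The following is an added example, not code from the article or from Mozilla: the `em:updateURL` and `em:updateKey` property names come from Mozilla's install manifest format rather than from this article, the sample manifests are constructed, and treating a manifest with no custom update URL as acceptable is an assumption. It checks only what the manifest declares and does not verify any signature.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
EM = "http://www.mozilla.org/2004/em-rdf#"  # install-manifest namespace

def em_value(root, name):
    """Find an em: property written as a child element or as an attribute."""
    qname = f"{{{EM}}}{name}"
    for node in root.iter():
        if node.get(qname):
            return node.get(qname).strip()
        if node.tag == qname and node.text and node.text.strip():
            return node.text.strip()
    return None

def audit_update_channel(install_rdf):
    """Return (verdict, reason) for the update channel a manifest declares."""
    root = ET.fromstring(install_rdf)
    url = em_value(root, "updateURL")
    if url is None:
        # Assumption: no custom URL means the default Add-ons update service.
        return ("ok", "no custom update URL")
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return ("ok", "update manifest fetched over SSL")
    if em_value(root, "updateKey"):
        return ("ok", "non-SSL update URL, but updates are signed")
    return ("insecure", f"{scheme or 'unknown'} update URL and no signing key")

def manifest(extra=""):
    """Build a constructed install.rdf; ids, hosts and the key are placeholders."""
    return f"""<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="{EM}">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample@example.invalid</em:id>
    {extra}
  </Description>
</RDF>"""

HTTP_URL = "<em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>"
SAMPLES = {
    "default": manifest(),
    "https": manifest(HTTP_URL.replace("http://", "https://")),
    "http_unsigned": manifest(HTTP_URL),
    "http_signed": manifest(HTTP_URL + "<em:updateKey>PLACEHOLDER</em:updateKey>"),
}

if __name__ == "__main__":
    for name, rdf in SAMPLES.items():
        print(name, audit_update_channel(rdf))
```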

The change doesn't affect the initial installation of an extension, something Mozilla recognized. "[This] has no impact on the security of initial add-on installs," it told developers in the online guide.

This newest preview, which can be downloaded in versions for Windows, Mac OS X and Linux from the Mozilla site, still comes with a warning to end users. "Alpha 8 is intended for Web application developers and our testing community. Current users of Mozilla Firefox should not use Gran Paradiso Alpha 8," the browser's release notes state.

Mozilla has not officially committed to a release date for the final version of Firefox 3.0.



