Mozilla bans Firefox extensions for executing remote code
2020-01-28 10:38

What the banned extensions actually did is difficult to say - Mozilla lists them on Bugzilla using only the IDs they used on addons.

The hard ban on extensions that execute remote code seems to have happened around the time pre-release versions of Firefox 72 hove into view, but this was only noticed by some developers and users when the company abruptly banned several page translation extensions in November.

That implies that, prior to November, extensions loading such code could operate with more freedom, specifically those that were being self-hosted as unlisted extensions rather than served via the AMO. That doesn't mean that every extension loading remote code in the past was doing so for malicious reasons, but it underlines how Mozilla is having to tighten controls in the face of growing abuse.

Last year it slapped a ban on extensions using obfuscated code, such as JavaScript code where the purpose or intention is in some way hidden.

As Mozilla points out, many extensions aren't written by well-known developers, so a deeper dive might be necessary.


News URL

https://nakedsecurity.sophos.com/2020/01/28/mozilla-bans-firefox-extensions-for-executing-remote-code/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Mozilla 38 116 1541 574 578 2809