About the safety of extensions
September 22, 2007
Note: By popular demand, this is the translation of a column I first wrote in French. I intend to follow up this column with more technical aspects of the difficulties related to ensuring the safety of extensions, and at a later stage, the state of the art of the work of researchers in software safety.
Note: I was asked to translate a column I wrote a few days ago on the safety of extensions. Several follow-ups are planned, which will deal with more technical aspects, then with the state of research in software security.
I’m using Firefox and I’m quite satisfied. From what I hear, in addition to being more user-friendly than Internet Explorer, Firefox is also largely safer. That’s a good start. That’s not a big achievement, mind you, as Internet Explorer has the long-standing tradition of being the least-safe piece of software around. Now, part of the success of Firefox is due to its large number of extensions: small, easy-to-write programs that add or improve features of the browser, or change its appearance, or translate it into different languages… There’s the rub.
A rub? What rub?
Not much: extensions are granted every right. The developers of Firefox have made it possible to write extensions that will fix your spelling or your grammar as you write. They also made it possible to write extensions that will inform you whenever you receive a mail or that will let you chat with your friends. Well, by using the exact same techniques, I can write an extension that will wait until you type your bank password or your credit card number and then send me that information. The developers of Firefox have made it possible to write text processors with which you may save your documents on your hard drive. With the same techniques, I can write an extension that will format your hard drive.
Were I malicious, I could just write an extension you wish to install, say a small game, or a YouTube-enabled utility, or a password manager, or a schedule organizer — and add to that extension everything I need to get your confidential information or erase your hard drive. If I manage to get you to install my extension, you have lost — and for that, I don’t even need a bug in Firefox.
That’s not the only problem, mind you. Even assuming that Firefox somehow restricts what my extension can or can’t do, it would be unreasonable to prevent my extension from deciding what it will display, or, say, from performing such a benign task as loading a web page, wouldn’t it? That’s a subtle error, albeit a dangerous one: if I can decide what my extension looks like, I can make it look like a message from your anti-virus, with a link to download and install an update — of course, it’s going to be a forged update and that update will install some bigger, badder program on your computer. I can make it look like your password manager, your accounting software, or even like your browser displaying eBay’s website or your bank’s website. Just by playing on looks, I can therefore take control of your computer or get your important passwords. And if my extension can load web pages, I can use that to communicate with it, either for remote controlling your computer, or simply to receive stolen data. If I manage to get you to install my extension, you have lost again. And I still don’t need a bug in Firefox.
Just to set things straight: this is not specific to Firefox. Internet Explorer, Konqueror, Safari, Opera and all the other browsers around: they all support some form of extension, through mini-programs that may be installed from a web page and that modify the behavior of your browser. Quite often, the developers of these browsers have made it possible for these add-ons to do just about anything — good or bad.
Let’s take a look at the situation, browser by browser.
Browser by browser
Before proceeding, let’s agree on a bit of vocabulary: the technology used to write a mini-program is either “a sandbox”, if the mini-program can’t do anything too dangerous, such as reading your files or formatting your hard drive, unless you explicitly allow it to do so — or “unrestricted”, if the mini-program doesn’t need your authorization. The technology may also be either “noticeable”, if it can’t be used to take on the appearance of another piece of software, or “indistinguishable”, if it can look like any other program already present on your computer.
For this comparison, we do not take into account temporary safety flaws, such as bugs. That’s a different issue.
Let us start with the most widely used browser. A web page may contain at least four categories of mini-applications that will somehow be executed on your computer and modify the behavior of Internet Explorer:
- Netscape plug-ins extend Internet Explorer with the ability to understand other types of content. The best-known plug-ins are Windows Media Player, QuickTime and Flash. Any web page may instruct Internet Explorer to install a plug-in. Plug-ins are unrestricted and indistinguishable. This feature is inherited from the ancestors of Firefox.
- Browser Helper Objects, essentially identical to Netscape plug-ins. They are also unrestricted and indistinguishable.
- ActiveX controls put full-blown pieces of software inside a web page. For instance, Windows Update, among other things, is an ActiveX control, but you may also find anti-virus controls that can check your computer from a web site, as well as any sort of application. The computer science community considers ActiveX controls an aberration, introduced for purely commercial purposes, for the sake of occupying the market, with no concern for wide and evident safety issues. ActiveX controls are unrestricted and indistinguishable.
- Java or Flash applets (or mini-applications) also put pieces of software inside a web page. They are everywhere, including numerous on-line ads and most on-line games. These applets are both sandboxed and noticeable, which makes them safe in the absence of bugs. This feature is inherited from the ancestors of Firefox.
In the future, Microsoft’s new Avalon technology promises a new category of mini-program installed by web pages inside Internet Explorer:
- Silverlight applets, similar to Java or Flash applets (with which they share a technological base) or to the yet-unmentioned XUL mini-applications (by which they are inspired). Silverlight applets are sandboxed but indistinguishable from other applications.
I will not include in that list Shell Commands, another form of mini-program able to modify the behavior of Internet Explorer, as these must be installed manually by the user, with an installer, just like normal applications.
So, how do the developers of Internet Explorer cope with the risk due to unrestricted or indistinguishable mini-programs?
Asking the user
Until recently, the philosophy of Microsoft was that it was more important to display impressive web pages than to ensure any safety. Therefore, Internet Explorer used to automatically install Netscape plug-ins, Browser Helper Objects or ActiveX controls, as instructed by the web page — whether that web page was trustworthy or not.
After numerous years and under the increasing pressure of Firefox, this design has changed. Now, before installing, Internet Explorer first asks the user.
(Feature imported from Firefox)
Before installing an ActiveX control, recent versions of Internet Explorer may check the signature of that control, that is, ask for proof of the identity of the author of that control. This does not seem to apply to Netscape plug-ins or Browser Helper Objects.
Whenever the user downloads a signed mini-program, barring any accident, he may be sure of the developer or editor’s identity. If the mini-program turns out to be malicious, at least, there’s someone to sue. It’s a bit late, but it’s dissuasive.
Unfortunately, signatures are rather expensive (a few hundred dollars per program). In addition, it has been proved several times that obtaining false signatures is possible, if one can just manage to convince the company delivering the signature that one is a representative of, say, Microsoft. This has happened. Also, this won’t prevent the installation of accidentally dangerous extensions — something quite common, and not just under Internet Explorer. Finally, this won’t help against a company that doesn’t fear justice. Some companies don’t fear justice because they are essentially made of straw, created only for long enough to propagate a virus that can then be used to, say, blackmail other companies. Other companies have enough billions of dollars to feel secure from the actions of individuals. Microsoft and Sony, for instance, have both been caught red-handed in similar practices.
For a long time, users of Internet Explorer could not find out which mini-programs were installed on their computer, nor could they uninstall them. Since August 2004, this has been partly possible. This is a minimal measure, as it only applies to Browser Helper Objects, and since it can in no way block malicious mini-programs.
(Feature imported from Firefox)
Watch the web
Since version 7, Internet Explorer monitors the web pages you visit and checks whether they have been reported as dangerous. A page may be flagged as dangerous either because some piece of software used internally by Microsoft has analyzed it as such, because the page shows traits often seen in attacks, or because users have informed Microsoft of suspicions about this web page.
In my mind, this is the most efficient measure taken by Microsoft. Although not sufficient, it should be able to block most threats for most users, for the time being.
(Feature established in collaboration with the developers of Firefox, Opera and Konqueror)
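The “watch the web” check described above amounts to canonicalizing each visited URL and looking it up in a list of pages reported as dangerous. The following Python is an added example written for this column, not code from any browser vendor: the blocklist format (`host:` and `prefix:` entries), the entries themselves and the host names are constructed for the illustration. It shows the two details that make such a lookup robust: the URL is normalized first (case, default port, fragment), and a blocked domain covers all of its subdomains.

```python
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample blocklist (made up for this example, not a real feed).
# "host:<name>" flags that host and every subdomain of it;
# "prefix:<url>" flags every page whose canonical URL starts with that prefix.
SAMPLE_BLOCKLIST = """
# comment lines are ignored
host:phish.example
prefix:http://downloads.example/updates/antivirus-update
"""


def canonicalize(url: str) -> str:
    """Normalize a URL so that different spellings of one page compare equal.

    Lowercases scheme and host, drops a trailing dot on the host, drops the
    default port, supplies a missing path and removes the fragment, which the
    server never sees and which must not be able to defeat a match.
    """
    raw = url.strip()
    if "://" not in raw:
        raw = "http://" + raw  # assume http when no scheme is given
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    port = parts.port
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def parse_blocklist(text: str) -> Tuple[Set[str], List[str]]:
    """Split a blocklist into a set of blocked hosts and a list of blocked URL prefixes."""
    hosts: Set[str] = set()
    prefixes: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        if kind == "host":
            hosts.add(value.lower().rstrip("."))
        elif kind == "prefix":
            prefixes.append(canonicalize(value))
    return hosts, prefixes


def is_flagged(url: str, hosts: Set[str], prefixes: List[str]) -> Optional[str]:
    """Return the matching blocklist entry for a URL, or None if it is not flagged."""
    canon = canonicalize(url)
    host = urlsplit(canon).hostname or ""
    labels = host.split(".")
    # Walk from the full host up through its parent domains so that a blocked
    # domain also covers its subdomains.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return f"host:{candidate}"
    for prefix in prefixes:
        if canon.startswith(prefix):
            return f"prefix:{prefix}"
    return None


if __name__ == "__main__":
    hosts, prefixes = parse_blocklist(SAMPLE_BLOCKLIST)
    for visited in ("http://login.PHISH.example/bank#top",
                    "https://bank.example/",
                    "http://downloads.example:80/updates/antivirus-update.exe"):
        print(visited, "->", is_flagged(visited, hosts, prefixes))
```

A real deployment would fetch the list from the vendor and refresh it regularly, and the column’s point stands either way: the check only catches pages someone has already reported, so it narrows the window rather than closing it.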
Let someone else do the job
The ultimate argument given to users of Internet Explorer — or, rather, Windows users — is simple: “just use an anti-virus/firewall/anti-spyware/dilithium-powered phase engine/…”
In other words, just pay someone to defend you where Microsoft has left you alone. If, either because you’re not aware, or despite your best precautions, you fall victim to some Internet parasite, it must be your fault. And not that of, say, Microsoft.
In addition, the efficiency of third-party software is limited by a simple factor: technologically, there is no difference between an unrestricted mini-program doing something useful and another one doing something evil. Windows Update or Windows Defender, for instance, may both modify your operating system to make it safer. Windows Update has also been used to modify your system to spy on you. In different circumstances, the same Windows Update could theoretically be used to take control of your computer.
Let us reformulate: there is no rigorous and complete definition of the difference between a malicious mini-program and a useful one. The only manner of preventing malicious mini-programs from being too dangerous is to restrict by default all mini-programs.
This remark is one of the reasons why Microsoft is now offering Silverlight. As mentioned earlier, Silverlight is a technology akin to Java or Flash, which may be used to create sandboxed mini-programs. One may assume that, eventually, Internet Explorer will stop accepting unrestricted mini-programs and only use the safer Silverlight mini-programs. After more than 12 years of using the unsafe ActiveX technology to combat the safe Java of its competitors, Microsoft reinvents the concept.
Like Java applets, Silverlight mini-programs may not read your files, modify the contents of your computer… unless you have given that specific authorization. On the other hand, just like Java applets, Silverlight mini-programs may communicate over the Internet, and use that to load web sites, download files for you, fill in forms on your behalf…
One last thing: where Java, Flash (and the other inspiration for Silverlight, XUL) have been designed to prevent their mini-programs from masquerading as applications already installed on your computer, Silverlight, as per Microsoft’s tradition of giving a higher priority to nice looks than to safety, seems to blur the lines and make mini-programs indistinguishable. The result? The next time a dialog box opens and asks for your password, you won’t be sure to whom you’re giving confidential info…
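The sandbox just described (and defined in the vocabulary section) is, at bottom, a host that denies every sensitive operation unless the user has explicitly granted it, while leaving harmless ones such as network access open. The Python below is an added model of that rule, written for this column; it is not the code of Java, Flash or Silverlight, and the capability names (`files:read`, `files:write`), the `Host`/`Api` split and the two mini-programs are all constructed for the illustration.

```python
from typing import Any, Callable, Dict, List, Set, Tuple


class PermissionDenied(Exception):
    """Raised when a mini-program asks for a capability the user never granted."""

    def __init__(self, capability: str) -> None:
        super().__init__(capability)
        self.capability = capability


class Host:
    """The browser side: owns the user's resources and the list of granted capabilities."""

    def __init__(self, files: Dict[str, str]) -> None:
        self.files = files                 # constructed stand-in for the user's disk
        self.granted: Set[str] = set()     # empty by default: sensitive operations are denied
        self.network_log: List[str] = []   # what the mini-program fetched, for the user's review

    def grant(self, capability: str) -> None:
        """Only the host calls this, in response to an explicit decision by the user."""
        self.granted.add(capability)

    def require(self, capability: str) -> None:
        if capability not in self.granted:
            raise PermissionDenied(capability)


class Api:
    """The only object a mini-program ever receives: it exposes operations, not grant()."""

    def __init__(self, host: Host) -> None:
        self._host = host

    def fetch(self, url: str) -> str:
        # Network access needs no grant, as the column says of Java, Flash and
        # Silverlight applets; the host still records it.
        self._host.network_log.append(url)
        return f"<html>stub page for {url}</html>"  # constructed response, no real network

    def read_file(self, path: str) -> str:
        self._host.require("files:read")
        return self._host.files[path]

    def write_file(self, path: str, data: str) -> None:
        self._host.require("files:write")
        self._host.files[path] = data


def run_miniprogram(program: Callable[[Api], Any], host: Host) -> Tuple[str, Any]:
    """Run a mini-program against the host and report how it ended."""
    try:
        return ("ok", program(Api(host)))
    except PermissionDenied as exc:
        return ("denied", exc.capability)


# Two constructed mini-programs.
def headline_counter(api: Api) -> int:
    """Needs only the network, so it runs with no grant at all."""
    return api.fetch("http://news.example/").count("<")


def word_counter(api: Api) -> int:
    """Wants to read a local file, which is denied until the user says otherwise."""
    return len(api.read_file("/home/user/notes.txt").split())


if __name__ == "__main__":
    host = Host({"/home/user/notes.txt": "three short words"})
    print(run_miniprogram(headline_counter, host))   # ('ok', 2)
    print(run_miniprogram(word_counter, host))       # ('denied', 'files:read')
    host.grant("files:read")                         # the user explicitly authorizes it
    print(run_miniprogram(word_counter, host))       # ('ok', 3)
```

The model also makes the column’s caveat visible: once the user grants `files:read`, the same always-open `fetch` call is available to whatever the mini-program read, so the grant dialog is the whole of the protection. A real sandbox enforces the `Host`/`Api` boundary in the runtime; in plain Python the underscore is a convention, not a barrier.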
(Feature strongly inspired from Firefox and its ancestors)
Although Firefox was designed with safety in mind, now that Internet Explorer has played catch-up, barring bugs, both browsers have essentially the same kinds of problems. That is, a web page may contain at least five categories of mini-programs that will run on your computer and modify the behavior of Firefox:
- Netscape plug-ins, the same ones as in Internet Explorer, with the same dangers.
- Add-ons, comparable to Netscape plug-ins. The best-known extension is AdBlock, a filter that lets you see web pages without annoying ads. Like Netscape plug-ins, add-ons are unrestricted and indistinguishable.
- Search plug-ins permit using additional search engines from Firefox’s interface. These plug-ins are sandboxed and trivially noticeable.
- Java or Flash applets, the same ones as in Internet Explorer, still not dangerous.
- Distant XUL applications put complex pieces of software on a web page, in a manner comparable to Silverlight. Distant XUL applications are sandboxed and noticeable.
So, how do the developers of Firefox take into account the risks with unrestricted mini-programs?
Asking the user
Since the beginning, Firefox won’t install any unrestricted mini-program without the authorization of the user.
Just like ActiveX controls in Internet Explorer, Firefox extensions may be signed, with the same limitations. This does not seem to apply to Netscape plug-ins.
(Feature imported from Internet Explorer)
Since the beginning, Firefox has had an easy-to-read list of installed extensions, with the option of deactivating or uninstalling extensions. Until the release of Firefox 3, expected in November 2007, this does not apply to plug-ins.
Watch the web
Since version 2, Firefox watches the web, in a manner similar to Internet Explorer.
(Feature established in collaboration with the developers of Internet Explorer, Opera and Konqueror)
Community-led checking of extensions
Users of Firefox are encouraged to download extensions only from Mozilla Add-Ons. This web site, maintained by volunteers of the Mozilla community, lists most Firefox extensions. Every new extension starts in a test zone, a part of the web site reserved to volunteer testers. In order to get his extension out of the test zone and into the generally available area, a developer must obtain sufficient votes from testers. In order to do so, he must convince them that his extension is useful and safe. Among other things, testers are in charge of checking if this extension is being maintained, if people are working on it, ironing out bugs, answering questions and criticisms, improving it…
If an extension turns out buggy, Mozilla Add-Ons has facilities for offering updates to all users of that extension. Conversely, if an extension that was somehow approved turns out malevolent, the site may alert all users and suggest immediate uninstallation. To the best of my knowledge, this last feature has never proved necessary.
Mark the worlds
Whenever you execute a distant XUL application, for your visual comfort, that application will look like the applications installed on your computer. However, in order to prevent a malevolent developer from using this likeness to trick you into believing you’re using a different program, a few visual elements cannot be modified and underline the fact that you’re currently using a distant XUL application.
Unfortunately, under Firefox 1 and 2, these visual elements are limited to the status bar on the bottom of the window. Noticing that you’re in front of a distant XUL application therefore requires attention to details. Starting with Firefox 3, however, additional elements, including the address bar, will remain unmodifiable. This measure should make identification more immediate.
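The “noticeable” property rests on the browser reserving some of the screen for itself: the remote application draws the rest, but the reserved elements always say where the content really comes from, and the content cannot imitate them. The Python below is an added model of that idea, written for this column, not Firefox’s code; the reserved marker character, the line-based “screen” and the spoof attempt are constructed for the illustration. The `firefox3_style` flag switches between the status-bar-only frame the column attributes to Firefox 1 and 2 and the larger frame it expects from Firefox 3.

```python
from typing import List

# Reserved prefix for lines drawn by the browser itself. Content supplied by a
# remote application is never allowed to start with it, so a user (or a tool)
# can tell chrome from content by the first character of the line.
CHROME_MARK = "\u2503 "


def neutralize(line: str) -> str:
    """Keep a content line from impersonating a chrome line."""
    if line.startswith(CHROME_MARK.strip()):
        return " " + line  # indent it, so it no longer carries the reserved prefix
    return line


def render(origin: str, content: List[str], firefox3_style: bool = False) -> List[str]:
    """Frame a remote application's output with elements it cannot alter."""
    body = [neutralize(line) for line in content]
    status_bar = f"{CHROME_MARK}Remote XUL application from {origin}"
    if not firefox3_style:
        return body + [status_bar]            # Firefox 1 and 2: only the status bar
    address_bar = f"{CHROME_MARK}Address: {origin}"
    return [address_bar] + body + [status_bar]


def chrome_lines(screen: List[str]) -> List[str]:
    """Return the lines that really come from the browser."""
    return [line for line in screen if line.startswith(CHROME_MARK)]


# Constructed spoof attempt: a remote application served from apps.example
# dresses itself up as a bank login and even draws its own "address bar".
SPOOF_ATTEMPT = [
    "Bank of Example - Secure login",
    "Enter your password:",
    CHROME_MARK + "Address: https://bank.example/",
]


if __name__ == "__main__":
    for style in (False, True):
        screen = render("http://apps.example", SPOOF_ATTEMPT, firefox3_style=style)
        print("\n".join(screen))
        print("genuine chrome:", chrome_lines(screen))
        print()
```

With the Firefox 1/2 frame the only genuine line is the status bar at the bottom, which is exactly the “attention to details” problem the column describes; with the Firefox 3 frame the true origin also sits at the top, where the forged address line cannot displace it.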
Once again, Opera is more minimalistic than its competitors. A web page may offer at least three types of mini-programs executed on your computer and that modify the behavior of Opera:
- Netscape plug-ins, once again.
- Flash or Java applets, once again.
- Widgets are web pages, with a different presentation. Widgets are sandboxed but indistinguishable.
Note that Opera supports only one type of unrestricted mini-program.
Asking the user
Since the beginning, Opera installs no plug-in or widget without the explicit authorization of the user — with the exception of widgets provided on the website of Opera and which I assume have been tested by Opera’s engineers.
Opera widgets may be easily uninstalled. Unfortunately, plug-ins may not.
Watch the web
Since version 9, Opera watches the web much like Internet Explorer or Firefox.
(Feature established in collaboration with the developers of Internet Explorer, Firefox and Konqueror)
The bottom line here is that, while Opera is indeed the safest web browser from the point of view of bugs, its users may still be attacked through bogus plug-ins or widgets.
For Safari, four kinds of mini-programs:
- Netscape plug-ins, always the same ones.
- WebKit plug-ins, hybrids between Netscape plug-ins and Firefox extensions, unrestricted and indistinguishable.
- Java/Flash mini-applications, still safe.
- Widgets, comparable to Opera widgets, probably with the same dangers.
This list does not include AppleScripts, as these must be installed manually by the user, like any other application.
As I could not test Safari, I am unable to tell you more about how developers manage the risk due to mini-programs. From the documentation, it seems that WebKit plug-ins cannot be signed.
Here, Konqueror is even more minimalist than the other browsers, with:
- Netscape plug-ins, can’t live without them.
- Flash or Java applets, they’re everywhere.
The developers of Konqueror seem to have taken no specific measure to manage the risk of Netscape plug-ins.
Watch the web
Konqueror watches the web much like Internet Explorer or Firefox.
(Feature established in collaboration with the developers of Internet Explorer, Firefox and Opera)
This column lists numerous measures taken to limit the danger of unrestricted mini-programs. Other approaches have been undertaken by research projects but, to the best of my knowledge, have not been deployed for end-users.
Are these measures sufficient? Visibly not. None will guarantee anything. Even in the absence of bugs, if you do not watch carefully what you are installing, you are taking chances. Actually, even if you do, you are taking chances.
You know what?
In case of problem, everyone will tell you it’s your fault.