Firefox Add-ons attacked

rezpower said:

now the question is what addons are safe to use and which addons should be removed exactly!

Uh, difficult question.
Second article says "It is not clear whether the flaw has actually affected any users, as the researchers demonstrated it only as a proof-of-concept."

So, don't panic, but who knows?

AndreTen said:

Not using listed? Or you don't use any add-on? Why do you think that those not listed are safe? This affects almost all of them!

I'm using only 3 that I've been using for years: Ghostery, Hide Tab Bar With One Tab and Status-4-Evar.

larc919 said:

I'm using only 3 that I've been using for years: Ghostery, Hide Tab Bar With One Tab and Status-4-Evar.

And the cited article wasn't telling, that not listed add-ons are safe. Just that one of the ten most popular isn't affected. Most of the other are not safe either.

From the article, you would need to download a malicious Add-On that would then exploit your already installed add-ons . So not much danger unless you download crap add-ons without reading reviews or otherwise get informed.

EricTheO said:

From the article, you would need to download a malicious Add-On that would then exploit your already installed add-ons . So not much danger unless you download crap add-ons without reading reviews or otherwise get informed.

I think, that for average user, the most dangerous can be PUPs which you install with other well rated programs. These can be stand alone programs as well as browser add-ons.
So I can't agree with you, that this is not a problem. Bad guys will always find their way.

AndreTen said:

Uh, difficult question.
Second article says "It is not clear whether the flaw has actually affected any users, as the researchers demonstrated it only as a proof-of-concept."

So, don't panic, but who knows?

Ars Technica calls it "proof of concept," too. These "proof of concept" articles are always amusing...;) Ever notice how the hackers who who develop these "concepts" (and so give the bad guys new ideas) are called "security researchers," while the guys who actually develop the hacks that the "proof of concept" publicizes are called "malicious hackers"? I see little difference between the two groups. They are all hackers.

But anyway, as with most "proof of concepts" it is highly unlikely this kind of thing might ever work well because so many elements have to be precisely aligned--elements over which the hacker has no control. There is no "safe" list, etc., because there exists no threat...;) No one has been exploited by this particular concept and may never be, so atm everything is "safe."

waltc said:

Ars Technica calls it "proof of concept," too. These "proof of concept" articles are always amusing... Ever notice how the hackers who who develop these "concepts" (and so give the bad guys new ideas) are called "security researchers," while the guys who actually develop the hacks that the "proof of concept" publicizes are called "malicious hackers"? I see little difference between the two groups. They are all hackers.

But anyway, as with most "proof of concepts" it is highly unlikely this kind of thing might ever work well because so many elements have to be precisely aligned--elements over which the hacker has no control. There is no "safe" list, etc., because there exists no threat... No one has been exploited by this particular concept and may never be, so atm everything is "safe."

Agree with the second part, but can't with the first.

Of course they (good and bad guys) are both hackers. I see your point, but security researchers are not making direct money with security holes they find. This can be some of the most brilliant scientist in their field. They have to publish papers and have to attend conferences. If they don't ... they loose position.

But security breach that is published is no real threat anymore. Company can fix it. So, there exists both, good and bad guys (hackers).

Of course, just my opinion :)