Malicious Firefox Extensions – continued

I worked with Phil on malicious Firefox extensions – very briefly at SSTIC, in detail on the lab’s blog, and in an unpublished short paper.

As some people asked: yes, the issues have been reported to the Mozilla security team (thanks to JP Gaulier and Tristan Nitot). And the result is a bug report marked as invalid (which is normal, since what we wanted to communicate was not a bug report but rather design issues).

So basically the situation is: ActiveX is bad because there is absolutely no security policy. There is absolutely no security policy for Firefox extensions but it’s cool.

I’m out, I really need a double shot of espresso now.