News
Lieberman Software president warns on Firefox 10 silent update feature
November 2011 by Lieberman Software
Responding to reports that Mozilla is planning to implement silent background updates in the upcoming version of Firefox 10, Lieberman Software has warned that the feature could be very bad news on the security front.
According to Philip Lieberman, President and Chief Executive Officer of Lieberman Software, while many IT security systems will have to be
reconfigured to allow background updates to Firefox - which is not a good
thing in the first place - there is danger that hackers could subvert the
update system to allow them backdoor access to the users’ computer.
"Auto-updating can be a welcome feature for many computer users, but the
feature does need to let the user know what is happening. Having your
software quietly update in the background - presumably on a modular code
basis - is not something that all IT security professionals will welcome,"
he said.
"If, as I think appears quite likely, hackers start reverse engineering the
Firefox background updating system - and remember we are talking about open
source software here - then it is only a matter of time before they subvert
this auto-updating mechanism to inject malware," he added.
The Lieberman Software president went on to say that, at the MalCon security
conference taking place in Mumbai later this week, well-known code cracker
Peter Kleissner - who developed the Stoned bootkit back in 2008 - is
scheduled to reveal the first Windows 8 bootkit.
This Stoned Lite bootkit, he explained, will reportedly allow code loaded
from the Master Boot Record on the PC’s hard disk to remain in place all the
way through the Windows 8 boot-up and loading purpose
(http://bit.ly/uVBbpo).
It is coding technology like this, says Lieberman, which could allow the
Firefox background updating system to be subverted, as he notes that we are
talking about ultra low-level code that actually sits under the Windows 8
operating system itself.
"It doesn’t take a programming genius to figure out that - against the
backdrop of a Windows 8 bootkit - it shouldn’t be difficult to subvert a
background updater for a piece of open source software like Firefox 10," he
said.
"Having a Windows 8 bootkit that exists is bad enough, but at least IT
security professionals can set up their system controls to only allow access
to the update processes when a suitable admin account logs in. This is the
principle of admin accounts - which need to be protected using privileged
account management technology - that ensures an extra layer of security on
corporate systems," he said.
"But with the prospect of having to allow for Firefox 10 updating itself
silently and in the background, I suspect that many IT security
professionals will raise the alarm. And for the very good reason that this
is a recipe for a hacker security incursion in the background," he added.
