Malicious Mozilla Firefox add-ons blocked: used by at least 455K users

Mozilla discloses that two extensions installed by many users blocked the download of security updates

Malicious add-ons were installed by 455 000 users. Mozilla reports on two add-ons that were misusing the proxy API to stop security updates

Two web browser add-ons, used by 455 000 users, were found misusing the Proxy API to stop downloads of security updates for the browser.[1] Bypass and Bypass XM interfered with Mozilla Firefox functions to prevent users from getting needed browser updates.

This access to proxy web requests means that the threat actor could possibly control the Firefox browser's connections to the web and later implement other malicious procedures, infiltrating the browser and the machine. Mozilla disclosed[2] the issue in the post made by Rachel Tublitz and Stuart Colville:

These add-ons interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content.

Since these add-ons were downloaded by this many users, the company blocked these extensions and paused the approvals of other add-ons that used the proxy API to prevent additional encounters and issues.[3] This is a temporary solution that will be canceled when all the users get the fix for this problem.[4]

Add-ons control Firefox connection to the internet

The issue was detected back in June when the misuse of the proxy API was discovered. The add-ons control how the browser connects to the internet, so the process of updating the application is corrupted. The blockage of other applications and browser add-ons that rely on the proxy API can create issues for the developers of legitimate add-ons.

Mitigations are now in place to prevent further damage and the installation of more malicious add-ons. Mozilla Firefox includes the changes starting with Firefox 91.1. Requests for the needed security updates can now be made properly, and those upgrades get delivered to protect users.

Users should keep their Firefox up to date and make sure to have Microsoft Defender or a third-party antivirus tool running. Getting the latest version of the web browser, Firefox 93, can also help. Recent versions come with updated blocklists, so the malicious extensions and add-ons are already disabled.
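As an added example (not code from Mozilla or from this article), the following Python script lists installed extensions that hold the `proxy` permission, the permission required to use the proxy API discussed above. It assumes the profile's `extensions.json` layout shown in the docstring, reads install-time permissions only, and the sample data and `example.invalid` IDs are constructed.

```python
import json

# Add-on names reported in the article. A display-name match is only a triage
# hint: names are not unique, and the article gives no add-on IDs.
REPORTED_NAMES = {"bypass", "bypass xm"}

def audit_proxy_addons(extensions_json_text):
    """Return installed extensions that were granted the 'proxy' permission.

    Assumed layout of a Firefox profile's extensions.json: a top-level
    "addons" list whose entries carry "id", "type", "active",
    "defaultLocale" -> "name" and "userPermissions" -> "permissions".
    """
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs cannot proxy
        perms = (addon.get("userPermissions") or {}).get("permissions") or []
        if "proxy" not in perms:
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or "(unnamed)"
        findings.append({
            "id": addon.get("id"),
            "name": name,
            "active": bool(addon.get("active")),
            "name_reported": name.strip().lower() in REPORTED_NAMES,
        })
    # Triage order: active add-ons first, then names matching the report.
    findings.sort(key=lambda f: (not f["active"], not f["name_reported"], f["name"]))
    return findings

# Constructed sample input, not taken from a real profile.
SAMPLE = json.dumps({"addons": [
    {"id": "notes@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Notes"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "vpn@example.invalid", "type": "extension", "active": False,
     "defaultLocale": {"name": "Example VPN"},
     "userPermissions": {"permissions": ["proxy"], "origins": []}},
    {"id": "bypass@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Bypass"},
     "userPermissions": {"permissions": ["proxy", "webRequest"],
                         "origins": ["<all_urls>"]}},
    {"id": "theme@example.invalid", "type": "theme", "active": True,
     "defaultLocale": {"name": "Dark"}, "userPermissions": None},
]})

if __name__ == "__main__":
    for finding in audit_proxy_addons(SAMPLE):
        print(finding)
```

Holding the `proxy` permission is not malicious by itself, since legitimate add-ons use it too; the output is a shortlist for manual review.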

Web browser providers make sure to improve the protection

Mozilla and Google recently announced that they are close to finalizing the Sanitizer API for their web browsing products to ensure protection against cross-site scripting attacks.[5] The Sanitizer API in the Firefox and Chrome browsers should help developers protect apps from the use of malicious JavaScript code.

Sanitizing dynamic markup checks it for harmful pieces and can block the malicious threat. This can be a major change and improvement to web security. The Sanitizer API is a specification that gives browsers native support for blocking malicious code in markup that is added to websites.

This is a work in progress that was first proposed at the beginning of 2021. Google, Mozilla, Cure53, and the maintainer of the DOMPurify library joined forces to make this happen. This addition not only improves the security of the browser but can also improve the accessibility and speed of web browsing tools.

The Sanitizer API is not a mechanism that could make a huge difference for all web programs. Nevertheless, it complements other security techniques that are already built into browsers. It aims to prevent DOM-based attacks, so developers can use the built-in option instead of relying on HTML providers like with Trusted Types.[6]

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from the Washington and Jefferson College, Communication and Journalism studies.
