News worthy

Many Firefox extensions are vulnerable to man-in-the-middle attacks. Many blogs have picked up on the story. I’m glad this issue is finally getting attention. While we are likely not to see wide-spread exploitation, this issue needs serious attention. Let’s not forget how badly ActiveX controls have been abused in the past.   As Firefox gains users, we’ll see more malware posing as Firefox extensions.  Firefox extension developers need to do a better job signing their code.

What I find interesting is that this issue has been known for sometime. I can never predict what will be news worthy. It’s all about how you present the issue. Several people at Microsoft were talking about this over two years ago. Previous discussion on the issue never used the “V word”. It wasn’t until Chris Soghoian used the word “vulnerability” (rightly so) that this issue got the attention it probably should have received years ago.

Users (and sometimes developers) don’t understand DNS spoofing, trust, man-in-the-middle, certificates, BGP, AS Numbers, etc. But people do understand the concept of a vulnerability.