How Web Apps Can Turn Browser Extensions Into Backdoors

Researchers show how rogue web applications can be used to attack vulnerable browser extensions in a hack that gives adversaries access to private user data.

Researchers have added another reason to be suspicious of web browser extensions. According to a recently published academic report, various Chrome, Firefox and Opera browser extensions can be exploited by an adversary to steal sensitive browser data and plant arbitrary files on targeted systems.

“We identified a good number of extensions that can be exploited by web applications to benefit from their privileged capabilities,” wrote Université Côte d’Azur researcher Dolière Francis Somé, in an academic paper titled Empowering Web Applications with Browser Extensions (PDF).

A web application is a client-server computer program that a computing device runs in a web browser – such as an online form or browser-based word processor. That’s separate from a browser extension – a small software add-on for customizing a web browser with something like an ad-blocker or a web-clipping tool.

“[Browser extensions] have access to sensitive user information, including browsing history, bookmarks, credentials (cookies) and list of installed extensions,” Somé pointed out. “They have access to a permanent storage in which they can store data as long as they are installed in the user’s browser. They can trigger the download of arbitrary files and save them on the user’s device.”

That access sets extensions apart from web applications, which are subject to what is called the Same Origin Policy (SOP), a rule that bars an app from reading and writing user data across domains. The research, however, demonstrates how a specially crafted web application can bypass SOP protections by exploiting privileged browser extensions.

“Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users,” according to the research.

The attack, according to researchers, would follow this example:

“An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The goal of the attacker is to interact with installed extensions, in order to access user sensitive information. It relies on extensions whose privileged capabilities can be exploited via an exchange of messages with scripts in the web application,” researchers wrote.

They added, “Even though content scripts, background pages and web applications run in separate execution contexts, they can establish communication channels to exchange messages with one another… APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications.”
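To make the message-passing channel described above concrete from the defender's side, here is an added example that is not from the paper or from any real extension: a content script's page-to-background relay in the unsafe form the research describes (forward whatever the page posts) next to a hardened form (check the posting origin, the message shape and an action allowlist, then rebuild the message), with a background handler that re-checks the action. The extension APIs are replaced by stand-ins so the file runs under Node; the message shape `{ type: "demo-ext", action, payload }`, the origin `https://app.example.com` and the action names are assumptions of this example.

```javascript
// Added example; message shape, origin and action names are assumptions.
// Stand-ins for privileged operations the background page could perform.
// In a real extension these would be cookies/downloads/history API calls.
const PRIVILEGED_OPS = {
  getVersion: () => "1.0.0",                                   // constructed value
  echo: (payload) => payload,
  readCookies: () => "[privileged: cookie store would be read here]",
  saveFile: () => "[privileged: a download would be triggered here]",
};

// Actions a web page is allowed to request. Cookie, history, storage and
// download operations are deliberately absent.
const ALLOWED_ACTIONS = new Set(["getVersion", "echo"]);

// Origins permitted to talk to the extension (assumption: one first-party app).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Unsafe background: dispatches whatever action name it is handed.
function vulnerableBackground(message) {
  const op = PRIVILEGED_OPS[message && message.action];
  return op ? { ok: true, result: op(message.payload) }
            : { ok: false, reason: "unknown-action" };
}

// Hardened background: re-checks the action even though the content script
// already filtered, so a second or compromised content script cannot widen
// the set of privileged operations reachable from a page.
function hardenedBackground(message) {
  if (!ALLOWED_ACTIONS.has(message.action)) {
    return { ok: false, reason: "background-rejected", action: String(message.action) };
  }
  return { ok: true, result: PRIVILEGED_OPS[message.action](message.payload) };
}

// Unsafe content-script relay: no origin check, no schema check. Any script
// running in the page (first- or third-party) can drive the extension.
function makeVulnerableRelay(sendToBackground) {
  return function onPageMessage(event) {
    return sendToBackground(event.data);
  };
}

// Hardened relay: who is talking, what are they asking for, and forward a
// freshly built message rather than the page's object as-is.
function makeHardenedRelay(sendToBackground, allowedOrigins = ALLOWED_ORIGINS) {
  return function onPageMessage(event) {
    if (!allowedOrigins.has(event.origin)) {
      return { ok: false, reason: "origin-not-allowed", origin: event.origin };
    }
    const msg = event.data;
    if (!msg || typeof msg !== "object" || msg.type !== "demo-ext") {
      return { ok: false, reason: "bad-shape" };
    }
    if (typeof msg.action !== "string" || !ALLOWED_ACTIONS.has(msg.action)) {
      return { ok: false, reason: "action-not-allowed", action: String(msg.action) };
    }
    const payload = msg.payload === undefined ? null : msg.payload;
    return sendToBackground({ action: msg.action, payload });
  };
}

// Constructed sample window.postMessage events: one legitimate request and
// three that a hardened relay must refuse.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { type: "demo-ext", action: "echo", payload: "hi" } },
  { origin: "https://evil.example.net", data: { type: "demo-ext", action: "echo", payload: "hi" } },
  { origin: "https://app.example.com", data: { type: "demo-ext", action: "readCookies" } },
  { origin: "https://app.example.com", data: "saveFile" },
];

// Runs every sample through both relays and returns the outcomes side by side.
function runDemo() {
  const vulnerable = makeVulnerableRelay(vulnerableBackground);
  const hardened = makeHardenedRelay(hardenedBackground);
  return SAMPLE_EVENTS.map((ev) => ({
    origin: ev.origin,
    vulnerable: vulnerable(ev),
    hardened: hardened(ev),
  }));
}

for (const row of runDemo()) console.log(JSON.stringify(row));
```

In a real WebExtension the relay would be registered with `window.addEventListener("message", ...)` and would call `runtime.sendMessage`; the background handler would additionally check the `sender` object it receives before acting. The same allowlist-and-rebuild pattern applies whichever API carries the messages.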

Somé focused on extensions built on the WebExtensions API, a cross-browser extension system supported by major browsers including Chrome, Firefox, Opera and Microsoft Edge. After analyzing 78,315 extensions that used the WebExtensions API, he found 3,996 that were suspicious.

While that number seems large, Somé noted that the research found only a small number of vulnerable extensions overall, and that concern should be measured accordingly. However, he wrote, “browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions.”

MICROSOFT PATCHES 20 CRITICAL VULNERABILITIES

Microsoft tackled 53 vulnerabilities with today’s Patch Tuesday bulletin. Remote code execution bugs dominated this month’s patches, representing 25 fixes. In total, 20 of Microsoft’s security fixes were rated critical.

Notable are four vulnerabilities with public exploits identified by Microsoft as CVE-2017-11848, CVE-2017-11827, CVE-2017-11883 and CVE-2017-8700. But, according to an analysis of Patch Tuesday fixes by Qualys, none of the four are being used in active campaigns.

Security experts say companies should prioritize patching a half-dozen scripting engine memory corruption vulnerabilities impacting Microsoft’s Edge and Internet Explorer 11 browsers running on versions of Windows 10, Windows 8.1, Windows 7 and Windows Server (version 1709).

“A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” wrote Microsoft regarding CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873.

Microsoft said if exploited, an attacker could gain the same user rights as the current user. “In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website,” Microsoft wrote. “These websites could contain specially crafted content that could exploit the vulnerability.”

Researchers at Zero Day Initiative said that among the critical vulnerabilities they spotted, a distinct malware bypass theme emerged. They wrote, “CVE-2017-11830 patches a Device Guard security feature bypass vulnerability that would allow malware authors to falsely authenticate files… CVE-2017-11877 fixes an Excel security feature bypass vulnerability that fails to enforce macro settings, which are often used by malware developers.”

“Speaking of malware, this patch fixes a CVE (CVE-2017-11830) that allows Device Guard to incorrectly validate an untrusted file. This means attackers could make an unsigned file appear to be signed. Since Device Guard relies on a valid signature to determine trustworthiness, malicious files could be executed by making untrusted files seem trusted. This is exactly the sort of bug malware authors seek, as it allows them to have their exploit appear as a trusted file to the target,” ZDI wrote.

Patch Tuesday also included an advisory (ADV170020), part of the Microsoft Office Defense in Depth Update series. “ADV170020 is likely related to the malware abusing Dynamic Data Exchange, and this advisory may help restrict abusing this protocol feature,” wrote Zero Day Initiative researchers.

Despite a number of attacks that have used Dynamic Data Exchange fields in Office, Microsoft has remained insistent that DDE is a product feature and not a vulnerability.

Part of Patch Tuesday also includes something new, according to Greg Wiseman, Rapid7’s senior security researcher, who said Microsoft is applying fixes to some of its open source projects. “Sixteen of the Edge vulnerabilities have been resolved in ChakraCore, the open source part of Edge’s JavaScript engine,” Wiseman said. “.NET Core is being patched for a denial of service (DoS) vulnerability (CVE-2017-11770), and ASP.NET Core has fixes for DoS (CVE-2017-11883), privilege escalation (CVE-2017-11879), and information disclosure (CVE-2017-8700) vulnerabilities this month.”

Lastly, Qualys warns that CVE-2017-11882, a Microsoft Office memory corruption vulnerability rated important, should also be prioritized. “There may be POC code for this vulnerability, so it is recommended that you give the Office updates attention this month as well,” Qualys wrote.