Log4j Immunizer extension. Maybe something for the core product?
For two days now there has been a Log4j Immunizer extension, which is not Mozilla-vetted. The code is available on GitHub, and what it does is block attempts to connect to private IP networks if the request comes from a page that is on a public IP network. This prevents drive-by probes/attacks where a web site uses code to try to connect to internal private servers. It is simple enough code and it looks legit (and protects against more than just Log4j).
The people who have produced it are new (which is always suspicious). E.g. their GitHub account is two days old. Their web site describes them to be a startup of some kind in the cyber insurance business.
https://github.com/paladincyber/log4jprotector
Of course, if this is not a vetted extension, an update tomorrow can contain quite different code.
As it stands now:
- Is it safe to use this extension to prevent this kind of fly-by using the browser to probe internal services? (But turn off auto-update until it becomes a vetted extension.)
- Would such a function not be a good security add-on for the core product anyway?
Updated by gerben.wierda on
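The behaviour the question describes (drop a request when the page that initiated it is on a public network and the destination is a private address) is a small amount of logic, so it is worth seeing what such a filter actually checks. The following is an added example written for this page; it is not the Paladin extension's code and does not claim to match it. The address ranges, the helper names and the `manifest.json` permissions it mentions are my assumptions. The decision logic is plain JavaScript so it runs under Node; the last block wires it into the WebExtensions `webRequest` API only when that API is present.

```javascript
// Added example, not the Paladin extension's code. Core logic of a
// "public page -> private network" request filter, as the question describes.

// Address ranges treated as "private" for this filter (assumption: this list).
const PRIVATE_V4 = [
  ["10.0.0.0", 8],      // RFC 1918
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local, includes cloud metadata 169.254.169.254
  ["0.0.0.0", 8],       // "this" network
  ["100.64.0.0", 10],   // CGNAT shared address space
];

// Parse dotted-quad IPv4 into an unsigned 32-bit number, or null if not IPv4.
// Shorthand forms like "127.1" are rejected; the URL parser already
// normalises them to four octets before they reach us.
function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if ip lies inside base/bits.
function inCidr(ip, base, bits) {
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Classify a URL hostname. Only literal addresses and localhost are caught;
// a public DNS name that resolves to a private address is NOT detected here.
function isPrivateHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (ipv4ToInt(h) !== null) {
    return PRIVATE_V4.some(([base, bits]) => inCidr(h, base, bits));
  }
  if (h.includes(":")) {                      // IPv6 literal
    if (h === "::1" || h === "::") return true;   // loopback / unspecified
    if (/^f[cd]/.test(h)) return true;           // unique-local fc00::/7
    if (/^fe[89ab]/.test(h)) return true;        // link-local fe80::/10
    const mapped = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped
    if (mapped) return isPrivateHost(mapped[1]);
  }
  return false;
}

// Block only when a public http(s) page reaches into a private network.
// No initiator means a top-level navigation the user started: never blocked.
function shouldBlock(initiatorUrl, requestUrl) {
  if (!initiatorUrl) return false;
  let initiator, target;
  try {
    initiator = new URL(initiatorUrl);
    target = new URL(requestUrl);
  } catch {
    return false;
  }
  if (!/^https?:$/.test(initiator.protocol)) return false; // extension/file pages
  return !isPrivateHost(initiator.hostname) && isPrivateHost(target.hostname);
}

// Wiring into Firefox's WebExtensions API. Assumes manifest.json grants
// "webRequest", "webRequestBlocking" and "<all_urls>". details.originUrl is
// the document that triggered the request. Guarded so the file runs under Node.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeRequest.addListener(
    (details) => ({ cancel: shouldBlock(details.originUrl, details.url) }),
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}
```

Two caveats a practitioner would want before relying on this kind of filter. First, the check is on the hostname in the URL, so it stops the obvious drive-by case (a public page fetching `http://192.168.1.1/` or `http://localhost:8080/`) but not a public DNS name that the attacker points at a private address (DNS rebinding); catching that needs the resolved address, which the browser only reports once a connection has been made. Second, it decides from what the initiating document is, so it cannot help with the Log4j case where the vulnerable server is reached directly by the attacker rather than through the user's browser; it narrows one path, the browser-as-probe, and nothing else.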
All Replies (1)
Hi
That add-on is currently available at:
https://addons.mozilla.org/en-US/firefox/addon/paladin-log4j-immunizer/
Whether it should be included in Firefox is a bigger question. The people who answer questions here, for the most part, are other users volunteering their time (like me), not Mozilla employees or Firefox developers. If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.
You can also file a bug report or feature request. See File a bug report or feature request for Mozilla products for details.