Mozilla overlooked malware-laced Firefox add-ons

Two Firefox add-ons available for months on Mozilla's website infected users with malware that stole passwords and opened a backdoor on Windows machines, the open-source browser maker has confirmed. The add-ons, available on an experimental section of Mozilla's official add-on download site, carried trojans that have been …

COMMENTS

This topic is closed for new posts.

Anonymous Coward

The honeymoon is over

My friends and family told me that I couldn't do any better and now I have a virus.

0
11
Paris Hilton

@The honeymoon is over

You didn't happen to catch the pop-up window, when you installed the addon, warning you that addons may install malicious code on your computer? That you should only install addons from sources you trust? - Clearly your trust was misplaced. Don't blame Mozilla for that.

No system is 100% secure, and Mozilla's addon filtering system is no exception.

But between Firefox and... its biggest competition... your odds are way better if you stick with Firefox.

... and if you are aiming for a 100% secure experience, avoid installing experimental addons. (Duhh....)

0
0
WTF?

No security for addons?

How is it that an add-on can write to the filesystem, update the windows registry, or access passwords, either from firefox or files elsewhere on the system. It seems like any of these activities should be protected and require special authorization by the FF user.

6
0
Gold badge

Re: No security for addons

I'm sure someone will correct me if I'm wrong, but I always understood add-ons to be native code running in the Firefox process. That makes them no more secure than plug-ins or ActiveX controls.

I trust Firefox itself, since its development process is wide open and its code is scrutinised by many smart people. One or two add-ons probably receive similar (less, but still adequate) scrutiny. The rest are to be avoided. I'm sure 99% are fine, but neither I nor anyone else have any practical way of detecting the 1% that aren't.

The open source model actually makes the problem worse in this case. If I were a malware merchant, I'd definitely be spending time crafting flaws in Firefox add-ons. I'd pick an existing add-on that other people have poured time and effort into making attractive, and then I'd contribute a minor improvement or bug fix that contained a weakness that I knew how to exploit. My investment would be just the time spent adding that one flaw. Someone else does all the hard work of creating an attractive product and marketing it to my victims. What's not to like?

1
1
Gates Horns

title

In a real operating system they are, but we're talking about Windwoes here.

2
2
Anonymous Coward

Re: No security for addons

Add-ons aren't necessarily themselves open source so you couldn't follow this strategy. And even if they were as soon as you submitted your exploit to the code tree it would be spotted by someone else on the project. Open source doesn't mean anyone can add their own stuff willy nilly.

1
1
Silver badge
Linux

Re : Re: No security for addons

Not native code as far as I'm aware

Add-ons generally are Javascript - certainly all the usual suspects I run (NoScript, AdBlock, UserAgentSwitcher, XMarks, MetOffice sidebar) are.

So I presume the trojan was loaded by obfuscated Javascript in the time-dishonoured manner.

1
0
Anonymous Coward

meh

Any sufficiently popular software that allows add-ons is going to end up with a few dodgy ones.

Sucks that they were up there for months but at the end of the day that's the sacrifice you make for having a relatively free and open platform as opposed to an iPhonesque locked down one. And it just goes to emphasise the importance of showing discretion when installing any software on your system.

People act like anything they get from certain sources must be harmless, as if criminals would never be able to sneak their warez onto Mozilla's add-on site, or Facebook, or even the Apple app store.

It's time to start giving people proper training in how to use the internet, maybe even scare them a little. People are way too complacent, they believe that as long as their browser is still running, that everything must be fine, meanwhile some criminal is plundering their bank account or what have you.

6
3
Anonymous Coward

No

Sorry. These files were available direct from Mozilla, not from a third party. That Mozilla could not even be bothered to scan these addons is unforgiveable. It's not like it's hard to run an AV scan.

It amuses me that Firefox evangelists will cite plugins like noscript and ABP as reasons why FF is so great, but ignore the bad ones.

4
6
Anonymous Coward

Re: No

"It's not like it's hard to run an AV scan."

Then you do it! That was precisely my point when I said people need to be educated on how to use the internet. Don't just expect that "someone else" will do it for you every single time.

"It amuses me that Firefox evangelists will cite plugins like noscript and ABP as reasons why FF is so great, but ignore the bad ones."

Why does that amuse you? Does it amuse you that a chef would buy a sharp knife and ignore all the cheap shitty knives available to him?

Mozilla are giving you a set of tools to choose from, it's *your* job to choose the right ones because you are in charge of your computer and not Mozilla.

8
0
FAIL

RTFA

Err... they did scan them, it's just that they failed to detect them. Where does it say they weren't scanned?

Fail for your moronic fanboi comment

5
1
Anonymous Coward

Well I'm laughing.

The reason that the Firefox fanbois are so amusing is that they cite noscript and ABP as strengths in their chosen browser. They are no more strengths of FF than third party AV software is a strength of Windows.

The whole issue of the ease of installation of plugins in FF is a potentially huge security hole. Allowing users to install *any* form of software is always bad requiring admin creds to be input at install time. One of the things that makes MS software such a security minefield is the fact that it makes far too many things far too easy for users to do. FF plugins are an example of the same mentality.

0
1
FAIL

Is it a bird? Is it a plane? Nope, that was a passing buck.

""It's not like it's hard to run an AV scan."

Then you do it! That was precisely my point when I said people need to be educated on how to use the internet. Don't just expect that "someone else" will do it for you every single time."

Maybe Toyota should have thought of that excuse. "The customers should have checked their own throttle pedals, it's easy to do. They can't expect us to do it for them."

There is a duty of care incumbent upon any supplier to QC the goods they supply. Simple as that.

Probably not a good idea to deal with anybody whose main funding comes from Mountain View, some of Google's philosophy is bound to rub off sooner or later..

2
1
Anonymous Coward

....or

"... simply reinstall the operating system to be on the safe side"

ROTFLMAO!

6
0

heh

You may laugh but even Microsoft advises so if your Windows install was compromised. The article should be here somewhere.

And actually, they are right. Do you trust that machine now that it's been compromised? Your answer should be No.

2
0

I fixed that for you.

Do you trust that machine that's running Windows? Your answer should be No.

3
3
Grenade

Sothink?

Don't SoThink make a standalone version of their web-video downloader as well?

Either way, this is why sites offering downloads should NEVER rely on just one virus scanner.

Personally, I have found that most of the "video downloader" plugins either don't work, or are spotty at best. I prefer a little command-line app called Clive (when I'm on my linux box, not sure if there's a win32/win64 port). It works with quite a few video sites, most notably YouTube. Just copypasta the addresses of the videos you want into a text file, then let Clive go through the list and download the vids you want.

'Nade, just because.

0
0
FAIL

Video DownloadHelper

works perfectly well. Perhaps that's why it's the most popular downloading addon, with more than half a million users?

1
0
Grenade

Security

Firefox is still very secure, the add-ons are another matter. Is firefox to blame for some unscrupulous mongrel using their platform to propagate viruses, trojans and malware? To a certain degree yes, but it is ultimately the responsibility of the end user to secure their systems.

Firefox without any add-ons is more than adequate. Why would anyone install an experimental video downloader or password manager on a production system? Experimental means that it is not yet ready for full release for a whole range of reasons, same as beta software.

Still Firefox should be more careful when posting add-ons on their site.

2
5
Anonymous Coward

What's a Sandbox?

"Is firefox to blame for some unscrupulous mongrel using their platform to propagate viruses, trojans and malware? To a certain degree yes, but it is ultimately the responsibility of the end user to secure their systems."

Much in the same way that Microsoft shouldn't be responsible for the security of their OS? After all, the user is ultimately responsible, no?

Mozilla is to blame because Firefox is coded in such a way as to allow plugins to install malware. Unless the malware-installation was a symptom of running an admin account...

4
2
Gold badge

Re: Security

"Firefox is still very secure, the add-ons are another matter."

You could have made the same remark about IE and ActiveX at almost any point over the past decade. I'd advise against it, though. You'd be toasted by people pointing out that if your application encourages end-users to download code from third parties and run it with full privileges then your application is broken-by-design and no amount of careful coding will ever fix it.

In fairness, at least FF add-ons are not downloaded and installed automatically in response to HTML on the page. Truly, only Microsoft were ever THAT stupid.

2
0
Anonymous Coward

Er, yes!

"Is firefox to blame for some unscrupulous mongrel using their platform to propagate viruses, trojans and malware?"

The answer is 100% yes when those addons are offered on Mozilla's own official site. No excuses, no mitigation.

6
1
Flame

D'oh!

If this was Apple or Microsoft, you FOSS types would be foaming at the mouths!

Mozilla messed up here - Firefox makes it so easy to search for and install add-ons, it's like using the iPhone App Store and feels very official.

In their defence there is a warning saying they don't guarantee the add-ons, but at the end of the day Mozilla is providing virus-ridden software under the Firefox brand.

It does damage to Firefox, you know!

9
4
Anonymous Coward

Exactly

Well said Joe.

As much as MS have screwed up many times with their security, it is the "holier than thou" attitude of FOSS movement that riles me.

It's great that so many people give their time freely, and unfreely, to such a good initiative but at the end of the day they have become complacent and a honeypot for lazy freetards who appreciate the value of nothing and deserve everything that they get with this episode.

4
4
FAIL

"holier than thou"

Hello? The "FOSS movement" isn't a monolithic entity, you know? And many people who use and recommend Firefox are likely to be (and are probably already) critical of the way that Firefox add-ons can circumvent the perceived security of the browser and do whatever they like in the host environment. People who are familiar with the technology don't install random toolbars because they know what the risks are; those risks aren't obvious to the average user. The solution isn't as some people claim, which is the idiotic notion of some kind of "computer driving licence" where people are burdened with yet more arbitrary factoids about the insecurity of various applications - all of which distracts from more serious issues such as social engineering - but it is to firm up the security model of applications like Web browsers.

In fact, genuine advocates of Free (and open source) Software welcome the scrutiny that these cases bring. By grouping everyone under a single label and pretending that there's some kind of cheerleading operation in progress you expose your own prejudices - ones presumably carried over from whatever unrequited devotion you may have for some proprietary master. But I suppose deconstructing such cases to oversimplified "he said, she said" exchanges, sprinkled with clichés ("holier than thou"), with at most two "conflicting" parties, is a way to keep it all manageable for people who don't want to think about the matter in any great depth and who would rather be entertained while waiting for something else to come along.

5
0
Anonymous Coward

re "holier than thou"

You have to remember that in a "forum" like this opinions are generally polarised. There are few posting that are system agnostic and genuinely interested in *computing*, most are largely from fans of one system over another, which is quite pathetic. For instance, on this page there are a number of posts that have been written by F/LOSS advocates that contradict yours. Too many of you actually take this far too seriously.

1
0

Fail

Any idea which plugins were infected?

0
10
Anonymous Coward

Fail

@neeblor

How about reading the article?

3
0

Fail?

Yes you did

0
0
Gates Halo

IE8 FTW

Firefox has no protected mode support, making it the most vulnerable browser on earth. Won't touch FF with a ten-foot pole.

1
12
Linux

But... don't addons run as user?

What I want to know is - why are people running Firefox under the Windows Administrator account.

Linux, because my Ubuntu box didn't have this problem.

7
1
Silver badge
Flame

Windows Administrator account

...they use it because Windows is damn near unusable from a user account.

If Mozilla want to get serious about security they can quite easily make Mozilla downgrade its permissions as it starts, before plugins get a chance to do anything. Right now I have to do that externally with the DropMyRights app.

The wailing when clueless users discover they can't access most of the filesystem, run installers or fire up external apps with any hope of success is a powerful disincentive to enforcing that. If it's optional the clueless will opt out - how else can you explain use of Internet Exploit engine?

0
0

Err...

"Windows is damn near unusable from a user account."

Err, no, it is very useable as a user. Anyone with half a brain runs Windows as a user and installs software via UAC elevation of privileges or as the administrator either by runas or logoff/logon again. It's not difficult; only a very few badly written programs don't work. It may have been the case that software written for Win95 wouldn't work on all NT systems without the admin account, but that was fifteen years ago.

3
0
Stop

caveat emptor

if you're stupid enough to add them it's your own fault

3
2

Would...

...have running FF sandboxed helped?

0
0
Silver badge

@Joe

This seems to be a Windows problem as Linux and Apple are not affected.

It seems to me that it is always easier to find a weakness in Windows than in any other OS ever.

Programs written to exploit those weaknesses are then named according to what they do.

Windows is the proud object of some 1.000.000 programs exploiting weaknesses found in Windows.

They are mostly called viruses.

In this Firefox fuck-up Firefox allowed such an exploit program written for Windows to sneak into third party add-ons you can download from Firefox.

Bad still, but the problem was not in the Firefox code but in how they managed to accept a third party program into the list of add-on programs you can download.

5
1
WTF?

Your point being?

Hey, I like Firefox, and I like the FOSS ethos too. What I don't like is the blind fanboyism that absolves Mozilla of any wrongdoing here.

I'm sure the reason that the viruses targeted Windows is because it's just not worth bothering writing viruses for Mac OS or Linux, there are more Windows users so it makes sense to target that OS.

I don't use Windows by the way, and am no big MS fan, so I'm not sticking up for them either, but Mozilla was at fault here and they shouldn't be excused just because you like them.

3
2
Silver badge
Happy

Your point was

"If this was Apple or Microsoft, you FOSS types would be foaming at the mouths!"

And my point is that this is all about Microsoft software (not FOSS) unless of course virus programs are considered FOSS (good question actually). Mozilla is not FOSS either as FOSS is about software still Mozilla failed in this case but not with their software.

And now you have this:

"I'm sure the reason that the viruses targeted Windows is because it's just not worth bothering writing viruses for Mac OS or Linux, there are more Windows users so it makes sense to target that OS."

That is the only sentence left for Microsoft to lean on.

Still 90 % of the world's super computers run Linux, large virus problems?

Internet web servers are +50% Apache and Linux. Would it not be equally interesting to attack them as Windows?

Google, The Wall Street and plenty of very big and strategic companies are running Linux.

Microsoft is very strong on the desktop but not all that strong in servers, and not strong at all in data centers. Where, after all, the most interesting data is held.

Microsoft could have, and should have, started from scratch, writing a new modern OS (most likely a Unix type OS) years ago.

What they have chosen to do is to patch and "make up" something that is vulnerable in its design and probably contains lots of old code (do not invent the wheel again, says the boss at Microsoft to his programmers)

I admit I could have expressed my opinions without referring to you.

Sorry for that.

3
1
FAIL

Hahaha

"I'm sure the reason that the viruses targeted Windows is because it's just not worth bothering writing viruses for Mac OS or Linux, there are more Windows users so it makes sense to target that OS."

Oh, "you're sure?" They target Windows because it's the weakest, most insecure OS ever. The whole "market share=viruses" idea is bunk, perpetuated by Windows apologists who can't accept the truth - their OS sucks like a Dyson.

1
0
Silver badge

@Joe again

If your car rusts to rubbish you certainly blame the car producer and not the rain.

0
0
Silver badge
Megaphone

Plug Ins

You pays your money, you takes your chances...

1
0
Gates Horns

Experimental only

a) At least only the experimental section of the site was affected.

b) If FF didn't offer a windows version, you probably wouldn't hear about security issues from one year to the next. Crashes caused by media sites, yes, but silly security flaws not so much.

c) Perhaps they should have a "certified" section of the add-on site with signed add-ons, maybe like Debian's repositories

1
0
Silver badge

Exactly

As it says this was in the experimental section which I would read to be Beta test at best. If you're going to download and use experimental third party addons from people you either don't know or whose reputation is unknown to you then I'd be using it in a VM at most.

People who download stuff like this and use it without a care end up getting what they deserve.

To give the ubiquitous car analogy, would you chuck a set of experimental tyres made by some unknown Chinese manufacturer on your sports car just because they're sold by the guy at the market you've always bought your seat covers off of?

0
0
Linux

@AC Re:Exactly

But GNU/Linux users ARE literally holier than thou (or you). If you switch to GNU/Linux you will go to heaven when you die & have a harem of 2^8 - 1 virgins to attend to your every whim until all the IPv6 addresses run out.

6
1
Bronze badge
Flame

fanboi bashing

Considering the facts of the article:

a) two addons in the "experimental" section of the site were infected

b) the "experimental" section of the site is clearly labelled "You really shouldn't do this unless you know what you're doing"

c) the viruses were in two specific downloads.

Let's contemplate some rational thought:

Does not matter one iota what operating system you run you need to have at least one clue in head to use the interwebs.

Mozilla provides a single point of reference for getting addons, themes, skins, yadda yadda yadda ... to (roughly) the tune of 20,000 addons, some of which comprise rather a lot of files. If they provide local distribution through their site they scan the files on **upload** - -this failed for ...two addons in a specific section of the site.

1) they DO scan the files. At the time of upload presumably their scanner missed these files for any **number** of reasons.

2) you as a user ---- DIDN'T scan the files on download??? too bad so sad, wipe yer friggin' hard drive, learn a freepin' lesson, and go get any number of free, or cheap or expensive, your choice, AV tools.

3) you want to b***ch at the mozilla folks for missing it? --- DO THE MATH -- and then look at the layers of complexity and tell me that you (who isn't smart enough to run an AV scanner) is going to set up an HTTP/FTP uploader to cvs/svn/git/(whatever repository system in use) that does inline active scanning?

4) (again) it matters not one iota what operating system you run -- if an FF addon is hijackable in MS it's hijackable in linux and macosx as well, perhaps not with identical effect, but it's still **possible**

IE 8 is a nice try. Point - the render engine still runs in SYSTEM context.

0
4

@kissingthecarpet

I can't think of anything more boring than (2^8)-1 virgins...unless it's 2^8 virgins. As with most things in life, give me real experience anytime!

0
0
Megaphone

Another great reason to use Opera

None of these insecure extensions problems. All the decent Firefox extensions (AdBlockPlus, NoScript, GreaseMonkey) are already built in, optimized, and automatically updated when Opera updates.

Opera 10.50 beta is very close, and it's simply awesome, it kills Firefox in performance, it even beats Chrome.

http://img51.imageshack.us/img51/9443/42505951.png

1
2
FAIL

Fail

Mozilla have made the same blunder Microsoft did with Windows 2000 and onwards - adding certified plugins only as trusted is not enforced. I can add any old plugin I like no matter where it came from, without it being certified, just by ignoring the warning about untrusted add-ons. In a few years Mozilla will make add-ons certified-only - just like Microsoft did with Vista and its drivers - in an attempt to clear up the global security mess they created themselves. Hilarity will ensue.

Don't just learn by your mistakes, learn by the mistakes of others.

0
0
Grenade

Firefox Extensions - the New ActiveX

Meet the new boss, same as the old bos.....

0
1
Boffin

Mozilla is not 100% to blame

Mozilla is partially to blame, but it updated its scanners and detected the malware. Mozilla then removed it.

They did what they were supposed to do; they might have been quicker about it, and updating their scanners more often wouldn't hurt, but they did what they should have done.

As for comparisons between the responsibility Mozilla has towards Firefox users and the responsibility Microsoft has to Windows OS users...well yes, exactly the same.

They both update their scanners for example, they both update their software. Regularly.

They both draw the line for responsibility when you open an email, download an add-on, download a plug-in, download any third party software; quite rightly.

Mozilla makes Firefox, Microsoft makes Windows etc; so why should they accept responsibility for the viral or malware content of third party software which you have downloaded, unwittingly or otherwise?

Hell, didn't anybody who downloaded this crapware read the comments and ratings before downloading? Didn't they do any reading about it first? That in itself is not a foolproof method of preventing the downloading of cruft/malware, but it is a start.

The job of Mozilla towards Firefox users, and the job of Microsoft towards their users, is quite simply to make their software work and for it to be as secure as possible. That is it.

There is currently no way for any software made by anybody to be completely secure at all times.

The best any user can do is to keep their antivirus and anti spyware and anti malware and firewalls up to date, clean out their cruft and scan regularly. Oh - and try not to download any obvious trojans or crapware.

0
0
