back to article Mozilla overlooked malware-laced Firefox add-ons

Two Firefox add-ons available for months on Mozilla's website infected users with malware that stole passwords and opened a backdoor on Windows machines, the open-source browser maker has confirmed. The add-ons, available on an experimental section of Mozilla's official add-on download site carried trojans that have been …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    The honeymoon is over

    My friends and family told me that I couldn't do any better and now I have a virus.

    1. Anonymous Coward
      Paris Hilton

      @The honeymoon is over

      You didn't happen to catch the pop-up window, when you installed the addon, warning you that addons may install malicious code on your computer? That you should only install addons from sources you trust? - Clearly your trust was misplaced. Don't blame Mozilla for that.

      No system is 100% secure, and Mozilla's addon filtering system is no exception.

      But between Firefox and... it's biggest competition... your odds are way better if you stick with Firefox.

      ... and if you are aiming fora 100% secure experience, avoid installing experimental addons. (Duhh....)

  2. Anonymous Coward
    WTF?

    No security for addons?

    How is it that an add-on can write to the filesystem, update the windows registry, or access passwords, either from firefox or files elsewhere on the system. It seems like any of these activities should be protected and require special authorization by the FF user.

    1. Ken Hagan Gold badge

      Re: No security for addons

      I'm sure someone will correct me if I'm wrong, but I always understood add-ons to be native code running in the Firefox process. That makes them no more secure than plug-ins or ActiveX controls.

      I trust Firefox itself, since its development process is wide open and its code is scrutinised by many smart people. One or two add-ons probably receive similar (less, but still adequate) scrutiny. The rest are to be avoided. I'm sure 99% are fine, but neither I nor anyone else have any practical way of detecting the 1% that aren't.

      The open source model actually makes the problem worse in this case. If I were a malware merchant, I'd definitely be spending time crafting flaws in Firefox add-ons. I'd pick an existing add-on that other people have poured time and effort into making attractive, and then I'd contribute a minor improvement of bug fix that contained a weakness that I knew how to exploit. My investment would be just the time spent adding that one flaw. Someone else does all the hard work of creating an attractive product and marketing it to my victims. What's not to like?

      1. Anonymous Coward
        Anonymous Coward

        Re: No security for addons

        Add-ons aren't necessarily themselves open source so you couldn't follow this strategy. And even if they were as soon as you submitted your exploit to the code tree it would be spotted by someone else on the project. Open source doesn't mean anyone can add their own stuff willy nilly.

      2. Keith Oldham
        Linux

        Re : Re: No security for addons

        Not native code as far as I'm aware

        Add-ons generally are Javascript - certainly all the usual suspects I run (NoScript, AdBlock, UserAgentSwitcher, XMarks , MetOffice sidebar) are.

        So I presume the trojan was loaded by obfuscated Javascript in the time-dishonoured manner.

    2. Big-nosed Pengie
      Gates Horns

      title

      In a real operating system they are, but we're talking about Windwoes here.

  3. Anonymous Coward
    Anonymous Coward

    meh

    Any sufficiently popular software that allows add-ons is going to end up with a few dodgy ones.

    Sucks that they were up there for months but at the end of the day that's the sacrifice you make for having a relatively free and open platform as opposed to an iPhonesque locked down one. And it just goes to emphasise the importance of showing discretion when installing any software on your system.

    People act like anything they get from certain sources must be harmless, as if criminals would never be able to sneak their warez onto Mozillas add-on site, or Facebook, or even the Apple app store.

    It's time to start giving people proper training in how to use the internet, maybe even scare them a little. People are way too complacent, they believe that as long as their browser is still running, that everything must be fine, meanwhile some criminal is plundering their bank account or what have you.

    1. Anonymous Coward
      Anonymous Coward

      No

      Sorry. These files were available direct from Mozilla, not from a third party. That Mozilla could not even be bothered to scan these addons is unforgiveable. It's not like it's hard to run an AV scan.

      It amusees me that Firefox evangelists will cite plugins like noscript an ABP as reasons why FF is so great, but ignore the bad ones.

      1. Anonymous Coward
        Anonymous Coward

        Re: No

        "It's not like it's hard to run an AV scan."

        Then you do it! That was precisely my point when I said people need to be educated on how to use the internet. Don't just expect that "someone else" will do it for you every single time.

        "It amusees me that Firefox evangelists will cite plugins like noscript an ABP as reasons why FF is so great, but ignore the bad ones."

        Why does that amuse you? Does it amuse you that a chef would buy a sharp knife and ignore all the cheap shitty knives available to him?

        Mozilla are giving you a set of tools to choose from, it's *your* job to choose the right ones because you are in charge of your computer and not Mozilla.

        1. Anonymous Coward
          Anonymous Coward

          Well I'm laughing.

          The reason that the Firefox fanbois are so amusing is that they cite noscript and ABP as strengths in their chosen browser. They are no more strengths of FF than third party AV software is a strength of Windows.

          The whole issue of the ease of installation of plugins in FF is a potentially huge security hole. Allowing users to install *any* form of software is always bad requiring admin creds to be input at install time. One of the things that makes MS software such a security minefield is the fact that it makes far too many things far too easy for users to do. FF plugins are an example of the same mentality.

        2. Anonymous Coward
          FAIL

          Is it a bird? Is it a plane? Nope, that was a passing buck.

          ""It's not like it's hard to run an AV scan."

          Then you do it! That was precisely my point when I said people need to be educated on how to use the internet. Don't just expect that "someone else" will do it for you every single time."

          Maybe Toyota should have thought of that excuse. "The customers should have checked their own throttle pedals, it's easy to do. They can't expect us to do it for them."

          There is a duty of care incumbent upon any supplier to QC the goods they supply. Simple as that.

          Probably not a good idea to deal with anybody who's main funding comes from Mountain View, some of Google's philosphy is bound to rub off sooner or later..

      2. Anonymous Coward
        FAIL

        RTFA

        Err... they did scan them, it's just that they failed to detect them. Where does it say they weren't scanned?

        Fail for your moronic fanboi comment

  4. Anonymous Coward
    Anonymous Coward

    ....or

    "... simply reinstall the operating system to be on the safe side"

    ROTFLMAO!

    1. Wortel

      heh

      You may laugh but even Microsoft advises so if your Windows install was compromised. The article should be here somewhere.

      And actually, they are right. Do you trust that machine now that it´s been compromised? your answer should be No.

      1. Big-nosed Pengie

        I fixed that for you.

        Do you trust that machine that's running Windows? your answer should be No.

  5. Ceiling Cat
    Grenade

    Sothink?

    Don't SoThink make a standalone version of their web-video downloader as well?

    Either way, this is why sites offering downloads should NEVER rely just one virus scanner.

    Personally, I have found that most of the "video downloader" plugins either don't work, or are spotty at best. I prefer a little command-line app called Clive (when I'm on my linux box, not sure if there's a win32/win64 port). It works with quite a few video sites, most notably YouTube. Just copypasta the addresses of the videos you want into a text file, then let Clive go through the list and download the vids you want.

    'Nade, just because.

    1. Anonymous Coward
      FAIL

      Video DownloadHelper

      works perfectly well. Perhaps that's why it's the most popular downloading addon, with more than half a million users?

  6. George 24
    Grenade

    Security

    Firefox is still very secure, the add-ons are another matter. Is firefox to blame for some unscrupulous mongrel using their platform to propagate viruses, trojans and malware? To a certain degree yes, but it is ultimately the responsibility of the end user to secure their systems.

    Firefox without any add-ons is more than adequate. Why would anyone install an experimental video downloader or password manager on a production system? Experimental means that it is no yet ready for full release for a whole range of reasons, same as beta software.

    Still Firefox should be more careful when posting add-on on their site.

    1. Anonymous Coward
      Anonymous Coward

      What's a Sandbox?

      "Is firefox to blame for some unscrupulous mongrel using their platform to propagate viruses, trojans and malware? To a certain degree yes, but it is ultimately the responsibility of the end user to secure their systems."

      Much in the same way that Microsoft shouldn't be responsible for the security of their OS? After all, the user is ultimately responsible, no?

      Mozilla is to blame because Firefox is coded in such a way as to allow plugins to install malware. Unless the malware-installation was a symptom of running an admin account...

    2. Ken Hagan Gold badge

      Re: Security

      "Firefox is still very secure, the add-ons are another matter."

      You could have made the same remark about IE and ActiveX at almost any point over the past decade. I'd advise against it, though. You'd be toasted by people pointing out that if your application encourages end-users to download code from third parties and run it with full privileges then your application is broken-by-design and no amount of careful coding will ever fix it.

      In fairness, at least FF add-ons are not downloaded and installed automatically in response to HTML on the page. Truly, only Microsoft were ever THAT stupid.

    3. Anonymous Coward
      Anonymous Coward

      Er, yes!

      "Is firefox to blame for some unscrupulous mongrel using their platform to propagate viruses, trojans and malware?"

      The answer is 100% yes when those addons are offered on Mozilla's own official site. No excuses, no mitigation.

  7. Joe 3
    Flame

    D'oh!

    If this was Apple or Microsoft, you FOSS types would be foaming at the mouths!

    Mozilla messed up here - Firefox makes it so easy to search for and install add-ons, it's like using the iPhone App Store and feels very official.

    In their defence there is a warning saying they don't guarantee the add-ons, but at the end of the day Mozilla is providing virus-ridden software under the Firefox brand.

    It does damage to Firefox, you know!

    1. Anonymous Coward
      Anonymous Coward

      Exactly

      Well said Joe.

      As much as MS have screwed up many times with their security, it is the "holier than thou" attitude of FOSS movement that riles me.

      It's great that so many people give their time freely, and unfreely, to such a good initiative but at the end of the day they have become complacent and a honeypot for lazy freetards who appreciate the value of nothing and deserve everything that they get with this episode.

      1. Anonymous Coward
        FAIL

        "holier than thou"

        Hello? The "FOSS movement" isn't a monolithic entity, you know? And many people who use and recommend Firefox are likely to be (and are probably already) critical of the way that Firefox add-ons can circumvent the perceived security of the browser and do whatever they like in the host environment. People who are familiar with the technology don't install random toolbars because they know what the risks are; those risks aren't obvious to the average user. The solution isn't as some people claim, which is the idiotic notion of some kind of "computer driving licence" where people are burdened with yet more arbitrary factoids about the insecurity of various applications - all of which distracts from more serious issues such as social engineering - but it is to firm up the security model of applications like Web browsers.

        In fact, genuine advocates of Free (and open source) Software welcome the scrutiny that these cases bring. By grouping everyone under a single label and pretending that there's some kind of cheerleading operation in progress you expose your own prejudices - ones presumably carried over from whatever unrequited devotion you may have for some proprietary master. But I suppose deconstructing such cases to oversimplified "he said, she said" exchanges, sprinkled with clichés ("holier than thou"), with at most two "conflicting" parties, is a way to keep it all manageable for people who don't want to think about the matter in any great depth and who would rather be entertained while waiting for something else to come along.

        1. Anonymous Coward
          Anonymous Coward

          re "holier than thou"

          You have to remember that in a "forum" like this opinions are generally polarised. There are few posting that are system agnostic and a genuinely interested in *computing*, most are largely from fans of one system over another, which is quite pathetic. For instance, on this page there are a number of post that have been written by F/LOSS advocates that contradict yours. Too many of you actually take this far too seriously.

  8. Neeblor

    Fail

    Any idea which plugins were infected?

    1. Anonymous Coward
      Anonymous Coward

      Fail → #

      @neeblor

      How about reading the article?

    2. Thomas Duffin 2

      Fail?

      Yes you did

  9. Anonymous Coward
    Gates Halo

    IE8 FTW

    Firefox has no protected mode support, making it the most vulnerable browser on earth. Won't touch FF with a ten-foot pole.

  10. Tarthen
    Linux

    But... don't addons run as user?

    What I want to know is - why are people running Firefox under the Windows Administrator account.

    Linux, because by Ubuntu box didn't have this problem.

    1. Paul Shirley
      Flame

      Windows Administrator account

      ...they use it because Windows is damn near unusable from a user account.

      If Mozilla want to get serious about security they can quite easily make Mozilla downgrade its permissions as it starts, before plugins get a chance to do anything. Right now I have to do that externally with the DropMyRights app.

      The wailing when clueless users discover they can't access most of the filesystem, run installers or fire up external apps with any hope of success is a powerful disincentive to enforcing that. If its optional the clueless will opt out - how else can you explain use of Internet Exploit engine?

      1. Anonymous Coward
        Anonymous Coward

        Err...

        "Windows is damn near unusable from a user account."

        Err, no, it is very useable as a user. Anyone with half a brain runs Windows as a user and installs software via UAC elevation of priviliges or as the administrator either by runas or logoff/logon again. It's not difficult only a very few badly written programs don't work. It may have been the case that software written for Win95 wouldn't work on all NT systems without the admin account, but that was fifteen years ago.

  11. Anonymous Coward
    Stop

    caveat emptor

    if you're stupid enough to add them it's your own fault

  12. Matt_W

    Would...

    ...have running FF sandboxed helped?

  13. Lars Silver badge

    @Joe

    This seems to be a Windows problem as Linux and Apple are not affected.

    I seems to me that it is always easier to find a weakness in Windows than in any other OS ever.

    Program written to exploit those weaknesses are then named according to what they do.

    Windows is the proud object of some 1.000.000 programs exploiting weaknesses found i Windows.

    They are mostly called viruses.

    In this Firefox fuck-up Firefox allowed such an exploit program written for Windows to sneak into third party add-ons you can download from Firefox.

    Bad still, but the problem was not in the Firefox code but in how they managed to accept a third party program into the list of add-on programs you can download.

    1. Joe 3
      WTF?

      Your point being?

      Hey, I like Firefox, and I like the FOSS ethos too. What I don't like is the blind fanboyism that absolves Mozilla of any wrongdoing here.

      I'm sure the reason that the viruses targetted Windows is because it's just not worth bothering writing viruses for Mac OS or Linux, there are more Windows users so it makes sense to target that OS.

      I don't use Windows by the way, and am no big MS fan, so I'm not sticking up for them either, but Mozilla was at fault here and they shouldn't be excused just because you like them.

      1. Lars Silver badge
        Happy

        Your point was

        "If this was Apple or Microsoft, you FOSS types would be foaming at the mouths!"

        And my point is that this is all about Microsoft software (not FOSS) unless of course virus programs are considered FOSS (good question actually). Mozilla is not FOSS either as FOSS is about software still Mozilla failed in this case but not with their software.

        And now you have this:

        " I'm sure the reason that the viruses targetted Windows is because it's just not worth bothering writing viruses for Mac OS or Linux, there are more Windows users so it makes sense to target that OS."

        That is the only sentence left for Microsoft to lean on.

        Still 90 % of the worlds super computers run LInux, large virus problems?.

        Internet web servers are +50% Apache and Linux. Would it not be equally interesting to attack them as Windows.

        Google, The Wall Street and plenty of very big and strategic companies are running Linux.

        Microsoft is very strong on the desktop but not all that strong in servers, and not strong at all in data centers. Where, after all, the most interesting data is held.

        Microsoft could have, and should have, started from scratch, writing a new modern OS (most likely a Unix type OS) years ago.

        What they have chosen to do is to patch and "make up" something that is vulnerable in it design and probably contains lots of old code (do not invent the wheel again, says the boss at Microsoft to his programmers)

        I admit I could have expressed my opinions without referring to you.

        Sorry for that.

      2. Bilgepipe
        FAIL

        Hahaha

        "I'm sure the reason that the viruses targetted Windows is because it's just not worth bothering writing viruses for Mac OS or Linux, there are more Windows users so it makes sense to target that OS."

        Oh, "you're sure?" They target Windows because it's the weakest, most insecure OS ever. The whole "market share=viruses" idea is bunk, perpetuated by Windows apologists who can't accept the truth - their OS sucks like a Dyson.

  14. Lars Silver badge

    @Joe again

    If your car rusts to rubbish you certainly blame the car producer and not the rain.

  15. Winkypop Silver badge
    Megaphone

    Plug Ins

    You pays your money, you takes your chances...

  16. kissingthecarpet
    Gates Horns

    Experimental only

    a)At least only the experimental section of the site was affected.

    b)If FF didn't offer a windows version, you probably wouldn't hear about security issues from one year to the next. Crashes caused by media sites,yes, but silly security flaws not so much.

    c) Perhaps they should have a "certified" section of the add-on site with signed add-ons, maybe like Debian's repositories

    1. Mark 65

      Exactly

      As it says this was in the experimental section which I would read to be Beta test at best. If you're going to download and use experimental third party addons from people you either don't know or whose reputation is unknown to you then I'd be using it in a VM at most.

      People who download stuff like this and use it without a care end up getting what they deserve.

      To give the ubiquitous car analogy, would you chuck a set of experimental tyres made by some unknown chinese manufacturer on your sports car just because they're sold by the guy at the market you've always bought your seat covers off of?

  17. kissingthecarpet
    Linux

    @AC Re:Exactly

    But GNU/Linux users ARE literally holier than thou (or you). If you switch to GNU/Linux you will go to heaven when you die & have a harem of 2^8 - 1 virgins to attend to your every whim until all the IPv6 addresses run out.

  18. Alistair
    Flame

    fanboi bashing

    Considering the facts of the article:

    a) two addons in the "experimental" section of the site were infected

    b) the "experimental" section of the site is clearly labelled "You really shouldnt do this unless you know what your doing"

    c) the viruses were in two specific downloads.

    Lets contemplate some rational thought:

    Does not matter one iota what operating system you run you need to have at least one clue in head to use the interwebs.

    Mozilla provides a single point of reference for getting addons, themes, skins, yadda yadda yadda ... to (roughly) the tune of 20,000 addons, some of which comprise rather a lot of files. If they provide local distribution through their site they scan the files on **upload** - -this failed for ...two addons in a specific section of the site.

    1) they DO scan the files. At the time of upload presumably their scanner missed these files for any **number** of reasons.

    2) you as a user ---- DIDN'T scan the files on download??? too bad so sad, wipe yer friggin' hard drive, learn a freepin' lesson, and go get any number of free, or cheap or expensive, your choice, AV tools.

    3) you want to b***ch at the mozilla folks for missing it? --- DO THE MATH -- and then look at the layers of complexity and tell me that you (who isnt smart enough to run an AV scanner) is going to setup an HTTP/FTP uploader to cvs/svn/git/(whatever repository system in use) that does inline active scanning?

    4) (again) it matters not one iota what operating system you run -- if an FF addon is hijackable in MS its hijackable in linux and macoxs as well, perhaps not with identical affect, but its still **possible**

    IE 8 is a nice try. Point - the render engine still runs in SYSTEM context.

  19. SisterClamp

    @kissingthecarpet

    I can't think of anything more boring than (2^8)-1 virgins...unless it's 2^8 virgins. As with most things in life, give me real experience anytime!

  20. Anonymous Coward
    Megaphone

    Another great reason to use Opera

    None of these insecure extensions problems. All the decent Firefox extensions (AdBlockPlus, NoScript, GreaseMonkey) are already built in, optimized, and automatically updated when Opera updates.

    Opera 10.50 beta is very close, and it's simply awesome, it kills Firefox in performance, it even beats Chrome.

    http://img51.imageshack.us/img51/9443/42505951.png

  21. Bilgepipe
    FAIL

    Fail

    Mozilla have made the same blunder Microsoft did with Windows 2000 and onwards - adding certified plugins only as trusted is not enforced. I can add any old plugin I like no matter where it came from, without it being certified, just by ignoring the warning about untrusted add-ons. In a few years Mozilla will make add-ons certified-only - just like Microsoft did with Vista and its drivers - in an attempt to clear up the global security mess they created themselves. Hilarity will ensue.

    Don't just learn by your mistakes, learn by the mistakes of others.

  22. MarkOne
    Grenade

    Firefox Extensions - the New ActiveX

    Meet the new boss, same as the old bos.....

  23. MyHeadIsSpinning
    Boffin

    Mozilla is not 100% to blame

    Mozilla is partially to blame, but it updated it's scanners and detected the malware. Mozilla then removed it.

    They did what they were supposed to do; they might have been quicker about it, and updating their scanners more often wouldn't hurt, but they did what they should have done.

    As for comparisons between the responsibility Mozilla has towards Firefox users and the responsibility Microsoft has to Windows OS users...well yes, exactly the same.

    They both update their scanners for example, they both update their software. Regularly.

    They both draw the line for responsibility when you open an email, download an add-on, download a plug-in, download any third party software; quite rightly.

    Mozilla makes Firefox, Microsoft makes Windows etc; so why should they accept responsibility for the viral or malware content of third party software which you have downloaded, unwittingly or otherwise?

    Hell, didn't anybody who downloaded this crapware read the comments and ratings before downloading? Didn't they do any reading about it first? That in itself is not a fullproof method of preventing the downloading of cruft/malware, but it is a start.

    The job of Mozilla towards Firefox users, and the job of Microsoft towards their users, is quite simply to make their software work and for it to be a secure as possible. That is it.

    There is currently no way any software made by anybody to be completely secure at all times.

    The best any user can do is to keep their antivirus and anti spyware and anti malware and firewalls up to date, clean out their cruft and scan regularly. Oh - and try not to download any obvious trojans or crapware.

  24. Psymon
    Grenade

    @ Fraser

    "It's not difficult only a very few badly written programs don't work."

    I wish it were true. I've run a great number of large networks that have required very draconian lock-down policies, like schools, call centers, prisons etc. and you would be astounded at the swathe of badly written software that breaks because you've locked it out of a system file or setting it shouldn't have any business fiddling with in the first place.

    FF, Opera, and Chrome all break golden rules of how software should operate within a windows environment. Funnily enough, the greatest proportion of offenders come from the FOSS stables.

    It seems as if FOSS developers write software for the windows platform with some level of disdain. It's this disdain for following the CORRECT convensions that means FF breaks under roaming or mandatory profiles, (it will attempt to dump its temp cache on the sever at logout because it stores its temp files in the wrong folder).

    Naturally, FF can't update itself in the locked down environment, because it tries to write back to its own program files folder. Which unibrowed developer still thinks this is acceptable behaviour?!? You install a windows service to perform updates to your software, and you use BITS to download the files so you don't flood my network with data packets.

    Finally and most importantly, if you have developed any software that stores any form of configuration or preference setting OUTSIDE the registry, you need to be put out to pasture, shot, and then boiled down into glue. There is simply no excuse for this type of behaviour.

    I'm sure you THINK you have a valid reason. You don't. Developing for the windows platform? software configuration is stored in the registry. No ifs, no buts. Ok? Ok. It's not the the 80s anymore!

    It's because FF stores its proxy settings in a retarted location of the hard disk, that it can't be configured en mass. That's why, when you say to your friendly neibourhood sysadmin "Hey, me and my 2000 work collegues wanna use Firefox instead of IE" his appropriate responce should be to kick your teeth in, and then urinate on your still twitching corpse as a warning to others.

    Don't get me wrong, I use and enjoy Firefox, and have done for years, but because of its amateurish design, it has no place in a profesional environment

    1. Anonymous Coward
      Anonymous Coward

      hmm...

      It's is a fair while since I've done any packaging but the last envrionment I did this for was a heavily locked down affair. We found that the most stuff would work, maybe with a few acl tweaks here and there, having said that it's entirely possible that we were getting software that was generally better written what with being a fairly large company.

      There is still the point that any old end user shouldn't be using admin accounts to run their software, if you're not in a domain it's even less of an excuse because there is no roaming profile or other users to take into account.

This topic is closed for new posts.

Other stories you might like