Spyware Disguises Itself as Firefox Extension

timothy posted about 8 years ago | from the not-yet-linux-compatible dept.

Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."

247 comments

Not a vulnerability. (5, Informative)

Short Circuit (52384) | about 8 years ago | (#15792636)

Note that this isn't a Firefox vulnerability.

The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

Re:Not a vulnerability. (5, Funny)

kfg (145172) | about 8 years ago | (#15792709)

I refuse to use this trojan until it's ported to Linux.

We have to send a message to developers that we want our apps native.

KFG

Re:Not a vulnerability. (5, Funny)

140Mandak262Jamuna (970587) | about 8 years ago | (#15793038)

Come on, you don't even have to be a script kiddie to write malware for Linux.

This is how it works:

First create an executable that will do bad things. It could even be a csh script. Then send emails to all and sundry like this and attach that file:

Dear Linuxuser,

This is a virus/trojan/worm/malware for Linux. It works on the honor system. Please forward the attachment to all addresses in your .mailrc first and then save it to disk, chmod +x and sudo it. Thank you.

Attachment: malware

make it open source (5, Funny)

kdemetter (965669) | about 8 years ago | (#15793279)

Just send the source code in a nice tarball.

That way it's open source and people can improve it.

Re:Not a vulnerability. (5, Funny)

zo1dberg (939135) | about 8 years ago | (#15793081)

This is the one thing that keeps people from running Linux on their desktops! We normal users don't want to fiddle around with the commandline and stuff like that, we need a point-and-click-interface to compromise the security of our computers! Trust me, until this is fixed, Linux has no hope of ever becoming a serious competitor to Windows.

Re:Not a vulnerability. (5, Funny)

Not The Real Me (538784) | about 8 years ago | (#15793199)

Good point.

A friend of mine has certifications as an MCSE and a CNE. When I tell him to run "ipconfig /all" and "route print" (on his WinXP machine), the look of consternation and confusion on his face is priceless.

Re:Not a vulnerability. (-1, Troll)

Anonymous Coward | about 8 years ago | (#15793277)

"We normal users don't want to fiddle around with the commandline and stuff..."

Normal users don't visit and comment on /. What commandline stuff are you talking about?

"Linux has no hope of ever becoming a serious competitor to Windows."

So, who cares? What's this obsession of having to use the same OS as everybody else?

Re:Not a vulnerability. (0, Troll)

$RANDOMLUSER (804576) | about 8 years ago | (#15792715)

Exactly. Just chalk this up as more McAfee anti-OSS FUD.

Re:Not a vulnerability. (0)

Anonymous Coward | about 8 years ago | (#15792813)

As opposed to Microsoft anti-closed source FUD?

Re:Not a vulnerability. (5, Informative)

kfg (145172) | about 8 years ago | (#15792868)

McAfee do not describe it as a Firefox exploit. They describe it as a VBS exploit originally written to target IE, i.e., a Windows exploit.

KFG

Rats (1)

mrxak (727974) | about 8 years ago | (#15793031)

And here I came to watch all the firefox fanbois have to swallow their pride and admit their favorite browser had a problem. Oh well, better luck next time hax0rs! And just for the record, I'm using firefox right now and think it's far better than the alternative, it's just that I like watching people squirm.

Still, what does this say about IE, that people are now using it to infect firefox? Is IE getting that unpopular now?

Emphasis on that. (4, Informative)

khasim (1285) | about 8 years ago | (#15792745)

This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

This does not exploit any vulnerability in Firefox.

If your OS is not secure, no app running on it can be secured.

Re:Emphasis on that. (2, Funny)

Short Circuit (52384) | about 8 years ago | (#15792778)

If your OS is not secure, no app running on it can be secured.

Ssh...don't tell the RIAA.

Re:Emphasis on that. (-1)

trifish (826353) | about 8 years ago | (#15793043)

> This is an Outlook/IE "virus"

No, it's a regular Firefox extension hosted on the official mozdev.org site. See http://numberedlinks.mozdev.org/ [mozdev.org]

Re:Emphasis on that. (4, Informative)

_Sprocket_ (42527) | about 8 years ago | (#15793162)

That's the legitimate extension. This trojan is not it.

RE: Emphasis on that. (5, Informative)

KURAAKU Deibiddo (740939) | about 8 years ago | (#15793166)

Actually, if you read the article more closely (and similar articles that have appeared in no shortage of other places), the malware pretends to be the numberedlinks extension. Your post implies that the actual extension is malware, and this is untrue.

Additionally, if you read the Slashdot blurb, it's explained pretty clearly there.

Basically, if you click on e-mail attachments without knowing what they are, it's your own fault if your computer becomes infested with viruses and spyware.

Re: Emphasis on that. (2, Interesting)

trifish (826353) | about 8 years ago | (#15793347)

Ok, I stand corrected. Anyway, it is still a valid concern that any Firefox extension could actually be a Trojan horse.

Re:Emphasis on that. (5, Insightful)

dedazo (737510) | about 8 years ago | (#15793192)

This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

This is a user-executed email attachment with a trojan. It will happily be executed from Outlook Express, IE, Eudora and Thunderbird. McAfee mentions they've seen one version trying to exploit a three year old IE vulnerability. If you haven't patched that, well then you deserve to get nailed.

This does not exploit any vulnerability in Firefox

It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing someone is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.

If your OS is not secure, no app running on it can be secured.

If your OS is being operated by a user that executes attachments from "WalMart" that read "helo, teh attcachements for yuo pleasures" then your OS is not secure.

BTW, this progression is interesting. When FF came out just installing it would make the world safe, because it was invulnerable and impervious. Now I also have to switch operating systems? And when someone finds another exploit in SSH

Re:Not a vulnerability. (1)

Fred_A (10934) | about 8 years ago | (#15792805)

Nobody said it was a Firefox vulnerability.

Oh sorry, I forgot, nobody actually reads the articles here...

Re:Not a vulnerability. (0)

Anonymous Coward | about 8 years ago | (#15792846)

That's why I made the post...to clear things up for people who don't RTFA. Even still, there are people posting further down who don't get it.

Re:Not a vulnerability. (2, Funny)

lowrydr310 (830514) | about 8 years ago | (#15792857)

The headline makes it seem like Firefox is bad because there's a new piece of spyware that takes advantage of it.

Darn, I knew this was going to happen sooner or later. Time to switch to IE. oh, wait a minute...

Re:Not a vulnerability. (3, Insightful)

DrXym (126579) | about 8 years ago | (#15792851)

Well yes it is. Firefox extensions are an easy way to trojan a system. Anyone can write an extension and put it up on the addons site and there isn't even the requirement that it be signed. There is no enforcement of trust at all except for a primitive domain whitelist system. I think it would be fairly trivial to produce a malicious extension. Worse, you could even craft one that works on Linux, OS X and Windows in one fell swoop, since you have unfettered access to all of the XPCOM objects running in Firefox.

My feeling is that Firefox desperately needs to implement some kind of trust model. I can understand why that might not be RSA PKCS since the system is crap for small publishers. But something is needed. Even a trust model based on PGP signing would be of benefit.

I'm sure some would argue that no one looks at signatures anyway, which might be an exaggeration, but it does have some truth. It is certainly no excuse for offering no trust model at all, or for Firefox UI designers to not be able to produce some simple traffic light trust system with sensible defaults to simplify it for those who can't or won't look at the certs.

Re:Not a vulnerability. (1)

gowen (141411) | about 8 years ago | (#15792947)

I think it would be fairly trivial to produce a malicious extension. Worse, you could even craft one that works on Linux, OS X and Windows in one fell swoop, since you have unfettered access to all of the XPCOM objects running in Firefox.
Maybe. BUT THIS ISN'T IT. The possibility of a piece of auto-installing firefox malware doesn't magically mean this malware is such a beast.

Re:Not a vulnerability. (0)

Anonymous Coward | about 8 years ago | (#15793050)

Why even bother with Firefox, you can run any freaking exe file you want in windows by clicking on it or typing the name of it at your cmd prompt. Applications should not be the place to enforce the requirements you are suggesting. If the data was something that FIREFOX was responsible for like checking inputs and validating data, then I'd fully agree with you. Firefox with the abilities you described would be an advantage but that would be a band-aid.

Re:Not a vulnerability. (1)

arose (644256) | about 8 years ago | (#15793115)

Well yes it is. Firefox extensions are an easy way to trojan a system.
  1. Not more than any other software you install.
  2. This isn't really an extension, more like a modified version of Firefox.

Re:Not a vulnerability. (2, Insightful)

archen (447353) | about 8 years ago | (#15793137)

I think you'll still end up with the same problems though. Where does firefox keep its list of trusts? In the registry, or a config file? People will want to develop/install plugins that aren't signed so you'll need to be able to make exceptions. Where will the settings for the exceptions be stored? In the registry or config file?

I think this just gives you a false sense of security. If your OS were secure and you knew for a fact that no one else could ever write to the firefox config files or the registry, you could sign things just fine. But this isn't a man in the middle attack, but more like a "man in the backroom" attack. And that's exactly what this spyware does.

Re:Not a vulnerability. (2, Insightful)

Drachemorder (549870) | about 8 years ago | (#15793245)

Any piece of software capable of running executable code is vulnerable to trojans. Anyone can write an executable program to do nasty stuff, and there's no reasonable way for an application to tell the difference. Firefox can't figure out on its own that an extension which deletes files or sends email is malicious, because such functionality can conceivably be useful. The only real solution is to educate people about running untrusted executable code, and Firefox already takes every reasonable precaution to do so. So much so, in fact, that it's a bit annoying when you really do want to install an extension. Trojans are a form of social engineering; with enough effort you can convince most people you're trustworthy, and there's very little that can be done to prevent that sort of activity, except perhaps educating people about the possibility.

So the problem isn't the software. It's the people using the software. As more people learn about Firefox, we'll just have to accept that some of them are going to be stupid. It's a statistical inevitability. You can fix security holes all day, but you can't fix stupid.

Signatures don't matter here (3, Insightful)

sterno (16320) | about 8 years ago | (#15793327)

You are talking about a situation where an executable has been run with your privileges. It can do anything it wants to, especially in Windows where most people run as Administrators. It can disguise itself as a firefox extension, sure. But it could also modify the firefox binary, or simply install a sniffer running as a service, or format your drive, or any number of nasty things.

The only place a signature would matter in this case is when the trojan executable was run. If you are executing attached executables from an e-mail, then no amount of signature verification is going to protect you. The reality is that no technical process can exist that will prevent this kind of attack so long as users can install their own software.

Re:Not a vulnerability. (4, Insightful)

dschuetz (10924) | about 8 years ago | (#15792856)

Note that this isn't a Firefox vulnerability. The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

Of course, this presupposes that Firefox hackers can manage to get their extensions signed, and if that's possible, then the malware authors could do the same. Unless...FF gets distributed with a mozilla.org CA cert, and extensions accepted and published on the mozilla site(s) get signed with that cert, then every "legitimate" extension from the mozilla sites will be verifiable at runtime. The user could opt out of that with an "allow execution [not installation] of unsigned extensions" preference setting, but the majority of users would be protected, so long as the malware doesn't also set that preference for the user. :)

(though even that last bit could be guarded against by creating a personal key to sign the config with, and every time you make a "security relevant configuration change" to the browser's settings, you have to re-sign the file.)

Re:Not a vulnerability. (4, Insightful)

KiloByte (825081) | about 8 years ago | (#15792941)

... or until the trojan makes a trivial change in FireFox's binary.

Once you're pwned, you're pwned. If you give someone free rein on your box, he can do anything to any file writeable by you.

Re:Not a vulnerability. (5, Insightful)

greed (112493) | about 8 years ago | (#15792955)

While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

Once someone's system is compromised, they can replace or alter the FireFox binary which verifies the signatures, replace libnssckbi.so, libsoftokn3.so, whatever.

You can't win at that point. If you're storing your operating system and executables on writable media, it can never be trusted to that level. The hardware would have to cryptographically verify the boot loader on disk, which would verify the kernel, which would then be able to verify everything it executes--FireFox alone can't do it.

(Say, what was that hardware-based Trusted Computing stuff supposed to do? In addition to ramming DRM down everyone's PCI bus, wasn't there system verification too?)
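
The runtime check dschuetz proposes above and the limit greed and KiloByte point out, as an added example that is not part of any poster's comment and is not Firefox code: a keyed manifest over the `.jar` files in a profile flags a replaced or newly dropped file, but only while the key and this script sit somewhere the logged-in user's processes cannot write. The directory layout mirrors the McAfee path quoted elsewhere in the thread; the class-id folder name, key and file contents are constructed.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def snapshot(profile: Path) -> dict:
    """Map every .jar under the profile to its SHA-256 (path relative to profile)."""
    return {
        p.relative_to(profile).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(profile.rglob("*.jar"))
        if p.is_file()
    }


def sign_manifest(files: dict, key: bytes) -> dict:
    """Bind the file list to a key so a rewritten manifest is detectable."""
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(profile: Path, manifest: dict, key: bytes) -> dict:
    """Compare the profile on disk with the signed baseline."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        # The baseline itself was edited: nothing it lists can be trusted.
        return {"manifest_ok": False, "added": [], "modified": [], "removed": []}
    current, known = snapshot(profile), manifest["files"]
    return {
        "manifest_ok": True,
        "added": sorted(set(current) - set(known)),
        "removed": sorted(set(known) - set(current)),
        "modified": sorted(
            n for n in current.keys() & known.keys() if current[n] != known[n]
        ),
    }


def demo() -> dict:
    """Run the check over a constructed profile directory."""
    # Assumption: in practice the key lives outside anything the user's
    # own processes can read or write. Same-user malware that can reach the
    # key or this script defeats the check, which is the thread's objection.
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        chrome = profile / "constructed-class-id" / "chrome"
        chrome.mkdir(parents=True)
        jar = chrome / "numberedlinks.jar"
        jar.write_bytes(b"original jar contents (constructed)")

        manifest = sign_manifest(snapshot(profile), key)
        clean = verify(profile, manifest, key)

        # The jar is replaced and an extra file appears, bypassing the
        # browser's install dialog.
        jar.write_bytes(b"replaced jar contents (constructed)")
        (chrome / "extra.jar").write_bytes(b"unexpected file (constructed)")
        tampered = verify(profile, manifest, key)

        # The baseline is rewritten to match the new files, without the key.
        forged = {"files": snapshot(profile), "mac": manifest["mac"]}
        forged_result = verify(profile, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```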

Re:Not a vulnerability. (1)

Arker (91948) | about 8 years ago | (#15792858)

Note that this isn't a Firefox vulnerability.

Pretty much. It may be possible for the firefox developers to block this on their end, by inserting some kludges for the windows builds, but the exploit itself is an exploit of Windows/IE, and won't affect Firefox on a sane system. (Not even on Windows, if IE is thoroughly removed and a sane email program used.)

It is a vulnerability. (2, Insightful)

mobby_6kl (668092) | about 8 years ago | (#15792870)

Firefox isn't doing anything to prevent it, so it's a Ff vulnerability.

At least, that's how it works for other software.

Re:It is a vulnerability. (0)

Anonymous Coward | about 8 years ago | (#15792988)

So, by your logic, if I write a plugin for, say Photoshop that does something evil it's Adobe's responsibility?

On what freaking planet does that make any sense?

Re:It is a vulnerability. (1)

DoctorDyna (828525) | about 8 years ago | (#15793221)

Funny, but I seem to remember a lot of comments emerging from Slashdot about it being Microsoft's fault whenever there is anything like this targeted at IE.

Re:It is a vulnerability. (1)

DahGhostfacedFiddlah (470393) | about 8 years ago | (#15793335)

being Microsoft's fault whenever there is anything like this targeted at IE

That's right - because it's an OUTLOOK BUG.

Re:It is a vulnerability. (1)

Phillup (317168) | about 8 years ago | (#15793237)

At least, that's how it works for other software.

How does "other software" keep me from tweaking the registry?

Re:Not a vulnerability. (1)

Sebastopol (189276) | about 8 years ago | (#15793091)

Well, seeing that firefox does a 5... 4... 3... 2.. 1... timeout to install unsigned extensions, perhaps they should crack down a bit more on authenticity, and only provide extensions registered on their site or something similar.

I think this is a FF problem, just like with other SW that gets hacked.

Re:Not a vulnerability. (1)

AugustZephyr (989775) | about 8 years ago | (#15793203)

Long live the Fox. (Stupid windows security flaws).

Re:Not a vulnerability. (1)

StormReaver (59959) | about 8 years ago | (#15793238)

"Note that this isn't a Firefox vulnerability."

I consider the entire Firefox extension mechanism one big vulnerable open door. On Windows, it's no big deal. There is no vulnerability that Firefox enables under Windows that Windows itself doesn't already provide. Under other operating systems with correct separation of programs and data, though (such as anything Unix-like), the extension mechanism is bypassing the operating system's protections.

Linux systems provide applications in root-protected directories, providing protection against userland software (such as viruses) modifying program files. Install Firefox, though, and extensions go into unprotected user directories. This opens the door for viruses to propagate through Firefox itself.

Cryptographically signing extensions won't matter much either, as the people who don't understand how to manage signed packages represent the vast majority of Firefox users.

FUD (0, Troll)

knifeyspooney (623953) | about 8 years ago | (#15792640)

But the malicious extension can only bypass the normal Firefox checks if your system is already infected with a friendly virus, which will only infect your system through Internet Explorer!

Re:FUD (1)

LurkerXXX (667952) | about 8 years ago | (#15792702)

Thanks for marking your post that is pure FUD as FUD with the title.

The trojan is being distributed through spam emails. It has zero to do with Internet Explorer.

Someone please mod this troll to oblivion.

Re:FUD (0)

Anonymous Coward | about 8 years ago | (#15792749)

The trojan is being distributed through spam emails. It has zero to do with Internet Explorer.
In his defence, TFA does also say
However, McAfee say that they have also seen attempts to install FormSpy using the three-year old VBS/Psyme exploit in Microsoft Internet Explorer.
But it sounds like the emailed exe is the main way so he is a FUD-spreading troll, yes.

Re:FUD (0)

Anonymous Coward | about 8 years ago | (#15792783)

The trojan is being distributed through spam emails. It has zero to do with Internet Explorer.


Partly correct. McAfee also notes attempts to install this using an IE vulnerability.

Re:FUD (1)

CarpetShark (865376) | about 8 years ago | (#15792935)

What you don't seem to realise is that IE is embedded in Microsoft's email clients, and they therefore share most of the same issues.

Re:FUD (3, Insightful)

LurkerXXX (667952) | about 8 years ago | (#15792970)

What you don't seem to realize is that IE isn't embedded in 3rd party email clients like Thunderbird and Eudora, but the attachment will still hammer Firefox when you run it, just as it will in Outlook.

Re:FUD (2, Insightful)

Firehed (942385) | about 8 years ago | (#15793169)

As with anything else, this requires you to be enough of a moron to run an attachment received in a spam message (which theoretically requires you to be enough of a moron to actually read your spam). It's much more of a PEBKAC problem than a vulnerability of any piece of software. I don't know about Eudora, but I've found Thunderbird's spam filtering to be excellent, something not even offered the last time I used a MS-made client, which hypothetically reduces the risk of you running the thing, though that's pushing it.

It's probably worth considering that most people smart enough to have switched to Firefox are also smart enough not to think "oooh, cool, free file, better see what it does!!!1".

Re:FUD (1)

LurkerXXX (667952) | about 8 years ago | (#15793247)

Really? Thunderbird does a pretty rotten job of sorting out spam on my machine. I think it's one of the worst filters I've used.

Re:FUD (0)

Anonymous Coward | about 8 years ago | (#15793336)

I used to think that TB had mediocre spam filtering until I realized that you have to mark both spam and non-spam messages (eg: highlight messages -> right-click -> mark as not spam) to properly train it. Once I started doing that I'd say TB detection accuracy jumped from about 50% to 95%.

FUD-A matter of trust. (0)

Anonymous Coward | about 8 years ago | (#15792780)

True but it's still a back-door. Programs need to separate internal*, which it trusts, and external, which it shouldn't trust. Just because it's on YOUR machine doesn't mean it should be trusted.

*Internal:inside the program.
  External:Data coming into the program.

Re:FUD (1)

JimDaGeek (983925) | about 8 years ago | (#15792957)

I don't want to sound like a parrot, however your point is spot-on. If this were a Firefox vuln. it would affect FF on Linux and Mac. However, it only affects Microsoft Windows users.
From www.mozillazine.org

Downloader-AXM is distributed as a Windows executable attached to a spoof email purporting to be a order confirmation message from Wal-Mart. However, McAfee say that they have also seen attempts to install FormSpy using the three-year old VBS/Psyme exploit in Microsoft Internet Explorer.

If anything, this sounds like a flaw in Microsoft products. If I wrote a Trojan that got in through IE or via an Outlook email attachment that goes and blows up Photoshop CS, would it be a Photoshop CS vuln. or a Microsoft vuln.?


The sad thing is that there are a lot of Joe Users out there that bought a computer with Win XP home on it (non-sp2) and they have no firewall and no automatic updates. So exactly how is Joe User supposed to know about updates? I thought Microsoft Windows XP "Just Works"? It sounds like Microsoft Windows XP "Just Works" only if you are computer savvy, a corporate end user with sysadmins to keep systems updated or stay on a 1 year upgrade cycle. Mac and every major Linux distro has automatic updates on out of the box and have had it this way for a few years. I guess the only Windows XP users that have a somewhat safe and updated computer are those that recently purchased a new computer with SP2. Though those systems still put all users in the Administrator group by default so I don't know if even buying the "latest and greatest" from MS helps.

Re:FUD (1)

plague3106 (71849) | about 8 years ago | (#15793067)

I don't want to sound like a parrot, however your point is spot-on. If this were a Firefox vuln. it would affect FF on Linux and Mac. However, it only affects Microsoft Windows users.

Sorry, your reasoning here is just wrong. There most certainly can be a vulnerability IN FF that only affects the windows version.

Re:FUD (1)

uarch (637449) | about 8 years ago | (#15792990)

But the malicious extension can only bypass the normal Firefox checks if your system is already infected with a friendly virus
Oh, well if it's a friendly virus...

I can see the next MS vs Apple ad:
Mac: PCs were infected with over 1230985981723 viruses last year!
PC: Yeah, but they were all friendly.

MozillaZine Has More (5, Informative)

Anonymous Coward | about 8 years ago | (#15792642)

This MozillaZine article [mozillazine.org] has lots more on the trojan horse, including instructions for spotting if you have it.

Personally... (4, Informative)

celardore (844933) | about 8 years ago | (#15792657)

Personally I only download FF extensions from the official site.
https://addons.mozilla.org/extensions.php?app=firefox [mozilla.org]

Re:Personally... (2, Informative)

Anonymous Coward | about 8 years ago | (#15792781)

That's not what's going on. This trojan isn't installed as an extension, it comes as a regular old .exe in an email, which when you run it, then edits the firefox configuration files to add itself into the extension list without going through the normal extension process.

Re:Personally... (3, Insightful)

celardore (844933) | about 8 years ago | (#15792884)

In that case... Who runs an exe they receive in an email? Unless I'm expecting it, and know the sender, I certainly won't.

Education must be the answer then. I learned not to open random executables from unknown sources many years ago. People apparently click them though. Teach a man to use the internet, and he'll be safe for a day. Teach a man to know the internet and he'll be safe for a lifetime.

Re:Personally... (0)

Anonymous Coward | about 8 years ago | (#15793116)

Shouldn't it start 'Teach a man to use the internet, and he'll have a virus in a day'?

Is numberedlinks legit? (1)

dwayner79 (880742) | about 8 years ago | (#15792667)

The article is not clear. If not, get it off the Moz site. If so, sux to be them.

Answered my own question: (1)

dwayner79 (880742) | about 8 years ago | (#15792719)



The mozillazine site says: "Within Firefox, the trojan pretends to be the legitimate numberedlinks extension."

Much clearer. And sux to be them.

Re:Is numberedlinks legit? (2, Informative)

savala (874118) | about 8 years ago | (#15792794)

The article is not clear. If not, get it off the Moz site. If so, sux to be them.

It is: "presenting itself as a legitimate existing extension called numberedlinks".

The McAfee characteristics page [nai.com] (2nd tab - stupid that that isn't directly linkable) also says:

The original component installs the following files:
* %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar

FormSpy installs these additional files:
* %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar (modified - FormSpy)

.....rrruuuuummmmmble... (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15792682)

MINDQUAKE!!!

Hmmmm (3, Interesting)

robpoe (578975) | about 8 years ago | (#15792686)

Basically, what you're saying, is I must open an EXE from a non Walmart "Walmart" email, or I have to use IE?

Nothing to see here, move along..

This is not a Firefox problem... (0)

Anonymous Coward | about 8 years ago | (#15792689)

This is not a Firefox problem, it is a Windows problem. You need to open an email attachment, which installs the Trojan into Firefox. The email client must execute the Trojan with admin rights for this to work. Same old, same old...

and? (0)

fullphaser (939696) | about 8 years ago | (#15792706)

Yes, but with Opera you wouldn't have this problem would you? (response from firefox user) No, because opera doesn't have extensions > widgets != extensions (response from IE user) what is opera? All rather bad, but there have been bad little extensions out there for a while haven't there?

Re:and? (4, Funny)

hotdiggitydawg (881316) | about 8 years ago | (#15792762)

(response from Lynx user) *cough* ActiveX *cough* *snigger*

Break extension (5, Funny)

Anonymous Coward | about 8 years ago | (#15792729)

In next version of Firefox, the extension will be broken anyways. Mozilla breaks extension every new release. :D

Thankfully, I'm running IE (5, Funny)

Anonymous Coward | about 8 years ago | (#15792732)

Which makes me invulnerable to snooping for credit card numbers as all my accounts are empty and my credit rating is ruined.

What does MS say? (1)

Teun (17872) | about 8 years ago | (#15792740)

We claim Prior Art for The old "it's not a bug, it's a feature" ploy.
Please contact our legal department.

Fortunately... (-1, Troll)

Anonymous Coward | about 8 years ago | (#15792747)

Re:Fortunately... (0)

Anonymous Coward | about 8 years ago | (#15793042)

Actually, you got the link wrong. Here is where the real patch exists. [mybookmarkmanager.com] ;)

How does it work? (2, Insightful)

Klaidas (981300) | about 8 years ago | (#15792754)

Does it install simply by browsing, or does it need to open an .exe? Or do you install it like a normal extension?
If it's #1, it's bad
If it's #2, not so bad - a simple virus
If it's #3 - hey, who installs extensions from non-official sources?

Re:How does it work? (1)

shayborg (650364) | about 8 years ago | (#15792849)

You have to run an EXE that is attached to a spam e-mail. If you're running executables attached to spam, God help you -- this is the least of your worries.

Re:How does it work? (1)

ZiakII (829432) | about 8 years ago | (#15792862)

Does it install simply by browsing, or does it need to open an .exe? Or do you install it like a normal extension?
If it's #1, it's bad
If it's #2, not so bad - a simple virus
If it's #3 - hey, who installs extensions from non-official sources?


Does this user not RTFA? Or is he trying to just get karma? Or where they just trying to get a first post?
If it's #1, typical slashdot reader
If it's #2, stupid karma whore
If it's #3 - god, I hope not they where way to slow

Re:How does it work? (0)

Anonymous Coward | about 8 years ago | (#15793345)

Jesus Christ...

Where - Where did they go? Where are my keys? Where is the pub?

Were - They were over there. We were driving.

To - Go to the store. Bring it to me.

Too - They were way too slow. Too much information.

Why is mozdev.org still... (0)

bermabloeme (990995) | about 8 years ago | (#15792798)

listing it?

And part of their entry: Numberedlinks was originally developed by Shawn Betts, who now works on conkeror, a keyboard-driven browser with built in numbered links functionality.

Mr. Betts,

If you're not responsible for the trojan, I suggest you start doing some damage control to make sure that your name isn't sullied.

Because, if you are going for work, and someone Googles your name, they will make the connection. And you will be labeled a hacker/cracker whether you like it or not; innocent or not.

And, until this is settled, I will consider anything you develop to be suspect.

Re:Why is mozdev.org still... (1)

gad_zuki! (70830) | about 8 years ago | (#15792855)

It disguises itself as numberedlinks. If that guy does get a bad rep it'll be because of lazy people like you who cannot be bothered to read an article on mozdev before starting a witch burning.

Re:Why is mozdev.org still... (0, Flamebait)

bermabloeme (990995) | about 8 years ago | (#15792897)

If that guy does get a bad rep it'll be because of lazy people like you who cannot be bothered to read an article on mozdev

Where on mozdev.org does it mention this issue?!? Right now, all it shows is the typical download page.

And, why isn't there a big fucking WARNING saying that there is a problem?!

So, what you're saying is that EVERYTHING on mozdev.org and mozilla.org should be suspect? And I should research everything that I may download from those organizations because they may be tainted? I don't have the time. I have a life.

Or for that matter, anything that's produced by F/OSS?

Really, how far do I have to go?

Re:Why is mozdev.org still... (1, Informative)

Anonymous Coward | about 8 years ago | (#15792925)

I think you misunderstand. There is a legitimate extension called numberedlinks that you can install from mozdev and is not evil. This trojan extension masquerades as numberedlinks but only gets installed if you open the evil email attachment.

Re:Why is mozdev.org still... (3, Insightful)

radish (98371) | about 8 years ago | (#15792929)

Hate to break it to you but ALL software is potentially bad. You have to decide how much you trust it based on who wrote it, whether that's verifiable, your own inspection of the source, whatever. In the case of F/OSS you do at least have the option of inspecting the source. You have no such luxury with non-free software, in which case you simply have to decide how much you trust the publisher.

Re:Why is mozdev.org still... (1, Informative)

Anonymous Coward | about 8 years ago | (#15792954)

If you had read this article [mozillazine.org], you'd see that in clear text it states:
Within Firefox, the trojan pretends to be the legitimate numberedlinks extension.

The extension itself is not the problem. The trojan creator just decided to have his extension pose as another in an attempt to be "inconspicuous".

Clueless (0)

Anonymous Coward | about 8 years ago | (#15793015)

Wow. You are fucking clueless.

Imagine you write an extension named "MyHelpfulExtension" to help people. It is good and not a problem. It is listed on MozDev.

Then, a bad person makes a virus called "MyHelpfulExtension". It installs itself secretly on many users' machines.

Then, some jackass starts saying that you wrote a virus because it has the same name as your good extension.

How would that make you feel?

Ho-hum.... (1)

Farfnagel (898722) | about 8 years ago | (#15792921)

Somebody wake me up when there's an email virus that affects my Linux box.

Re:Ho-hum.... (0)

Anonymous Coward | about 8 years ago | (#15793103)

WAKE UP!!!

Re:Why is mozdev.org still... (0)

Anonymous Coward | about 8 years ago | (#15792942)

Wow dude, this might be the most clueless thing I've read all month.
By the way, perfect sig (for you).

Re:Why is mozdev.org still... (2, Insightful)

Anonymous Coward | about 8 years ago | (#15793075)

you will be labeled a hacker/cracker whether you like it or not; innocent or not.

And, until this is settled, I will consider anything you develop to be suspect.


Then that makes you part of the problem, asshole. It's not the legitimate author's responsibility to police every malicious programmer and make sure that they are not using the same name as something that is legitimate. If he has the name of his extension legally registered, and the author of the malware gets identified, then the legitimate author can sue for infringement, but that's the only recourse he has. He just has to hope that malinformed assholes like yourself are the minority.

The tip of the iceberg... (2, Insightful)

Anonymous Coward | about 8 years ago | (#15792866)

People seem to be awfully dismissive of this, but it poses a real problem. Given the number of available vectors, even careful Firefox users can get struck by virus/spyware/other attacks (even OpenSSH has critical security vulnerabilities from time to time, and it is specifically designed for security). More sophisticated extension hacks aren't too far away. Given the level of extensibility offered via extensions, it sounds plausible that extensions may delist themselves from the extension manager (a la rootkit techniques). Even if the Moz team had the foresight to prevent such a hack, it is pretty trivial to simply infect an existing extension. Simply inject your hostile javascript code into the extension files to get loaded along with the host extension. Maybe modify existing javascript that is provided in a default installation, such as the search engine plugins. Plus, you get the added benefit of cross platform compatibility for your Firefox hacks.

This is the proverbial shot across the bow. Perhaps it's time for cryptographically signed extensions? It may not protect from someone explicitly installing a hostile extension, but it may prevent the self-installation of this kind of software from succeeding.
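The integrity problem raised in the comment above (extension files altered or added on disk without going through the extension manager) can be caught with a keyed hash baseline. The sketch below is an added example, not part of the comment and not Firefox code; it is a simpler stand-in for signed extensions, and the directory layout, file names and key are constructed assumptions.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(ext_root):
    """Map each file path (relative to ext_root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(ext_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, ext_root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def _tag(digests, key):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(digests, key):
    """Bind the baseline to a key so a rewritten baseline is detectable."""
    return {"files": digests, "tag": _tag(digests, key)}

def audit(ext_root, manifest, key):
    """Compare the directory with the sealed baseline; report the drift."""
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["tag"]):
        raise ValueError("baseline manifest failed authentication")
    then, now = manifest["files"], snapshot(ext_root)
    return {
        "added": sorted(set(now) - set(then)),
        "removed": sorted(set(then) - set(now)),
        "modified": sorted(p for p in now.keys() & then.keys() if now[p] != then[p]),
    }

def demo():
    """Constructed sample tree: one file altered, one directory added."""
    key = b"constructed-demo-key"  # assumption: real key lives off the machine
    with tempfile.TemporaryDirectory() as root:
        def put(rel, text, mode="w"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, mode) as fh:
                fh.write(text)
        put("known-extension/overlay.js", "// original code\n")
        manifest = seal(snapshot(root), key)
        clean = audit(root, manifest, key)
        put("known-extension/overlay.js", "// appended line\n", "a")
        put("unlisted-extension/main.js", "// not in baseline\n")
        return clean, audit(root, manifest, key)

if __name__ == "__main__":
    print(demo())
```

Because the trojan described here runs with the user's own privileges, the baseline and key only help if they are stored where that account cannot rewrite them.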

that's it, I'm switching to Internet Explorer (3, Funny)

Anonymous Coward | about 8 years ago | (#15792904)

I've had it. That's it, I'm switching to Internet Explorer. You can play with your crappy browser but I'm done with it.

Whether everyone likes it or not... (1)

ModernGeek (601932) | about 8 years ago | (#15793310)

...the public will have this sort of response if more and more things like this are reported the way they are. They will think numberedlinks is an extension that will come in through firefox.

Crapshoot (1)

Billosaur (927319) | about 8 years ago | (#15792912)

Ok, so you get the virus in an email... what if you don't have Firefox? Blasphemy, I know. More importantly, if you do have Firefox, are you necessarily going to be running Outlook to catch this bug in the first place?

Re:Crapshoot (1)

corbettw (214229) | about 8 years ago | (#15793035)

Sure, there are lots of people who use Firefox and Outlook. I'm one, and so is everyone else in my department. We have to use Outlook for work, and we choose to use Firefox as our browser (usually with the IE extension to view parts of the intranet that use ActiveX). Happily, our anti-spam systems on both the gateways and the Exchange servers are configured to strip out .exe files (and most other attachments), so we (probably) won't fall prey to this thing.

Spyware Disguised as an MSIE Extension (5, Funny)

krell (896769) | about 8 years ago | (#15792927)

It could have been worse, like spyware disguised as a Microsoft Internet Explorer extension. That's sort of like Nixon wearing a Nixon mask.

RTFA (5, Informative)

sensei85 (989372) | about 8 years ago | (#15792981)

Again with people jumping to conclusions. The trojan is loaded when you open an .exe attached to an e-mail from "Wal-mart". Lesson to be learned: never open random .exe attachments. Ever. Problem solved.

For those of you screaming that "numberedlinks" should be removed from the mozilla site, that wouldn't fix the problem. The original extension is perfectly safe and NOT a trojan. This one is just spoofing it by installing itself with the same name.

A little more careful reading and some common sense go a long way

Re:RTFA (1)

deviceb (958415) | about 8 years ago | (#15793102)

If I am:
a) using outlook
b) reading email from --> walmart??
c) executing an alien file.. ..

then I deserve a virus & maybe a std w/ a rash.

SpreadIE7.com (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15793023)

At the release of IE 6.0, there were parties all over the world. Let's do it again for IE 7.

How should we organize it? What can Microsoft do to facilitate (materials, swag, a planning site?)

Do any of you know of existing web-based services that would work for planning a set of world-wide parties? The IE 6.0 party planning tool seems to have disappeared.

Should we have a theme? Can you host a party? Let's chat!

haha...I love it.. (0)

Anonymous Coward | about 8 years ago | (#15793083)

Firefox allows one of its directories to be home to malware and right out of the gate, the whining about how insecure IE is begins...

If firefox did security checks on the files that were supposedly part of extensions, this wouldn't be a problem...I write all my apps to verify activities of all files they could potentially use..why can't the guys at firefox do that...

I guess they aren't ever going to get around to fixing that nasty little bug that allows me to use javascript in a webpage to write to firefox's config files....

sigh..oh well....

but you zombies go right on ahead thinking firefox is invulnerable...makes my life more enjoyable...

Firefox is horribly vulnerable; I have proof. (4, Interesting)

mmell (832646) | about 8 years ago | (#15793110)

On a machine which I maintain for my SO and children, M$ XP Pro is installed. The default browser is FireFox, which I have managed to convince my SO and children to use.

My daughter (with a limited user account, no less) viewed a malicious advertising banner while logged into MySpace.com. I'm quite sure she clicked "yes" to running a WMF exploit.

She has a limited account. End of story, you say? Nope, read on . . .

My wife logged in a couple days later. A popup balloon warned her that the machine was infested and she should "click here to fix the problem". Well, she installed AntiVirusGolden v3.3 (from her not-so-limited user account). Who can blame her? I wouldn't have fallen for it (I already had CA's EZ-Antivirus installed and more or less trusted it), but it looked like a valid course of action to her, so the next thing I knew there were nearly a dozen payloads whanging around the rusty innards of my SO's computer - some acquired on the spot, others dropped there during the following week, I'm sure.

That machine now runs Linux (like the rest of my home network). I'd like to thank the wonderful malware authors at AntivirusGolden for giving me the leverage I needed to convince my SO to give up on Windows and use a somewhat more securable OS.

Oh, but I'll continue to use Firefox, now that I've closed that horrible WMF exploit that it has! You'd think the Firefox development team would know better than to trust end-users with the option to execute WMF's. Hmmph!

*(The above is intentionally sardonic; but the basic facts are true)*

Re:Firefox is horribly vulnerable; I have proof. (1)

DarkDragonVKQ (881472) | about 8 years ago | (#15793213)

That's my evil plan for when I have a family. I'll make them all use Linux till they're tech smart, then I'll let them use whatever OS they want.

Re:Firefox is horribly vulnerable; I have proof. (2, Insightful)

Itninja (937614) | about 8 years ago | (#15793306)

How does this make FF 'horribly vulnerable'? The WMF flaw is, by definition, a Windows problem not a FF one. That's like saying your new alarm system is flawed because someone left the front door unlocked.