Slashdot Mirror
Can Mozilla-Based Browsers be Hijacked?
Chibi Merrow asks: "Matt Hartley in his latest GnomeReport speaks of supposed browser hijacker programs that are now targeting Mozilla FireFox instead of IE. While this is in a way cool (since that means the browser's now considered mainstream), it's also hard to believe. It doesn't help that his article is very light on details. Now there have been some discussion about spyware masquerading as valid extensions; but they require user intervention to install. Most people think of a browser hijack as something that automatically installs itself. Has anyone ever encountered an actual self installing browser hijacker/spyware program that has targeted Mozilla Firefox, or is this a bunch of FUD?"
One of the reasons that IE is so susceptible to this sort of thing is because of ActiveX - an inherent security hole. While xpinstall is similar, it will always require clear user input to get the extension installed.
And lets not forget the obvious - IE6 is always going to be bad for this. Mozilla gets updated each and every day and has a regular release schedule.
I know who I'd rely on for the latest and greatest security tech.
Free iPods - now in the UK!
That in of itself makes it more insecure. I mean, it uses Windows' SSL whereas Mozilla has its own SSL. It has Windows remember passwords whereas Mozilla has a password manager. Mozilla just being a stand alone app makes it safer in that regard. And even a recent exploit caused by an issue with file extension spoofing vulnerability was an issue only with IE. Mozilla still showed the file's name in its entirety.
www.crack-locater.com tries to get you to install a couple of .xpi extensions into Mozilla... I naturally clicked "Cancel", so I couldn't tell you what they did...
The revolution will not be televised. It won't be on a friggin blog either
I love Firefox and Thunderbird. But everytime I install an extension I really wonder: Why does noone bother to sign their extensions ? As the browser complains that the extension is not signed a mechanism to do that must be there.
Why would they even bother to attack a browser with such a low marketshare?
On a Linux-based system this would only affect the current user unless running Mozilla as root. But on a Windows system, depending on the version of Windows, the damage would be equivalent to that in an IE exploitation would it not?
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
I've only come across a couple of porn sites that try to install something using the XPI facility, but you get prompted to install it. It was amidst a rats' nest of other dialogs popping up (not "popup" windows, just dialogs asking me to install extensions to handle all kinds of exotic filetypes and JavaScript alert() boxes), so I almost missed it.
Liberty in your lifetime
It's interesting to note that these security hacks and loop holes are not just restricted to "windows".
As other OS's and app's become more popular we will see a rise in breaches and attempted breaches of these systems.
No matter if your an Admin of a "microsoft", "Sun", "Linux" system. Security should still be on your agenda regardless of system.
For problems, seek only the simplest solution, complexity brings with it more problems.
Take a look atp atch ed/index.html e ye.com/html/Research/Upcoming/index.h tml
http://www.safecenter.net/UMBRELLAWEBV4/ie_un
http://pivx.com/larholm/unpatched/
http://www.malware.com/index2.html
http://www.e
http://www.guninski.com/browsers.html
And for Mozilla, see
http://bugzilla.mozilla.org/
(search for "security" and sort by Severity)
How many bugs of type "silent delivery & execution of code" can you find for MS IE? How many in for Mozilla?
Is that I submitted a story about a website trying to install mal-ware through Mozilla 2 months ago, and it never got published. While I'm not trying to bitch about the editors, because it probably didn't seem that important, it's hilarious that now because someone has written "an article", which appears to be rambling, it's a large issue. Oh bla di.
OK, well, AVG on my main system was screaming at me this morning, found a trojan browser-hijacker.
;)
So what right?
Well, I haven't had a virus in _years_ now, AND, (here's the kicker), I do NOT run IE, EVER. Firefox exclusively and previous incarnations for years previous.
And no, it most deffinately did not come in through email.
So apparently, the article is correct.
(As well, I NEVER click ok or the like unless I KNOW i initiated installation of something myself, and I haven't seen anything like that anyways in the past few weeks.)
I'd love some more details and a patch
No Comment.
Im sure if one hacks around hard enough a security hole can be found in any browser. I'd like to hope the non-bloat nature of Mozilla and its open-source goodness would ensure to an extent that its inherently very secure, and that potential holes are fixed rapidly. However I think that one also has to take into account the operating system the browser is running on and whether any Mozilla exploits are dangerous accross different platforms. My guess is that though Mozilla is enjoying a good market share at the moment, any exploits that may arise are going to target the operating system, in most cases that will be Windows. Its pretty dificult to run arbitrary code on linux or OSX without being very stupid.
..
Even so, using Mozilla on windows is a sensible thing to do from a security perspective since it provides another layer of security. IE, is so tied into the OS in this regard, but Mozilla is more of a seperate entity.
nick
Electronic Music Made Using Linux http://soundcloud.com/polyp
I saw one xpi try to install on cracks.am. I was happy and mad at the same time. It's mainstream!!!
Chris
Oh man, you almost had me there!
I run Opera (IDs as IE) on a Slackware-based IBM laptop. Here is today's hijack string my Opera user got in his shell as I was browsing sites for heat pipes from a Google search:
Warning: Actions not found: addBookmark, viewBookmark, copy, undefined-key, find, findAgain, history, loadImages, openURL, mailNew, new, openFile, print, exit, reload, saveAs, paste, delete, cut, undo, historyItem, back, forward, abort, PageUp, PageDown
Didn't bother to determine which site did this as it doesn't bother me, but it was interesting to see.
Everything in the Universe sucks: It's the law!
"While this is in a way cool (since that means the browser's now considered mainstream)"
actually it just means that hackers are finally starting to realize that people using IE rarely have data worth accessing. If someone's using FireFox, chances are they're bright enough to have some cool data.
On our webserver, we're only getting about 1.5% of 50,000 hits per day that our Firebird/Firefox, so it's still far from mainstream.
Any program that is complex enough to have user input and system/user output is going to be possibly exploitable.
So yes, I believe it may be possible to exploit Mozilla.
But I also believe that the exploit will be known almost as soon as it hits the streets rather than being kept quiet until the devs get around to fixing it.
And if the devs don't quickly fix it I trust that the community will, because it is in their own interests.
The last 2 paragraphs are because Mozilla is open, IE is closed, plain and simple.
Not to mention that I don't believe that Mozilla is -as- vulnerable to exploits as IE nor will such exploits be as serious due to purposeful lack of OS integration.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
http://public.searchbarcash.com/v2/prompt.php?p=9F D0986F08B7A3A78E58EA0BA7D7954967FEF1419B066DF507A3 4BFBE0441883698566F3B68DF40448AC9A8309A1DE98CFEADA A19AB062C96BF6FCB02431F41783FD95A9751819B0D69E4766 069F882D40938F635FA9C5E34D3FAA84DC818401D6DE0D8818 FE60E4F0CAC3638AA07AB3EC36C9F96DC232EBC4C884963972 446AAFECB8026C6FE467D0
from http://www.bkahuna.scripterz.org/dg-tproxy.html
raj
Sarovar.org Hosting for open source projects in Indi
etc.
So what you're saying is:
Check all of these 3rd-party sites that I have chosen which list a bunch of security holes for Explorer. How evil! Now check a specific query that I have chosen. See! No bugs!
Well, duh. If you get to pick the evidence, you can prove whatever you want. I'll try my hand at this game. Try this page. 9 serious security issues in the November 2003 update. And I was even nice and kept it on Mozilla's own site. These are the vulnerabilities that were fixed in the last release. Good job, but that isn't any better than the IE story.
BTW, I wasn't very impressed with the vulnerabilities on the pages you linked to. Some of them are "vulnerabilities that must be executed in the My Computer domain" (um, the My Computer domain means you are a program on the local computer, so how is that a vulnerability?), others that exploit holes in 3rd party plugins, and others that require the user to click OK a couple of times. I'm really not sure how you can consider any of those as real problems with IE. Sure, they're opportunities for social engineering, but those aren't security flaws any more than any other program that allows you to download code from the Internet. Yep -- FTP is an insecure program, because if you type "GET program.exe", then double click on program.exe, it runs code on your computer!
The ones that actually seem to be dangerous and due to actual problems with Explorer and not false alarms or 3rd-party issues, well they don't seemt to work very well. Perhaps they've been patched?
Honestly, I use both IE and FireFox. They both have pros and cons. They both have security issues. But neither one has a clear advantage in terms of security. Hackers are creative, and they come up with new attacks every day. No code is perfect, but it seems that everybody is doing the best they can do.
Time flies like an arrow. Fruit flies like a banana.
Webalizer stats for May:
1 39346847 78.96% MSIE 6.0
2 4523223 9.08% Mozilla/5.0
3 2250067 4.52% MSIE 5.5
4 710608 1.43% MSIE 5.0
5 696715 1.40% MSIE 5.01
Ok, I know some browsers other than Mozilla disguise as Mozilla/5.0, but their number should be really insignificant.
And no, it's not very geeky site, it's a forum for R/C enthusiasts.
the auto download feature in firefox is great. But what about those site that automatically redirect to an executable file?
A user visits the site, and the autodownload kicks in; the file being so small it will not pop up the download window. Later on, the user looks at his desktop and sees an executable. he double clicks.
I think the autodownload should be disabled for links that the user hasn't clicked on. If the site is pushing a download, the browser should prompt the user.
it has been reported, but the devs don't seem to agree.
If I would be a web browser designer/engineer, I'd force a privilege degradation for browser process. Just like web server runs under user apache and ftp runs under ftp, browser would be running under user "browser". Saving stuff only to some dedicated "download" area, no-no executable filesystem by default with proper quarantine checks. So the user should manually move stuff into his property to execute it, if she wants to. Or run it in other jail.
.desktop shortcuts to run as a different user.
Technically, it is possible to do it on KDE desktop for example, with a little shell scripts and/or
Perhaps a distro aggregators should prepare such environment for moron users by default.
There you are, staring at me again.
The other day I saw one that wasn't self installing, however had the mozilla firefox extensions.. Maybe the mozilla developers should have security levels on the extensions so that certain ones can be permanently blocked so u dont accidently install them, after the 10th time its popped up.. Would also be nice if there was a untrusted extensions database too, that means that if someone chooses to use it, that some known dodgy applets would be blocked (which contain spyware or whatever).. But to avoid any legal problems, just let users mark stuff as spyware, and when a certain threshold is reached.. block it in the database.
One of the major problems with Windows and IE isn't so much the quality of the code, but the fact that everyone is running the same code, hell even the same binary. Hence the worms can be spread so easily.
Mozilla/Firewombat have so many different versions floating about that a large scale exploit would be very difficult to pull off.
The fact that mozilla's ssl implementation is new and probably less tested will never make it more of a target than IEs or windows, even if mozilla became as popular. (So long as mozilla is forever in active development.)
Unless I've missed something, bug 238684 (http://bugzilla.mozilla.org/show_bug.cgi?id=23868 4) greatly reduced this risk. As I read the bug/patch, it makes it impossible for a page to "automatically" ask you to download an XPI; you have to actually click a link or take some other real action. I'm sure clever spyware authors will get around this new protection eventually, but it's a step in the right direction. It was checked in about a month ago, so it'll be in Mozilla 1.7 and beyond and I would assume Firefox 0.9 and beyond.
Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
There are many old/new tricks for MS IE that allows
malicious scripts to cross MS IE security zones too.
MS IE is an increasing target for the attackers, just
like MS Outlook was/is. Just wait and see.
There are many old/new tricks for Mozilla that allows (sic)
malicious scripts to cross Mozilla security zones too.
(Well, they aren't called security zones, but some scripts get more privileges than others.)
Mozilla is an increasing target for the attackers, just
like every other program that touches a network was/is. Just wait and see.
(Grin.)
Time flies like an arrow. Fruit flies like a banana.