Can Mozilla-Based Browsers be Hijacked?

Chibi Merrow asks: "Matt Hartley in his latest GnomeReport speaks of supposed browser hijacker programs that are now targeting Mozilla FireFox instead of IE. While this is in a way cool (since that means the browser's now considered mainstream), it's also hard to believe. It doesn't help that his article is very light on details. Now there have been some discussion about spyware masquerading as valid extensions; but they require user intervention to install. Most people think of a browser hijack as something that automatically installs itself. Has anyone ever encountered an actual self installing browser hijacker/spyware program that has targeted Mozilla Firefox, or is this a bunch of FUD?"

IE is part of Windows

[Gary+Destruction]

That in of itself makes it more insecure. I mean, it uses Windows' SSL whereas Mozilla has its own SSL. It has Windows remember passwords whereas Mozilla has a password manager. Mozilla just being a stand alone app makes it safer in that regard. And even a recent exploit caused by an issue with file extension spoofing vulnerability was an issue only with IE. Mozilla still showed the file's name in its entirety.

Re:IE is part of Windows

[Curtman]

• Why not just make a plugin that has an installer or a self-extract zip file or something of that nature?

Haha. That's exactly what they did do. To quote the manual:

An XPI file is nothing more than a ZIP file with its own installation script. Using a ZIP utility, you can archive the xfly directory and preserve the subdirectory structure so it's installed in the user's chrome directory as it is in your own. Make sure that the ZIP file, whatever it's called, contains the top-level xfly subdirectory as part of this structure. If it is a JAR file you are distributing for your package, make the JAR file (xfly.jar) the top level, with the content, skin, and locale directories contained within

Yes, i've seen it

[Joff_NZ]

www.crack-locater.com tries to get you to install a couple of .xpi extensions into Mozilla... I naturally clicked "Cancel", so I couldn't tell you what they did...

Re:Yes, i've seen it

[Joff_NZ]

Yes, you're right.. it was a misspelling, the site in question is www.crack-locator.com
Guess I should have checked that

Re:Yes, i've seen it

[gazbo]

Here we go: I manually downloaded and unpacked the XPI file, to see the JS installer and an exe. Here's what AVG had to say about it.

Only thing I've seen...

[J'raxis]

I've only come across a couple of porn sites that try to install something using the XPI facility, but you get prompted to install it. It was amidst a rats' nest of other dialogs popping up (not "popup" windows, just dialogs asking me to install extensions to handle all kinds of exotic filetypes and JavaScript alert() boxes), so I almost missed it.

Re:Difference between Linux and Windows

[Gary+Destruction]

Theoretically, running as a non-privileged user on an NT-based system would prevent damage to system files or the registry. It would also prevent raw socket access which is only available to the administrator account. But most developers don't take the security into account and most people don't run 2000/XP as non-admin. O&O software is the first software maker I've seen that takes non-admin user accounts into consideration. They actually ask during setup who you want to have access to the program and its settings.

Re: E gets updated whenever a security flaw is fou

[orbman]

Take a look at
http://www.safecenter.net/UMBRELLAWEBV4/ie_unp atch ed/index.html
http://pivx.com/larholm/unpatched/
http://www.malware.com/index2.html
http://www.ee ye.com/html/Research/Upcoming/index.h tml
http://www.guninski.com/browsers.html

And for Mozilla, see
http://bugzilla.mozilla.org/
(search for "security" and sort by Severity)

How many bugs of type "silent delivery & execution of code" can you find for MS IE? How many in for Mozilla?

Re:No ActiveX

[ccady]

ActiveX itself doesn't offer any way to auto-install software without the user's agreement, unless the user changes the Internet Security settings.

AFAIK Mozilla never allows you to auto-install without a warning.

IE gets updated whenever a security flaw is found.

B.S.

Wow, talk about timing!

[GeckoX]

OK, well, AVG on my main system was screaming at me this morning, found a trojan browser-hijacker.

So what right?
Well, I haven't had a virus in _years_ now, AND, (here's the kicker), I do NOT run IE, EVER. Firefox exclusively and previous incarnations for years previous.

And no, it most deffinately did not come in through email.

So apparently, the article is correct.

(As well, I NEVER click ok or the like unless I KNOW i initiated installation of something myself, and I haven't seen anything like that anyways in the past few weeks.)

I'd love some more details and a patch ;)

Related info

[eyepeepackets]

I run Opera (IDs as IE) on a Slackware-based IBM laptop. Here is today's hijack string my Opera user got in his shell as I was browsing sites for heat pipes from a Google search:

Warning: Actions not found: addBookmark, viewBookmark, copy, undefined-key, find, findAgain, history, loadImages, openURL, mailNew, new, openFile, print, exit, reload, saveAs, paste, delete, cut, undo, historyItem, back, forward, abort, PageUp, PageDown

Didn't bother to determine which site did this as it doesn't bother me, but it was interesting to see.