Slashdot Mirror


Can Mozilla-Based Browsers be Hijacked?

Chibi Merrow asks: "Matt Hartley in his latest GnomeReport speaks of supposed browser hijacker programs that are now targeting Mozilla Firefox instead of IE. While this is in a way cool (since that means the browser's now considered mainstream), it's also hard to believe. It doesn't help that his article is very light on details. Now there has been some discussion about spyware masquerading as valid extensions, but they require user intervention to install. Most people think of a browser hijack as something that automatically installs itself. Has anyone ever encountered an actual self-installing browser hijacker/spyware program that has targeted Mozilla Firefox, or is this a bunch of FUD?"

6 of 102 comments

  1. What's really funny.... by Fuzzle · · Score: 2, Interesting

    Is that I submitted a story about a website trying to install malware through Mozilla 2 months ago, and it never got published. While I'm not trying to bitch about the editors, because it probably didn't seem that important, it's hilarious that now because someone has written "an article", which appears to be rambling, it's a large issue. Oh bla di.

  2. Re:IE is part of Windows by sql*kitten · · Score: 3, Interesting

    it uses Windows' SSL whereas Mozilla has its own SSL

    Actually, this is exactly contrary to SSL philosophy. When asked "why doesn't SSL/SSH do such-and-such", developers reply that they want to concentrate on the crypto layer and other applications can use that layer to provide their own services (for example, sftp is layered on top of ssh, VNC uses ssh to provide its crypto, etc). So, there's one crypto system to maintain and patch, not two or even n.

    It's Unix philosophy too, building useful things from small tools that do one thing well. The Mozilla people lost sight of that pure vision LONG ago, and reimplemented everything from scratch. Kinda missing the point of libraries altogether.

  3. OS dependency? by polyp2000 · · Score: 2, Interesting

    I'm sure if one hacks around hard enough a security hole can be found in any browser. I'd like to hope the non-bloat nature of Mozilla and its open-source goodness would ensure to an extent that it's inherently very secure, and that potential holes are fixed rapidly. However I think that one also has to take into account the operating system the browser is running on and whether any Mozilla exploits are dangerous across different platforms. My guess is that though Mozilla is enjoying a good market share at the moment, any exploits that may arise are going to target the operating system, in most cases that will be Windows. It's pretty difficult to run arbitrary code on Linux or OSX without being very stupid.

    Even so, using Mozilla on Windows is a sensible thing to do from a security perspective since it provides another layer of security. IE is so tied into the OS in this regard, but Mozilla is more of a separate entity.

    nick ..

  4. I've seen it by alatesystems · · Score: 2, Interesting

    I saw one xpi try to install on cracks.am. I was happy and mad at the same time. It's mainstream!!!

    Chris

  5. Re:Wow, talk about timing! by AngryWookiee · · Score: 1, Interesting

    I had a similar experience just the other day using Firefox on Windows. My McAfee virus scan went crazy telling me that there was a javascript (no surprise that it was javascript but I can't ever remember having something like this happen with Firefox) file trying to run and the path that it was pointing to was in the Mozilla directory. McAfee was unable to quarantine or delete it (even though I went to another page and went to Privacy options and clicked the clear cache button) so I had to do it manually. The file was some type of javascript file (according to McAfee Virus Scan) but I could not see it for myself. McAfee was pointing to C:\Documents and Settings\UserName\Application Data\Phoenix\Profiles\default\9mwg5m76.slt\Cache\_CACHE_001_\somename.js

    I have also had one occasion where Firefox would start to download an executable file and ask me where I would like to save it. I just cancelled out of it, but nonetheless it was trying to download an exe file.

    My computer has been running slowly since then which makes me think that there may be some type of virus, trojan, or spyware running but McAfee virus scan and Spybot tell me different.

  6. Re:Semi-OT: Why are extensions not signed ? by Anonymous Coward · · Score: 1, Interesting

    I think it's around $200 for an ActiveX cert, not ridiculously expensive.

    But, others have pointed out, it would actually be better to create a signing authority at MozDev rather than have stuff signed by Joe Blow.

    what reasons does he have to sign it

    As Mozilla-based malware becomes more popular, Mozilla WILL have to change the install policy to require signed components. Just look at the path Microsoft took -- For IE3, signed ActiveX was optional, for IE4 it became required, and XP SP2 will have a bunch of other restrictions.

    If you want to install a plugin, just make sure you trust the provider

    "Trust, but Verify" -- without code signing, you can't do the latter part. Right now the evil doers could easily pretend to be Mozilla.org.