Can Mozilla-Based Browsers be Hijacked?

Chibi Merrow asks: "Matt Hartley in his latest GnomeReport speaks of supposed browser hijacker programs that are now targeting Mozilla FireFox instead of IE. While this is in a way cool (since that means the browser's now considered mainstream), it's also hard to believe. It doesn't help that his article is very light on details. Now there have been some discussion about spyware masquerading as valid extensions; but they require user intervention to install. Most people think of a browser hijack as something that automatically installs itself. Has anyone ever encountered an actual self installing browser hijacker/spyware program that has targeted Mozilla Firefox, or is this a bunch of FUD?"

No ActiveX

[colinramsay]

One of the reasons that IE is so susceptible to this sort of thing is because of ActiveX - an inherent security hole. While xpinstall is similar, it will always require clear user input to get the extension installed.

And lets not forget the obvious - IE6 is always going to be bad for this. Mozilla gets updated each and every day and has a regular release schedule.

I know who I'd rely on for the latest and greatest security tech.

Re:No ActiveX

[obeythefist]

There's always a risk that any application that's handling data, especially unclean internet data, can be the victim of a buffer overflow. Here's where the open source nature of Mozilla beats MSIE hands down, the code is open to scrutiny which means that someone somewhere has probably already looked after most of the exploits already. That's the theory, anyway.

Re:No ActiveX

[cookd]

That means nothing. In any computer product that is intended for use by non-computer-experts, the developer needs to keep this in mind: You cannot trust the end user to make good decisions regarding computer security.

Here is what I mean. My dad clicks on a link. The front page says "Click here to install the software necessary to view this web site." So he clicks. He gets a scary message, warning about potential viruses and trusting and digital signatures and stuff. None of it makes sense. Essentially, it gets translated into the following question:

Do you want to visit the web site? OK / Cancel.

XpInstall is just as vulnerable as ActiveX in this regard. People are dumb. Just like you don't care enough to read the full EULAs with all their legal mumbo-jumbo, most computer users won't really consider the warning.

And, by the way, ActiveX also requires an OK before installing, just like XPI. There are buffer overflows or cross-site scripting attacks that can bootstrap an attack without ActiveX (and to which Mozilla is just as vulnerable), but ActiveX itself doesn't offer any way to auto-install software without the user's agreement, unless the user changes the Internet Security settings.

ActiveX == Browser Plugins. Mozilla allows plugins, so there is NO difference.

IE gets updated whenever a security flaw is found. And the user is prompted to download the update. I don't get alerts when FireFox needs an update -- I go to the website once in a while. You tell me which method is more likely to keep my dad's computer secure.

Re:No ActiveX

[WIAKywbfatw]

And lets not forget the obvious - IE6 is always going to be bad for this. Mozilla gets updated each and every day and has a regular release schedule.

Let's get one thing straight: this sort of browser hijacking isn't aimed at defeating technically-minded people like you or I, it's aimed at non-technical users, such as friends and relatives we might have encouraged to switch away from Microsoft Internet Explorer, or people who've installed Mozilla Firefox from a magazine cover disc, etc.

For the most part, these non-technical users aren't going to be actively updating their software on a regular basis. They're not going to be looking out for potential security risks and their solutions because they thought that they were leaving all that behind when they switched over from MSIE. In all probability, many if not most of these users won't even know that they've been hijacked if and when that happens.

To suggest that browser hijacking doesn't have the potential to be a major problem for Mozilla users is rather short-sighted. Being dismissive about it is like adopting a "head in the sand" security policy, and no better than a "security through obscurity" one.

Re:No ActiveX

[Curtman]

• IE gets updated whenever a security flaw is found. And the user is prompted to download the update. I don't get alerts when FireFox needs an update -- I go to the website once in a while. You tell me which method is more likely to keep my dad's computer secure.

You're wrong. Mozilla, and Firefox both inform you about about updates. take a look at the URL 'about:config' and filter for 'update_notifications'. Unless you changed something, update_notifications.enabled will be set to true, and when a new version is released, you'll be brought to the moz homepage when a new version is available. You'll also see a setting there for frequency to check for updates, and a time of the last check.

Re:No ActiveX

[ccady]

ActiveX itself doesn't offer any way to auto-install software without the user's agreement, unless the user changes the Internet Security settings.

AFAIK Mozilla never allows you to auto-install without a warning.

IE gets updated whenever a security flaw is found.

B.S.

Re:No ActiveX

[4of12]

You cannot trust the end user to make good decisions regarding computer security.

You are so right.

It makes me think the better overall policy is to make flexible easy upgrades scarier.

But make the initial installation as capable as possible so most users won't ever feel a need to do an insecure upgrade.

In the Mozilla and FOSS world things are still not much better than in the Windows world as far as security is concerned. A lot of the current problems with Linux security policies are masked by a 1337 userbase, but widespread deployment could lead to problems like this.

Re:No ActiveX

[mhesseltine]

There's always a risk that any application that's handling data, especially unclean internet data, can be the victim of a buffer overflow. Here's where the open source nature of Mozilla beats MSIE hands down, the code is open to scrutiny which means that someone somewhere has probably already looked after most of the exploits already. That's the theory, anyway.

That's the theory. In practice, however, that still doesn't necessarily work. Look, for example, at the recent buffer overflow found in CVS, software that's been open since its inception and been around for a long time. Also, look at the latest problems with OpenSSH, again a package that has been around for quite a while, and one that people should be *very* security concious about.

While the idea that the code being open forces the bugs to be found and removed, that only works if someone with the skill to find the bug, and the willingness and skill to fix the bug does so.

Re:No ActiveX

[llefler]

There's always a risk that any application that's handling data, especially unclean internet data, can be the victim of a buffer overflow.

Insightful? Not even close. Buffer overflows aren't a given. They aren't a fact of life. Quite simply, all you have to do is simple bounds checking. If you allocate a 4k buffer, don't try to copy 6k to it. Buffer overflows are a 'feature' of C/C++. There are plenty of other languages that don't have that problem.

Unchecked buffers are the result of poor program design. No programmer, or company, should say that they are security conscious if they haven't done a code review and fixed them.

Re:No ActiveX

[rthille]

Your post made me think that the user prompt really needs to be: "Do you trust this website with full control over your computer?"
But the problem is with the browser. If the browser were designed to be able to per-domain sandbox even plugins (a shit load of work I know, and it would limit their functionality), then a user could install a plugin downloaded from a site, view that site, and all the plugin could do would be screw with the data from that site. I guess what I'm advocating is that plugins be written in java, or at least execute in a java-sandbox like environment.

IE is part of Windows

[Gary+Destruction]

That in of itself makes it more insecure. I mean, it uses Windows' SSL whereas Mozilla has its own SSL. It has Windows remember passwords whereas Mozilla has a password manager. Mozilla just being a stand alone app makes it safer in that regard. And even a recent exploit caused by an issue with file extension spoofing vulnerability was an issue only with IE. Mozilla still showed the file's name in its entirety.

Re:IE is part of Windows

Integration into the OS makes the scope of IE vulnerabilites larger, but it doesn't necessarily make IE less safe. Microsofts neglect towards known vulnerabilities is a problem, but a similar attitude would hit Mozilla just as hard.

An example: For a short time, several themers chose to distribute Mozilla skins in XPI form, because that allowed users to install them without additional files. The now preferred way of installing skins requires the help of a script, either in the browser (theme installer extension) or on a webpage. The latter method does not give skins access to JavaScript and is considered safe. XPIs can do a lot more: The installation process can run arbitrary code on the target system and even skins which are installed this way can later on access browser resources and relay them to an external attacker.

Re:IE is part of Windows

[Curtman]

• Why not just make a plugin that has an installer or a self-extract zip file or something of that nature?

Haha. That's exactly what they did do. To quote the manual:

An XPI file is nothing more than a ZIP file with its own installation script. Using a ZIP utility, you can archive the xfly directory and preserve the subdirectory structure so it's installed in the user's chrome directory as it is in your own. Make sure that the ZIP file, whatever it's called, contains the top-level xfly subdirectory as part of this structure. If it is a JAR file you are distributing for your package, make the JAR file (xfly.jar) the top level, with the content, skin, and locale directories contained within

Re:IE is part of Windows

[sql*kitten]

it uses Windows' SSL whereas Mozilla has its own SSL

Actually, this is exactly contrary to SSL philosophy. When asked "why doesn't SSL/SSH do such-and-such", developers reply that they want to concentrate on the crypto layer and other applications can use that layer to provide their own services (for example, sftp is layered on top of ssh, VNC uses ssh to provide its crypto, etc). So, there's one crypto system to maintain and patch, not two or even n.

It's Unix philosphy too, building useful things from small tools that do one thing well. The Mozilla people lost sight of that pure vision LONG ago, and reimplemented everything from scratch. Kinda missing the point of libraries altogether.

Re:IE is part of Windows

[Curtman]

Who ever said the packaging for ActiveX should be more complicated?

I love that bit where they say

• The .cab file format is a nonproprietary compression format, also known as MSZIP, that is based on the Lempel-Ziv data-compression algorithm. (Other compression formats might also be supported later.)

I'd hate to see what Microsoft considers to be proprietary, because .cab and 'MSZIP' would fit my definition pretty closely.

Re:IE is part of Windows

[Curtman]

First off, Mozilla does support signed components, and has for a long time.
And are you fucking kidding me? MSZIP? And you don't think that's proprietary? Lets take a stroll down memory lane:

• CAB History
• 
  
  In 1977, Abraham Lempel and Jacob Ziv devised and published a paper on their new compression method, LZ77. In 1982, James Storer and Thomas Szymarski released their LZSS variant. In the early 1980s, Microsoft required some form of data compression for their installation media to cut down on the number of disks needed to install MS-DOS and Microsoft Windows, so they took Haruhiko Okumura's implementation of LZSS. Their compressed files had a SZDD signature.
  
  In 1989, Phil Katz put the deflate method in the public domain. Microsoft started using the algorithm to compress their installation media. The signature changed to KWAJ.
  
  In the early 1990s, various people invented new forms of disk formatting for the IBM PC, increasing the amount of space on a disk despite the PC's inflexible floppy disk controller. Once again, Microsoft products were getting bigger and bigger, so Microsoft took one of these disk formats and called it DMF, or Windows formatted disks.
  
  For most of the early 1990s, Jonathan Forbes had been writing fast versions of LZH archivers on the Amiga. In 1995, he and Tomi Poutanen devised an LZH adaption known as LZX. Its main benefits beyond deflate were a compact way of encoding large match offsets, and ramping up the size of the LZ sliding window. Furthermore, their Amiga implementation included file merging (known as solid archiving in RAR), where file data was grouped into large blocks, instead of files being individually compressed. This file merging technique also appeared in other new archivers around that time. By coincidence, Microsoft devised a new installation media which used file merging! This time, they were cabinet files or CABs. They included two compression methods - MSZIP (aka deflate) and Quantum, a large-window LZ compressor using arithmetic coding, licensed from its author David Stafford.
  
  In 1997, Jonathan Forbes went to work for Microsoft. Soon enough, cabinet files started supporting a modified form of LZX. But finally, Microsoft published an official specification for cabinet files, MSZIP and LZX. They did not detail Quantum, and their LZX specification contained errors to such extent that it was not possible to create a working compressor or decompressor from the specification.
  
  In 2000, Stuart Caie embarked on writing a CAB unpacker for Dirk Stöcker's XAD system. He discovers all of the above, including the LZX specification errors, but eventually comes up with a working LZX extractor. Being a generous devil, and wanting help with the remaining Quantum extractor, he converts his XAD client into a command-line CAB decompressor. In 2002, Matthew Russotto kindly researches and writes the Quantum extractor.
  
  In 2003, Stuart Caie launches a new library designed to support all major Microsoft compression formats, called libmspack.

Now what definition of proprietary can you concoct to make MSZIP non-proprietary?

Yes, i've seen it

[Joff_NZ]

www.crack-locater.com tries to get you to install a couple of .xpi extensions into Mozilla... I naturally clicked "Cancel", so I couldn't tell you what they did...

Re:Yes, i've seen it

[Joff_NZ]

Yes, you're right.. it was a misspelling, the site in question is www.crack-locator.com
Guess I should have checked that

Re:Yes, i've seen it

[Curtman]

Hah, all I got was this.

Re:Yes, i've seen it

[gazbo]

Here we go: I manually downloaded and unpacked the XPI file, to see the JS installer and an exe. Here's what AVG had to say about it.

Semi-OT: Why are extensions not signed ?

[Wudbaer]

I love Firefox and Thunderbird. But everytime I install an extension I really wonder: Why does noone bother to sign their extensions ? As the browser complains that the extension is not signed a mechanism to do that must be there.

Re:Semi-OT: Why are extensions not signed ?

Signing extensions doesn't really help unless you have hierarchical or p2p trust relationships. Even then someone would have to identify bad code and revoke the trust relationship with the author.

Let's say I sign my extension with a private key named "George.Brampton@yahoo.com". How does that make you more confident that the extension is legit?

The only thing which signing would accomplish is making redistribution safer for people who actually check the signatures against the public keys on the authors website.

Re:Semi-OT: Why are extensions not signed ?

[ManxStef]

Surely you could get MozDev to be (one of) the top level Certificate Authority(s) though, seeing as it's already the main repository for plugins. Maybe XULPlanet and a few others too, along the same lines as the SSL cert. verification model. Establish some trusted bodies and give them the issuing responsibilities.

Get these bodies to issue a cert. to each project and provide a mechanism for signing code, then plug the above CA servers into Mozilla, Firefox, etc., write some checking code (displaying warnings for unsigned code, for example) then you're done :)
Not quite that easy in practice though, I guess?

Re:not enough users...

[Gary+Destruction]

IIS has a lower market share that Apache, yet it's attacked all the time. I think someone's trying to prove a point with the firefox extension malware.

Only thing I've seen...

[J'raxis]

I've only come across a couple of porn sites that try to install something using the XPI facility, but you get prompted to install it. It was amidst a rats' nest of other dialogs popping up (not "popup" windows, just dialogs asking me to install extensions to handle all kinds of exotic filetypes and JavaScript alert() boxes), so I almost missed it.

Re:Difference between Linux and Windows

[Gary+Destruction]

Theoretically, running as a non-privileged user on an NT-based system would prevent damage to system files or the registry. It would also prevent raw socket access which is only available to the administrator account. But most developers don't take the security into account and most people don't run 2000/XP as non-admin. O&O software is the first software maker I've seen that takes non-admin user accounts into consideration. They actually ask during setup who you want to have access to the program and its settings.

Not Just Windows anymore....

[keoghp]

It's interesting to note that these security hacks and loop holes are not just restricted to "windows".

As other OS's and app's become more popular we will see a rise in breaches and attempted breaches of these systems.

No matter if your an Admin of a "microsoft", "Sun", "Linux" system. Security should still be on your agenda regardless of system.

Re: E gets updated whenever a security flaw is fou

[orbman]

Take a look at
http://www.safecenter.net/UMBRELLAWEBV4/ie_unp atch ed/index.html
http://pivx.com/larholm/unpatched/
http://www.malware.com/index2.html
http://www.ee ye.com/html/Research/Upcoming/index.h tml
http://www.guninski.com/browsers.html

And for Mozilla, see
http://bugzilla.mozilla.org/
(search for "security" and sort by Severity)

How many bugs of type "silent delivery & execution of code" can you find for MS IE? How many in for Mozilla?

What's really funny....

[Fuzzle]

Is that I submitted a story about a website trying to install mal-ware through Mozilla 2 months ago, and it never got published. While I'm not trying to bitch about the editors, because it probably didn't seem that important, it's hilarious that now because someone has written "an article", which appears to be rambling, it's a large issue. Oh bla di.

Wow, talk about timing!

[GeckoX]

OK, well, AVG on my main system was screaming at me this morning, found a trojan browser-hijacker.

So what right?
Well, I haven't had a virus in _years_ now, AND, (here's the kicker), I do NOT run IE, EVER. Firefox exclusively and previous incarnations for years previous.

And no, it most deffinately did not come in through email.

So apparently, the article is correct.

(As well, I NEVER click ok or the like unless I KNOW i initiated installation of something myself, and I haven't seen anything like that anyways in the past few weeks.)

I'd love some more details and a patch ;)

OS dependancy?

[polyp2000]

Im sure if one hacks around hard enough a security hole can be found in any browser. I'd like to hope the non-bloat nature of Mozilla and its open-source goodness would ensure to an extent that its inherently very secure, and that potential holes are fixed rapidly. However I think that one also has to take into account the operating system the browser is running on and whether any Mozilla exploits are dangerous accross different platforms. My guess is that though Mozilla is enjoying a good market share at the moment, any exploits that may arise are going to target the operating system, in most cases that will be Windows. Its pretty dificult to run arbitrary code on linux or OSX without being very stupid.

Even so, using Mozilla on windows is a sensible thing to do from a security perspective since it provides another layer of security. IE, is so tied into the OS in this regard, but Mozilla is more of a seperate entity.

nick ..

I've seen it

[alatesystems]

I saw one xpi try to install on cracks.am. I was happy and mad at the same time. It's mainstream!!!

Chris

Related info

[eyepeepackets]

I run Opera (IDs as IE) on a Slackware-based IBM laptop. Here is today's hijack string my Opera user got in his shell as I was browsing sites for heat pipes from a Google search:

Warning: Actions not found: addBookmark, viewBookmark, copy, undefined-key, find, findAgain, history, loadImages, openURL, mailNew, new, openFile, print, exit, reload, saveAs, paste, delete, cut, undo, historyItem, back, forward, abort, PageUp, PageDown

Didn't bother to determine which site did this as it doesn't bother me, but it was interesting to see.

Not necessarily

[nes11]

"While this is in a way cool (since that means the browser's now considered mainstream)"

actually it just means that hackers are finally starting to realize that people using IE rarely have data worth accessing. If someone's using FireFox, chances are they're bright enough to have some cool data.

On our webserver, we're only getting about 1.5% of 50,000 hits per day that our Firebird/Firefox, so it's still far from mainstream.

If it has user input and output ...

[Jahf]

Any program that is complex enough to have user input and system/user output is going to be possibly exploitable.

So yes, I believe it may be possible to exploit Mozilla.

But I also believe that the exploit will be known almost as soon as it hits the streets rather than being kept quiet until the devs get around to fixing it.

And if the devs don't quickly fix it I trust that the community will, because it is in their own interests.

The last 2 paragraphs are because Mozilla is open, IE is closed, plain and simple.

Not to mention that I don't believe that Mozilla is -as- vulnerable to exploits as IE nor will such exploits be as serious due to purposeful lack of OS integration.

Re:Difference between Linux and Windows

[mikehoskins]

And then there is the issue of NTFS vs. FAT-32. With FAT-based filesystems, even on NT/2000/XP, everything runs as root. On NTFS-based filesystems, there is something of a security layer.

The next time you see a bootable C:\ drive formatted to FAT-32, note this: The OS, IE, and most apps are unprotected and can be compromised. In other words, in this configuration, IE is STILL running as root/administrator.

It's very odd that for backward compatibility reasons that M$ chose to leave FAT-32 insecure and that a file system can make an app insecure. This is most certainly not how Unix/Linux native filesystems behave.

Now why do people have FAT-32 on their bootup partitions on NT-based filesystems? Simple: It makes it really easy to image and to backup/resore to/from lots of software -- even old imaging and backup/restore apps based on non-NT OSes work with FAT-32. You could, in effect, use Windows 98/Me to image a bunch of NT/2000/XP machines in this configuration.

For example, the company I work for bought a COMPAQ desktop machine preloaded with XP. It came with a single partion (C:\) that was bootable and was formatted with FAT-32.

So, do you plan to buy that new NT-based operating system preinstalled? You had better check to see if any of your partitions that run software or store data use FAT-32.

Fortunately, there is a built-in utility to convert from FAT-32 to NTFS:

C:\WINNT\system32>convert /?
Converts FAT volumes to NTFS.

CONVERT volume /FS:NTFS [/V]

volume Specifies the drive letter (followed by a colon),
mount point, or volume name.
/FS:NTFS Specifies that the volume to be converted to NTFS.
/V Specifies that Convert should be run in verbose mode.

C:\WINNT\system32>

Re:Please learn how to make links.

[John+Harrison]

The problem is that /. mangles URLs by randomly inserting spaces, so it is considered good etiquette to input links as HTML.

Re: E gets updated whenever a security flaw is fou

[cookd]

So what you're saying is:

Check all of these 3rd-party sites that I have chosen which list a bunch of security holes for Explorer. How evil! Now check a specific query that I have chosen. See! No bugs!

Well, duh. If you get to pick the evidence, you can prove whatever you want. I'll try my hand at this game. Try this page. 9 serious security issues in the November 2003 update. And I was even nice and kept it on Mozilla's own site. These are the vulnerabilities that were fixed in the last release. Good job, but that isn't any better than the IE story.

BTW, I wasn't very impressed with the vulnerabilities on the pages you linked to. Some of them are "vulnerabilities that must be executed in the My Computer domain" (um, the My Computer domain means you are a program on the local computer, so how is that a vulnerability?), others that exploit holes in 3rd party plugins, and others that require the user to click OK a couple of times. I'm really not sure how you can consider any of those as real problems with IE. Sure, they're opportunities for social engineering, but those aren't security flaws any more than any other program that allows you to download code from the Internet. Yep -- FTP is an insecure program, because if you type "GET program.exe", then double click on program.exe, it runs code on your computer!

The ones that actually seem to be dangerous and due to actual problems with Explorer and not false alarms or 3rd-party issues, well they don't seemt to work very well. Perhaps they've been patched?

Honestly, I use both IE and FireFox. They both have pros and cons. They both have security issues. But neither one has a clear advantage in terms of security. Hackers are creative, and they come up with new attacks every day. No code is perfect, but it seems that everybody is doing the best they can do.