Slashdot Mirror


Can Mozilla-Based Browsers be Hijacked?

Chibi Merrow asks: "Matt Hartley in his latest GnomeReport speaks of supposed browser hijacker programs that are now targeting Mozilla FireFox instead of IE. While this is in a way cool (since that means the browser's now considered mainstream), it's also hard to believe. It doesn't help that his article is very light on details. Now there has been some discussion about spyware masquerading as valid extensions, but they require user intervention to install. Most people think of a browser hijack as something that automatically installs itself. Has anyone ever encountered an actual self-installing browser hijacker/spyware program that has targeted Mozilla Firefox, or is this a bunch of FUD?"


  1. Re:No ActiveX by obeythefist · · Score: 3, Insightful

    There's always a risk that any application that's handling data, especially unclean internet data, can be the victim of a buffer overflow. Here's where the open source nature of Mozilla beats MSIE hands down, the code is open to scrutiny which means that someone somewhere has probably already looked after most of the exploits already. That's the theory, anyway.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
  2. IE is part of Windows by Gary+Destruction · · Score: 4, Informative

    That in and of itself makes it more insecure. I mean, it uses Windows' SSL whereas Mozilla has its own SSL. It has Windows remember passwords whereas Mozilla has a password manager. Mozilla just being a standalone app makes it safer in that regard. And even a recent exploit caused by an issue with file extension spoofing vulnerability was an issue only with IE. Mozilla still showed the file's name in its entirety.

    1. Re:IE is part of Windows by Anonymous Coward · · Score: 5, Insightful

      Integration into the OS makes the scope of IE vulnerabilities larger, but it doesn't necessarily make IE less safe. Microsoft's neglect towards known vulnerabilities is a problem, but a similar attitude would hit Mozilla just as hard.

      An example: For a short time, several themers chose to distribute Mozilla skins in XPI form, because that allowed users to install them without additional files. The now preferred way of installing skins requires the help of a script, either in the browser (theme installer extension) or on a webpage. The latter method does not give skins access to JavaScript and is considered safe. XPIs can do a lot more: The installation process can run arbitrary code on the target system and even skins which are installed this way can later on access browser resources and relay them to an external attacker.

    2. Re:IE is part of Windows by Curtman · · Score: 3, Informative
      • Why not just make a plugin that has an installer or a self-extract zip file or something of that nature?


      Haha. That's exactly what they did do. To quote the manual:

      An XPI file is nothing more than a ZIP file with its own installation script. Using a ZIP utility, you can archive the xfly directory and preserve the subdirectory structure so it's installed in the user's chrome directory as it is in your own. Make sure that the ZIP file, whatever it's called, contains the top-level xfly subdirectory as part of this structure. If it is a JAR file you are distributing for your package, make the JAR file (xfly.jar) the top level, with the content, skin, and locale directories contained within
    3. Re:IE is part of Windows by sql*kitten · · Score: 3, Interesting

      it uses Windows' SSL whereas Mozilla has its own SSL

      Actually, this is exactly contrary to SSL philosophy. When asked "why doesn't SSL/SSH do such-and-such", developers reply that they want to concentrate on the crypto layer and other applications can use that layer to provide their own services (for example, sftp is layered on top of ssh, VNC uses ssh to provide its crypto, etc). So, there's one crypto system to maintain and patch, not two or even n.

      It's Unix philosophy too, building useful things from small tools that do one thing well. The Mozilla people lost sight of that pure vision LONG ago, and reimplemented everything from scratch. Kinda missing the point of libraries altogether.

  3. Yes, i've seen it by Joff_NZ · · Score: 5, Informative

    www.crack-locater.com tries to get you to install a couple of .xpi extensions into Mozilla... I naturally clicked "Cancel", so I couldn't tell you what they did...

    --
    The revolution will not be televised. It won't be on a friggin blog either
    1. Re:Yes, i've seen it by Joff_NZ · · Score: 5, Informative

      Yes, you're right.. it was a misspelling, the site in question is www.crack-locator.com
      Guess I should have checked that

      --
      The revolution will not be televised. It won't be on a friggin blog either
    2. Re:Yes, i've seen it by gazbo · · Score: 5, Informative

      Here we go: I manually downloaded and unpacked the XPI file, to see the JS installer and an exe. Here's what AVG had to say about it.
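
Added example (not from the thread or from any poster): since an XPI is a ZIP archive carrying its own installation script, as the manual quoted earlier in the thread says, the unpack-and-look check described in the comment above can be done by listing the archive's members without extracting or running anything. The function names, the extension list and the in-memory sample archives below are constructed for illustration.

```python
import io
import zipfile

# Assumed list of native file types a skin-only package should not need.
NATIVE_EXTS = (".exe", ".dll", ".so", ".dylib", ".bat", ".cmd", ".scr")

def audit_xpi(data: bytes) -> dict:
    """List an XPI's members without extracting or running anything."""
    report = {"install_script": False, "native": [], "scripts": [], "unsafe_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            name, lower = info.filename, info.filename.lower()
            parts = name.replace("\\", "/").split("/")
            # Paths that would escape the target directory if extracted naively.
            if name.startswith(("/", "\\")) or ".." in parts:
                report["unsafe_paths"].append(name)
            # install.js at the archive root is the XPInstall script.
            if lower == "install.js":
                report["install_script"] = True
            elif lower.endswith(".js"):
                report["scripts"].append(name)
            # Trust neither the extension nor the content alone: also check
            # the first two bytes for the PE/DOS magic "MZ".
            with xpi.open(info) as member:
                magic = member.read(2)
            if lower.endswith(NATIVE_EXTS) or magic == b"MZ":
                report["native"].append(name)
    return report

def build_sample(members: dict) -> bytes:
    """Build a constructed in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed samples, not real extensions.
SUSPICIOUS = build_sample({
    "install.js": b"// constructed placeholder install script\n",
    "payload.dat": b"MZ\x90\x00 constructed stub, not a real program",
    "setup.exe": b"MZ constructed stub",
})
SKIN_ONLY = build_sample({"xfly.jar": b"PK constructed", "skin/classic.css": b"a{}"})

if __name__ == "__main__":
    for sample in (SUSPICIOUS, SKIN_ONLY):
        print(audit_xpi(sample))
```

A package that claims to be a skin but reports an install script plus native files is the combination the thread describes; `payload.dat` shows why the magic-byte check matters when the extension is disguised.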

  4. Semi-OT: Why are extensions not signed ? by Wudbaer · · Score: 5, Insightful

    I love Firefox and Thunderbird. But every time I install an extension I really wonder: Why does no one bother to sign their extensions? As the browser complains that the extension is not signed, a mechanism to do that must be there.

    1. Re:Semi-OT: Why are extensions not signed ? by ManxStef · · Score: 4, Insightful

      Surely you could get MozDev to be (one of) the top level Certificate Authority(s) though, seeing as it's already the main repository for plugins. Maybe XULPlanet and a few others too, along the same lines as the SSL cert. verification model. Establish some trusted bodies and give them the issuing responsibilities.

      Get these bodies to issue a cert. to each project and provide a mechanism for signing code, then plug the above CA servers into Mozilla, Firefox, etc., write some checking code (displaying warnings for unsigned code, for example) then you're done :)
      Not quite that easy in practice though, I guess?

  5. Re:No ActiveX by cookd · · Score: 5, Insightful

    That means nothing. In any computer product that is intended for use by non-computer-experts, the developer needs to keep this in mind: You cannot trust the end user to make good decisions regarding computer security.

    Here is what I mean. My dad clicks on a link. The front page says "Click here to install the software necessary to view this web site." So he clicks. He gets a scary message, warning about potential viruses and trusting and digital signatures and stuff. None of it makes sense. Essentially, it gets translated into the following question:

    Do you want to visit the web site? OK / Cancel.

    XpInstall is just as vulnerable as ActiveX in this regard. People are dumb. Just like you don't care enough to read the full EULAs with all their legal mumbo-jumbo, most computer users won't really consider the warning.

    And, by the way, ActiveX also requires an OK before installing, just like XPI. There are buffer overflows or cross-site scripting attacks that can bootstrap an attack without ActiveX (and to which Mozilla is just as vulnerable), but ActiveX itself doesn't offer any way to auto-install software without the user's agreement, unless the user changes the Internet Security settings.

    ActiveX == Browser Plugins. Mozilla allows plugins, so there is NO difference.

    IE gets updated whenever a security flaw is found. And the user is prompted to download the update. I don't get alerts when FireFox needs an update -- I go to the website once in a while. You tell me which method is more likely to keep my dad's computer secure.

    --
    Time flies like an arrow. Fruit flies like a banana.
  6. Only thing I've seen... by J'raxis · · Score: 4, Informative

    I've only come across a couple of porn sites that try to install something using the XPI facility, but you get prompted to install it. It was amidst a rats' nest of other dialogs popping up (not "popup" windows, just dialogs asking me to install extensions to handle all kinds of exotic filetypes and JavaScript alert() boxes), so I almost missed it.

  7. Re:Difference between Linux and Windows by Gary+Destruction · · Score: 3, Informative

    Theoretically, running as a non-privileged user on an NT-based system would prevent damage to system files or the registry. It would also prevent raw socket access which is only available to the administrator account. But most developers don't take the security into account and most people don't run 2000/XP as non-admin. O&O software is the first software maker I've seen that takes non-admin user accounts into consideration. They actually ask during setup who you want to have access to the program and its settings.

  8. Re:No ActiveX by WIAKywbfatw · · Score: 4, Insightful

    And let's not forget the obvious - IE6 is always going to be bad for this. Mozilla gets updated each and every day and has a regular release schedule.

    Let's get one thing straight: this sort of browser hijacking isn't aimed at defeating technically-minded people like you or I, it's aimed at non-technical users, such as friends and relatives we might have encouraged to switch away from Microsoft Internet Explorer, or people who've installed Mozilla Firefox from a magazine cover disc, etc.

    For the most part, these non-technical users aren't going to be actively updating their software on a regular basis. They're not going to be looking out for potential security risks and their solutions because they thought that they were leaving all that behind when they switched over from MSIE. In all probability, many if not most of these users won't even know that they've been hijacked if and when that happens.

    To suggest that browser hijacking doesn't have the potential to be a major problem for Mozilla users is rather short-sighted. Being dismissive about it is like adopting a "head in the sand" security policy, and no better than a "security through obscurity" one.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  9. Re: E gets updated whenever a security flaw is fou by orbman · · Score: 3, Informative

    Take a look at
    http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/index.html
    http://pivx.com/larholm/unpatched/
    http://www.malware.com/index2.html
    http://www.eeye.com/html/Research/Upcoming/index.html
    http://www.guninski.com/browsers.html

    And for Mozilla, see
    http://bugzilla.mozilla.org/
    (search for "security" and sort by Severity)

    How many bugs of type "silent delivery & execution of code" can you find for MS IE? How many for Mozilla?

  10. Re:No ActiveX by ccady · · Score: 3, Informative

    ActiveX itself doesn't offer any way to auto-install software without the user's agreement, unless the user changes the Internet Security settings.

    AFAIK Mozilla never allows you to auto-install without a warning.

    IE gets updated whenever a security flaw is found.

    B.S.

    --
    J'aime mieux les méchants que les imbéciles, parce qu'ils se reposent. -- Alexandre Dumas
  11. Wow, talk about timing! by GeckoX · · Score: 3, Informative

    OK, well, AVG on my main system was screaming at me this morning, found a trojan browser-hijacker.

    So what, right?
    Well, I haven't had a virus in _years_ now, AND, (here's the kicker), I do NOT run IE, EVER. Firefox exclusively and previous incarnations for years previous.

    And no, it most definitely did not come in through email.

    So apparently, the article is correct.

    (As well, I NEVER click ok or the like unless I KNOW I initiated installation of something myself, and I haven't seen anything like that anyways in the past few weeks.)

    I'd love some more details and a patch ;)

    --
    No Comment.
  12. Related info by eyepeepackets · · Score: 3, Informative

    I run Opera (IDs as IE) on a Slackware-based IBM laptop. Here is today's hijack string my Opera user got in his shell as I was browsing sites for heat pipes from a Google search:

    Warning: Actions not found: addBookmark, viewBookmark, copy, undefined-key, find, findAgain, history, loadImages, openURL, mailNew, new, openFile, print, exit, reload, saveAs, paste, delete, cut, undo, historyItem, back, forward, abort, PageUp, PageDown

    Didn't bother to determine which site did this as it doesn't bother me, but it was interesting to see.

    --
    Everything in the Universe sucks: It's the law!
  13. Not necessarily by nes11 · · Score: 3, Insightful

    "While this is in a way cool (since that means the browser's now considered mainstream)"

    actually it just means that hackers are finally starting to realize that people using IE rarely have data worth accessing. If someone's using FireFox, chances are they're bright enough to have some cool data.

    On our webserver, we're only getting about 1.5% of 50,000 hits per day that are Firebird/Firefox, so it's still far from mainstream.

  14. If it has user input and output ... by Jahf · · Score: 3, Insightful

    Any program that is complex enough to have user input and system/user output is going to be possibly exploitable.

    So yes, I believe it may be possible to exploit Mozilla.

    But I also believe that the exploit will be known almost as soon as it hits the streets rather than being kept quiet until the devs get around to fixing it.

    And if the devs don't quickly fix it I trust that the community will, because it is in their own interests.

    The last 2 paragraphs are because Mozilla is open, IE is closed, plain and simple.

    Not to mention that I don't believe that Mozilla is -as- vulnerable to exploits as IE nor will such exploits be as serious due to purposeful lack of OS integration.

    --
    It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
  15. Re:No ActiveX by mhesseltine · · Score: 3, Insightful
    There's always a risk that any application that's handling data, especially unclean internet data, can be the victim of a buffer overflow. Here's where the open source nature of Mozilla beats MSIE hands down, the code is open to scrutiny which means that someone somewhere has probably already looked after most of the exploits already. That's the theory, anyway.

    That's the theory. In practice, however, that still doesn't necessarily work. Look, for example, at the recent buffer overflow found in CVS, software that's been open since its inception and been around for a long time. Also, look at the latest problems with OpenSSH, again a package that has been around for quite a while, and one that people should be *very* security conscious about.

    While the idea that the code being open forces the bugs to be found and removed, that only works if someone with the skill to find the bug, and the willingness and skill to fix the bug does so.

    --
    Overrated / Underrated : Moderation :: Anonymous Coward : Posting