Can Mozilla-Based Browsers be Hijacked?

Chibi Merrow asks: "Matt Hartley in his latest GnomeReport speaks of supposed browser hijacker programs that are now targeting Mozilla FireFox instead of IE. While this is in a way cool (since that means the browser's now considered mainstream), it's also hard to believe. It doesn't help that his article is very light on details. Now there have been some discussion about spyware masquerading as valid extensions; but they require user intervention to install. Most people think of a browser hijack as something that automatically installs itself. Has anyone ever encountered an actual self installing browser hijacker/spyware program that has targeted Mozilla Firefox, or is this a bunch of FUD?"

Yes, i've seen it

[Joff_NZ]

www.crack-locater.com tries to get you to install a couple of .xpi extensions into Mozilla... I naturally clicked "Cancel", so I couldn't tell you what they did...

Re:Yes, i've seen it

[Joff_NZ]

Yes, you're right.. it was a misspelling, the site in question is www.crack-locator.com
Guess I should have checked that

Re:Yes, i've seen it

[gazbo]

Here we go: I manually downloaded and unpacked the XPI file, to see the JS installer and an exe. Here's what AVG had to say about it.

Semi-OT: Why are extensions not signed ?

[Wudbaer]

I love Firefox and Thunderbird. But everytime I install an extension I really wonder: Why does noone bother to sign their extensions ? As the browser complains that the extension is not signed a mechanism to do that must be there.

Re:IE is part of Windows

Integration into the OS makes the scope of IE vulnerabilites larger, but it doesn't necessarily make IE less safe. Microsofts neglect towards known vulnerabilities is a problem, but a similar attitude would hit Mozilla just as hard.

An example: For a short time, several themers chose to distribute Mozilla skins in XPI form, because that allowed users to install them without additional files. The now preferred way of installing skins requires the help of a script, either in the browser (theme installer extension) or on a webpage. The latter method does not give skins access to JavaScript and is considered safe. XPIs can do a lot more: The installation process can run arbitrary code on the target system and even skins which are installed this way can later on access browser resources and relay them to an external attacker.

Re:No ActiveX

[cookd]

That means nothing. In any computer product that is intended for use by non-computer-experts, the developer needs to keep this in mind: You cannot trust the end user to make good decisions regarding computer security.

Here is what I mean. My dad clicks on a link. The front page says "Click here to install the software necessary to view this web site." So he clicks. He gets a scary message, warning about potential viruses and trusting and digital signatures and stuff. None of it makes sense. Essentially, it gets translated into the following question:

Do you want to visit the web site? OK / Cancel.

XpInstall is just as vulnerable as ActiveX in this regard. People are dumb. Just like you don't care enough to read the full EULAs with all their legal mumbo-jumbo, most computer users won't really consider the warning.

And, by the way, ActiveX also requires an OK before installing, just like XPI. There are buffer overflows or cross-site scripting attacks that can bootstrap an attack without ActiveX (and to which Mozilla is just as vulnerable), but ActiveX itself doesn't offer any way to auto-install software without the user's agreement, unless the user changes the Internet Security settings.

ActiveX == Browser Plugins. Mozilla allows plugins, so there is NO difference.

IE gets updated whenever a security flaw is found. And the user is prompted to download the update. I don't get alerts when FireFox needs an update -- I go to the website once in a while. You tell me which method is more likely to keep my dad's computer secure.