Slashdot Mirror


Mozilla Developers Respond to Malware

An anonymous reader writes "Last week's well-publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."

29 of 429 comments

  1. not so fast of a fix by true_majik · · Score: 3, Informative

    Wasn't this bug known for a while and was just recently issued a fix?

    1. Re:not so fast of a fix by it0 · · Score: 5, Informative

      Wasn't it also that it was a shell bug in win2k/xp that actually only was an OS bug, that MS didn't fix, so they eventually did it?

    2. Re:not so fast of a fix by ZZeta · · Score: 3, Informative

      Not really.

      A report had been out for a while detailing some improvements that could have prevented that vulnerability. However, the bug itself wasn't exploited until one day before the patch was released.

    3. Re:not so fast of a fix by ViolentGreen · · Score: 2, Informative

      It was fixed. Fixed with bubblegum as an extension.

      The fix was also not easy to find. It was not (and still isn't) listed on the firefox homepage.

      --
      Not everything is analogous to cars. Car analogies rarely work.
    4. Re:not so fast of a fix by Diabolical · · Score: 4, Informative

      Why is this modded interesting?

      First of all, it wasn't a bug at all, it was a problem in Windows' URI handler. Mozilla merely redirected unknown URIs to this handler as it was expected. The "bug" the op mentions was a discussion about whether this feature was safe or not.

      When it turned out that it wasn't safe, the Mozilla team was very quick to solve it.

      Very simple solution by the way, just turn the redirect off... now the user has to explicitly consent to this action instead of automagical launching of apps.

      By the way, this feature was a MS one, not Mozilla's idea. Recent bugs in the MS product family are actually the same. Just an exploit of the URI handling of Windows.

    5. Re:not so fast of a fix by thenextpresident · · Score: 2, Informative

      And considering it's a bug in Windows, it's still not fixed.

      --
      Jason Lotito
    6. Re:not so fast of a fix by Anonymous Coward · · Score: 5, Informative

      Wrong, a generic bug about potentially hazardous protocol handlers was opened in 2002, and a framework for dealing with them was created.

      The specific shell: protocol was pointed out as maybe dangerous one day before it was fixed (with just a configuration change, because that framework was already there).

      Very quickly fixed.

    7. Re:not so fast of a fix by EulerX07 · · Score: 4, Informative

      Want to know what the best part is?

      The original poster was right, and your uninformed bash at his comment caused the truth to be modded down. Maybe he doesn't like Microsoft, but even paranoid people get it right sometimes.

      You may want to read this interesting article. In it, you'll find that this "shell bug" he's talking about is exactly what the Mozilla bug was, and that it also affects Word and MSN Messenger.

      Sorry to burst your bubble. And technically MS didn't fix it yet, they just disabled ADODB.Stream until they do.

    8. Re:not so fast of a fix by KevinKnSC · · Score: 3, Informative
      The 'bug report' opened at Mozilla in 2002 was essentially trying to deal with the way Mozilla handles unknown protocols. The normal way was just to pass them to the OS.

      Did you even read the bug report? The link is:

      http://bugzilla.mozilla.org/show_bug.cgi?id=1674 75 (you have to copy/paste and strip out the extra space, they disable links from /.)

      Look at comment #11, which links to a duplicate bug. It was known in October of 2002 that it was possible for certain HTML to launch code locally. Yes, this was a result of passing unknown protocols to the operating system, which then handled them in an irresponsible manner. That doesn't change the fact that the Mozilla team just kept on trusting the OS to do the right thing. If they had allowed HTML like <img src="del c:\*.*"> to get through to Windows, would you also write that off as a bug in the OS?

    9. Re:not so fast of a fix by KevinKnSC · · Score: 2, Informative

      On the Windows side of things, part of it (handling of the hcp:// protocol) was quietly patched with SP1, although too many protocol handlers are still allowed to do crazy things. While I agree completely that the root cause of this bug is in Windows (you see that, whoever modded me flamebait?), I don't think that really excuses the Mozilla folks. In October of 2002, according to bugzilla, it was known that unsafe protocols were being passed to an OS that couldn't be trusted to handle them safely. Their solution was to put in a blacklist, which by definition only covers the bad protocol handlers they knew about, and waited until last week to put something in place that actually fixed the problem.

    10. Re:not so fast of a fix by _xeno_ · · Score: 4, Informative
      As many people have mentioned, this bug was found two years ago.

      Since Mozilla doesn't like people on Slashdot being able to trash-talk their browser by linking to bug reports, you'll have to copy the links to actually visit them, but:

      2002-08-20 - http://bugzilla.mozilla.org/show_bug.cgi?id=163767 - root of all these bugs, Mozilla passes unknown protocols to Windows
      2002-08-20 - http://bugzilla.mozilla.org/show_bug.cgi?id=163648 - same bug, specifically could launch IE and allow the execution of VBScript (possibly in the local security zone)
      2002-10-03 - http://bugzilla.mozilla.org/show_bug.cgi?id=172498 - same bug, hcp: protocol could delete any file on your computer (wildcards allowed)
      2002-10-07 - http://bugzilla.mozilla.org/show_bug.cgi?id=173010 - requested a whitelist to avoid future instances of the same bug

      This bug has been known about for two years. It still hasn't been fixed. When SP2 adds the "delete:" protocol or similar, then Mozilla is going to be vulnerable to that, too. And it looks like the developers have decided not to bother fixing it.

      This isn't a triumph of open source - it's an example of how open source falls prey to exactly the same problems closed source does. Except publicly, so you can point to these discussions to demonstrate that they knew about the issues for two years.

      --
      You are in a maze of twisty little relative jumps, all alike.
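
Added example (not part of the thread and not Mozilla's code): the blacklist-versus-whitelist point argued in the two comments above, as a sketch of the decision a browser makes before handing a URI to the OS. The scheme lists, the function names, the "prompt" outcome and the `newscheme:` handler are all assumptions constructed for illustration.

```javascript
// Added illustration; not Mozilla's code. All scheme lists are constructed.
const INTERNAL = new Set(["http", "https", "ftp", "about"]); // handled in-browser
const BLOCKED = new Set(["shell", "hcp", "vbscript"]);       // known bad when the list was written
const ALLOWED = new Set(["mailto", "news"]);                 // reviewed, safe to hand to the OS

// Scheme per RFC 3986 (ALPHA followed by ALPHA / DIGIT / "+" / "-" / "."),
// lower-cased so "SHELL:" and "shell:" hit the same list entry.
function schemeOf(uri) {
  const m = /^\s*([A-Za-z][A-Za-z0-9+.-]*):/.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Returns "internal", "external" (hand to the OS), "prompt" or "deny".
function decide(uri, policy) {
  const scheme = schemeOf(uri);
  if (scheme === null) return "deny";
  if (INTERNAL.has(scheme)) return "internal";
  if (BLOCKED.has(scheme)) return "deny";
  if (policy === "blocklist") return "external"; // anything not yet known bad goes out
  return ALLOWED.has(scheme) ? "external" : "prompt"; // allowlist: unknown needs consent
}

// Constructed, inert sample URIs. "newscheme" stands for a handler the OS
// gained after the blocklist was written.
const SAMPLES = [
  "http://example.com/",
  "mailto:user@example.com",
  "SHELL:constructed-sample",
  "newscheme:constructed-sample",
];

// One row per URI showing the outcome under each policy.
function compare(uris) {
  return uris.map((u) => ({
    uri: u,
    blocklist: decide(u, "blocklist"),
    allowlist: decide(u, "allowlist"),
  }));
}

console.table(compare(SAMPLES));
```

The last row is the case the comments argue over: the blocklist policy passes the unlisted scheme straight to the OS, while the allowlist policy stops and asks the user.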
    11. Re:not so fast of a fix by dveditz · · Score: 2, Informative
      Since Mozilla doesn't like people on Slashdot being able to trash-talk their browser by linking to bug reports [...]

      Links are blocked simply to prevent slashdotting the server. Anyone curious enough to copy/paste the link is welcome to come by, and raising the bar that little bit keeps work from grinding to a halt every time a story mentions a Mozilla bug.

      That said, please keep unproductive trash-talk out of bug reports. Discussions and rants belong in our newsgroups.

  2. IE by shackma2 · · Score: 5, Informative
    It wasn't just Mozilla Firefox and the like.

    Some Microsoft products were affected also.

  3. Misleading by sepluv · · Score: 4, Informative
    reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware)
    I would like to point out that this is slightly misleading (as it implies Mozilla had a security flaw before the fix), because, even before the whitelist fix was added, you had to do the following to get infected by any malware:
    1. Enable Javascript
    2. Enable install from XPI locally and globally
    3. Click on a Javascript link on a WWW page (which would be shown in status bar) (N.B. Mozilla does not execute XPI-related JS automatically--the user must have clicked the link)
    4. Wait a few seconds while watching a very large uncancellable dialog box saying "A website is requesting permission to install the following item", giving full details of the program it is installing (including its signatures in big red letters, its name and its URI), and saying in big bold letters, "Malicious software can damage your computer or violate your privacy. You can only install software from source you can trust."
    5. After waiting a few seconds, you then had to press a button labelled "install now".
    I'm guessing that even some ex-MSIE users might not go through all that on the request of a malicious WWW site they have found.

    I digress.

    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]
    1. Re:Misleading by Val314 · · Score: 2, Informative

      The user didn't have to click; there is a thread in MozillaZine about a page that showed (it's now something different) the Install me dialog over and over again until the user clicks "Install". This will be fixed in 1.0 (and is already in the current nightly), but this was just as scary as those ActiveX horrors on some pages (and again: thanks Mozilla for fixing that stuff as fast as they do).

  4. Re:Mozilla "innovation" reaches new low? by sepluv · · Score: 2, Informative
    Yet, a base Mozilla 1.7 downloaded right after release will have this issue for a very long time
    NO, because Firefox (and I think also Mozilla) now has a function to automatically download new versions or security fixes.

    Also please note the steps one had to take to get infected by malware before the fix (whitelisting domains):

    reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware)
    I would like to point out that this is slightly misleading (as it implies Mozilla had a security flaw before the fix), because, even before the whitelist fix was added, you had to do the following to get infected by any malware:
    1. Enable Javascript (enabled by default)
    2. Enable install from XPI locally and globally (enabled by default??)
    3. Click on a Javascript link on a WWW page (which would be shown in status bar) (N.B. Mozilla does not execute XPI-related JS automatically--the user must have clicked the link)
    4. Wait a few seconds while watching a very large uncancellable dialog box saying "A website is requesting permission to install the following item", giving full details of the program it is installing (including its signatures in big red letters, its name and its URI), and saying in big bold letters, "Malicious software can damage your computer or violate your privacy. You can only install software from source you can trust."
    5. After waiting a few seconds, you then had to press a button labelled "install now".
    I'm guessing that even some ex-MSIE users might not go through all that on the request of a malicious WWW site they have found.

    I digress.

    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]
  5. Re:Just to clear some things up... by bob670 · · Score: 2, Informative
    So true, it was the Ballmer contention that they were "betting the company" on Windows 2000 and then releasing it with security and stability issues that pretty much squandered what faith I had left in MS. I firmly believe that if the codebase of Windows ME had been even slightly more stable than it was that it would still be in favor. It was better looking than 9x, supported newer hardware features better and was still less bloated than XP by a long shot, too bad it suffered from so many stability issues for so many people.

    Of course, you could take those lumbering ME boxes and put Mandrake on them and fix all the problems, but so many foolishly opt for XP. 'Tis a shame...

  6. more IE swiss cheese by Ari_Haviv · · Score: 3, Informative

    see http://secunia.com/advisories/12048/

    --
    Join Team Mozilla #38050 Folding@home
  7. Mozilla exploit? by panamahank · · Score: 3, Informative
    Whoa! If this was a Mozilla exploit, does that mean I have to patch my Linux version?

    --
    Serial Meta Moderator
  8. Re:Mozilla being OSS by julesh · · Score: 2, Informative

    Tell you what, you look at the Mozilla source code and find out about the recently discussed problems.

    Here's the catch: the problem was caused by undocumented behaviour in the Microsoft Windows APIs for handling URLs. No source audit by somebody who didn't know about that behaviour would have found it, because those APIs are closed source.

  9. Re:Mozilla "innovation" reaches new low? by That's+Unpossible! · · Score: 4, Informative

    I would like to point out that this is slightly misleading (as it implies Mozilla had a security flaw before the fix), because, even before the whitelist fix was added, you had to do the following to get infected by any malware...

    I don't think this is true. The specific exploit in XP allows shell: protocol links to run arbitrary code if crafted properly. Mozilla was passing these links right on to the OS.

    I think you are confusing this bug with the idea that people can install malware via XPI.

    --
    Ironically, the word ironically is often used incorrectly.
  10. Re:the interesting thing by Finuvir · · Score: 3, Informative

    Firefox will have auto-update (optional, on by default) in version 1.0.

    --
    Why is anything anything?
  11. Re:It was a Windows flaw, not a Mozilla flaw by jesser · · Score: 2, Informative

    This problem is identical to a serious vulnerability recently discovered in Safari where a nefarious site could make use of the disk:// URI handler and the default automatic custom URI installer to download and execute arbitrary code. Has anyone checked to see if Mozilla/FireFox are also vulnerable to this?

    They were, until the problem was worked around in Firefox and fixed in Mac OS X.

    --
    The shareholder is always right.
  12. Re:Malware by drinkypoo · · Score: 2, Informative

    My solution to adware/spyware/malware is to run both spybot and ad-aware regularly (teatimer is running) and to occasionally run Mike Lin's Startup Control Panel and look to see if anything unusual has cropped up. There's no solution like watching those registry locations yourself so you can recognize what is and what is not malware.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  13. Re:Mozilla "innovation" reaches new low? by Allen+Zadr · · Score: 2, Informative
    The,

    I have a response to your leaving F/OSS in my Journal

    I invite anybody to read and reply to it.

    --

    I would like to also point out that this is also a case of "his issue, not mine", that has been the bane of all software (and much hardware) in both Open and Proprietary shops since the Epoch.

    This issue is a vulnerability in a Microsoft technology, that just happens to - also - be accessible through Mozilla. Some people chose to ignore this issue simply because they believed that Microsoft would fix the underlying problem.

    Two years later, they are realizing that Microsoft is not prone to attempt to fix this problem - and that something really needs to be done. This is the right direction. Because all security issues are every vendor's/project's problem. Not Microsoft or Mozilla, but both. Now that Mozilla is willing to look at it that way, then, the Mozilla project has made a great stride towards future improvement.

    --
    Kinetic stupidity has a new brand leader: Allen Zadr.
  14. Re:At the risk of being flamed... by argent · · Score: 2, Informative

    Have you tried going into userprefs.js and adjusting the timeout? For example, to increase it to five minutes:

    user_pref("network.http.connect.timeout", 300);

  15. Odd by rjamestaylor · · Score: 2, Informative

    That the story submitter buys into the "it's insecure because it's popular" myth is one thing; for Slashdot to willy-nilly accept it is another. Very odd.

    That the "shell://" hole in Mozilla (thereby Firefox and Thunderbird) exists is true; but it is not truly a Mozilla hole; Mozilla passes the unhandled scheme to Windows and Windows serves the hole. It's a Windows hole. MS Word (among others) also is vulnerable to the "shell://" exploit.

    This exploit is specific to Windows. Windows is being targeted, not Mozilla.

    So, don't just move to a more secure browser, jump to Mac OS X, Linux, and/or *BSD for a better Internet Experience.

    --
    -- @rjamestaylor on Ello