Spyware for Firefox Coming This Year?

EvilCowzGoMoo writes "One of the main reasons for the Firefox browser's successful seizure of market share from Microsoft's Internet Explorer is the desire to escape the inundation of PC-slowing spyware. However, spyware experts indicate that with its increased popularity, Firefox itself will become a target for spyware creators." From the article: "Basically, if you use Firefox today, you're not susceptible to any spyware, other than what you download when you're on Kazaa...The spyware writers target mostly Explorer users because that's the most fertile feeding ground for piranha-like (spyware) attacks. They'll watch as Firefox becomes mainstream, they'll see opportunity there and start targeting them."

Malicious XPI's exist already

[flyingace]

Spyware already exists for firefox in XPI form. Please lookout of malicious XPI's More information on this can be found here. http://forums.mozillazine.org/viewtopic.php?t=6434 1

Re:Malicious XPI's exist already

[tod_miller]

This cannot be installed without users knowledge, so technically, it is not any more dangaerous than 'you are saving the file untra l3tt p0rno download + last episode 0f ent3rpr1se.exe'.

So, erm, there. XPI doesn't mean you cannot put shit in there, the same way that .exe doesn't mean you cannot put shit in there.

A zip file can contain any shit you want.

If they are awarding prizes for gratuitous uses of explitives on /., please nominate me, today is a shit day.

Re:Malicious XPI's exist already

[athakur999]

Firefox extension don't have to be installed via the browser. I could download something off of a P2P that, when I ran it, would find my Firefox profile folder, install the malware files, and modify my configuration files directly to turn it on. The uesr would never know, especially if it gave itself an innocent looking name in the Extensions list.

Re:Malicious XPI's exist already

[Haydn+Fenton]

Nothing does the bare minimum anymore, just look at mobile phones, you'll have a hard time finding a phone that doesn't have games, camera, internet, calculator and all the other junk that gets packed with them. Any why would people make just the bare minimum? They'll never get market share if there are poeple offering so much more for a tiny percentage increase in the cost (or in the browser case, nothing extra at all).
Personally, I know if I'm making a program, even if I didn't intend on having as many options, they end up being put in anyway because its not much hassle to do so, and its much more beneficial when it comes to using the program. Like someone has said, if you don't want all the features there are, use linx.

Re:Malicious XPI's exist already

[athakur999]

My point is that all of Firefox's attempts to block XPI installations by default isn't going to help as much as people want to think it will. A big chunk of spyware people get is crap thats piggybacked with other software. Firefox, as it stands now, can do absolutely nothing about this.

The people that get infected by crap this way when they use IE are not going to be any safer when they switch to Firefox because it is just as vulnerable to this type of "exploit". User education is the key to reducing the problem. Install Firefox and telling the user to "use this instead of that blue E" does nothing in the long run.

Re:Malicious XPI's exist already

Spyware S&D pretty much tags just about ALL cookies as spyware, as does Hijack This!

Until they become executable entities, I'm not worried about that.

But will it be possible to "inject" XPIs into an otherwise benign HTML page stream and have Moz run it w/o user initiating it? Hmm... hopefully some UI genius does not promote that.

If users have to click on something, then let it be. The automatic, invisible install that ActiveX controls, BHOs, etc., do on IE is just a bad thing.

Re:Malicious XPI's exist already

[niittyniemi]

There sure is. I just posted to freebsd-chat:

Date: Tue, 8 Feb 2005 18:15:32 +0000
Subject: Spyware on FreeBSD!?
Cc: FreeBSD chat

Bad news, looks like my machine has been infected with some Spyware.

I noticed that on surfing to: http://news.bbc.co.uk/ or anything under that domain, I was getting some outgoing activity and Firefox was after a URL (as shown by the status bar) somewhere under the domain:

http://bbcnewscouk.112.2o7.net/

A quick Google on 2o7.net confirmed my worst fears: spyware!

and a 2o7.net cookie planted on my machine.

I cached some pages in my proxy :

http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/ G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bb c.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2: 21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Pag e&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864& c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin %3B&%5BAQE%5D

http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/ G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.u k/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+ 0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http ://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1 .3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BA QE%5D

Looks like some sort of perl script which returns a 2x2 gif, whilst harvesting your browsing habits (and screen & windowsize - by calling Javascript functions in Firefox?)

I wonder if they use different sub-domains to collect stats on different sites. This particular variant seems to be only activated by a visit to BBC news.

I had a grovel in the source of the BBC news homepage but found no reference to 2o7.net (For a minute I thought the BBC had turned evil on me!)

I'm going to do a little bit more investigation on it - I tried removal by obliterating my Firefox profile but no joy. The only thing I saved was my bookmarks file, which looks sound.

Spyware on a unix machine? Tell me it's not so! :(

BTW:
FreeBSD 4.11-PRERELEASEfirefox-1.0.r1,1

I know the latter has some vulnerabilities and I'll update it in due course (and the OS).

I think I'm going to build Links/Lynx with SSL and use that for my banking from now on (if I can).

Anybody aware of other reports of spyware infecting Unix machines?

Anyway, I'm gutted. I feel like I've been violated and humiliated. In short, I feel like a Windows user does everyday!!

The truth: I feel a bit pissed off but I urge people to take no action against 2o7.net like DOS or cracking their webserver and trashing it.....I'll do that myself ;)

Further information: it uses Javascript and I'm guessing it came with an XPI I installed. I'll try and determine which one and post back to freebsd-chat. To disable: turn off Javascript & firewall off 207.net both outgoing and incoming.

I'll also post back here when this story gets duped in a few days time ;)

Re:Malicious XPI's exist already

[jonbryce]

Didn't some of the Mosaic developers leave NCSA to start Netscape?

How?

Can someone explain how this is possible?

On IE there is the mess that is called ActiveX. Are we talking up XUL? Or perhaps malicious plug-ins?

Signed java applets

What about all those signed java applets out there all ready?
The user only needs to press 'OK'(which they usually do) and the applet gets full system access(because of the signing).
Doesn't look very safe to me.

I know you can configure this, but normal users doesn't do that

Spy vs Spy

[Doc+Ruby]

How about a program that takes the cryptohash of the virgin final installed code, and checks against that hash periodically (every 5 minutes, every new website, every app launch)? When spyware strikes, it changes the app fingerprint, and this sentinel could keep a log of recent traffic for analysis, and offer to reinstall. Our desktop immune system should take advantage of our "known good" info to detect these cancers when they start, and track them to their source.

Re:Open Source Disadvantage

[bashbrotha]

Sure, there will probably be companies like that. That's the risk you take when you use open source software.

At least I have a better chance of less exploits created because there are so many eyes on the code.
I've heard that openBSD developers have founded and fixed other security bugs while working to fix exploits, so I still don't see an inherent disadvantage to using FireFox vs. Explorer.

YES.

Security holes _will_ be found (some have been found already see the url spoofing). And some firefox users specially non-savvy ones (a portion that will grow as firefox goes mainstream), will not upgrade.
Spywares will exploit this

The security of Firefox is an illusion. Security through obscurity is not a viable plan for security permanence - if your product is good enough and marketed aggressively enough (and I do count word-of-mouth marketing in this), it will spread and be targeted. It is that simple. It's not until you have the full force of virus/spyware writers coming against you that you know whether all your previous big-talking statements about your security will stand up for crap. My belief? Firefox is going to find itself besieged and it will be a huge test for the OSS community, to see if they can really handle these problems as well as they always say they can.

Re:YES.

[grennis]

and a new, superior, method was put into place within a single release (about a month, as I recall). IE ... hasn't done a damn thing.

Uh, the "new, superior" experience you speak of is the yellow bar at the top. The yellow bar was stolen verbatim from the SP2 IE. The look, the sound, the behavior. It was 100% lifted from IE. So get your facts straight... oh wait, this is Slashdot... I must be new here.

FUD.

[Spy+der+Mann]

IMHO that's a lot of FUD. Firefox is not nearly as vulnerable to spyware as IE is. Firefox by default has XPI installation disabled except by approved sites.

Installing spyware on Firefox would be much more about social engineering (if you want to see this website, follow these instructions: download, choose "save as...". Then double click on it, yadda yadda..."

Of course, with people falling for phishing attacks, it wouldn't surprise me they'd be so stupid to do this. In that case, Firefox should issue a warning about "evil XPI files". At least that way when some moron says "bwaaa they told me firefox was spyware-free", we can ask: "Did you follow the evil website's instructions when they told you to install this XPI?"

Then all we have to do is repeat the worldy-famous Nelson quote.

Re:But is firefox as vulnerable?

[Golias]

What about those guys who offered $15,000 to anybody who could hack their Mac web server back in the 90s? Nobody ever collected the prize.

Real security is something which can be accomplished.

*BSD is secure because it was designed to be secure, not simply because it's less common than other solutions. Likewise, if Internet Explorer 6.0 only represented about 15% of the market, it would still be hacked with shocking regularity, because Microsoft's security is a joke.

I'm not saying that all this means Firefox is as secure as some of the other technolgies I just mentioned. I'm no expert on the codebase for Firefox. It might be downright vulnerable. I will say, however, that it's hard to imagine it being worse than IE.

Re:Duh.

[BabyDave]

To be fair to Windows, I've found that FF 1.0 installs extensions into the users' profile folder, even when I'm in as Administrator.

Re:IE and Firefox have different problems

[theManInTheYellowHat]

They click "Yes" because they simply are doing whatever they think will get them to the next screen. It is no different for the 30+ data entry people that I work with. All they are doing is completing as much as needed, as fast as they can, to get to the next screen

Re:duh

[WhiteWolf666]

I truely believe you are only half right

Yes, we will see more Firefox/Linux/Mac viruses/exploits in the future.

However, the 'barriers to entry' will be higher, because these systems simply are MORE secure.

Evidence? Server marketshare. Linux has comparable marketshare to Windows, yet Linux is compromised less often.

Not never. Linux IS indeed compromised, and at statistically significant levels.

But given the comparable marketshare, linux is compromised quite a bit less.

I suspect the desktop landscape will become similar. Linux/Mac marketshare will approach windows. Linux/Mac viruses/exploits will become more popular.

But they will never reach the levels of Windows exploits in their heyday.

Re:Why more than just two browsers is a good thing

[nine-times]

Sometimes it sounds like the new browser war is between Internet Explorer and Firefox, and only those. But people often forget that there are other browsers out there, such as Opera and Safari/Konqueror (when will we get a decent KHTML browser for Windows?).

Let's let them continue to forget, so that I can browse the web in peace, huh?

If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to create viruses, or take over computers for monetary purposes.

This is very true, that our security is well served by heterogeneity. And not just in browsers, but in platforms. I'd bet we'll find that some of the attempts to infect Firefox are targeted specifically at Windows exploits, and even don't work on Linux/OSX. Maybe they'll come up with an extension/toolbar that reports searches and browsing habits back to some marketing team, but that in itself doesn't bother me so much.

The shear fact of spyware, that some software reports some kind of information back to someone, that's one issue, but at least users can choose that for themselves. It's the self-installing programs, impossible to remove, inflicting damage on your system as you force-remove them, installing other spyware as it goes, reinstalling itself as it's removed, etc.-- those facets of spyware are what trouble me. And I doubt it will be terrifically easy to create platform-agnostic spyware that exhibits those properties, even if you have a common browser.

Given the response time of Mozilla's development..

[HerculesMO]

I have to say we are in good hands for the time being. Mozilla has been pretty quick to release patches and fixes to bugs that were found. Additionally we have to consider one important thing -- Firefox does not integrate with your operating system, like IE does. This is why when you log onto the net 'unpatched', you can get infected just by being online (which is amazing to me). The future of spyware may be aimed more towards Firefox but in a way, it's helpful to Firefox for spyware/malware writers to target it -- it helps them close security holes that aren't known about and help prevent and protect against other things. And since the Mozilla community (oh yea, open source!) is very good in turnaround time to support the browser, the patches will be relatively swift.

So while the author may be right that malware and spyware authors may target Firefox as it gains popularity -- Mozilla and its hordes of programming legions (the open source community) will work together to close the holes that open and see they can't be opened in different ways. In IE, if you closed one hole, you opened another, very similar one. Not that IE is bad, but it was really just abandoned and now that Firefox has the head start -- it's going to stay ahead for the foreseeable future. We will see what Longhorn brings to the table, with the next iteration of IE though.

Either way, I am the type of person that's convinced we will see the end of SPAM in the foreseeable future... I don't see why continual development can stop spam entirely.

One thing that's often overlooked

[MerlinTheWizard]

when using Firefox or Mozilla is the Java virtual machine, most often the Sun JRE is used. There are some security holes in the JRE and this has nothing to do with Firefox. I mean, if you think you're safe with Firefox - update your JVM first. Or don't use any. Bizarrely, nobody ever talks about the Sun JRE. It's very far from perfect though, and must certainly be taken into account.

Re:A Grand Day For Firefox

[nine-times]

Maybe spyware authors are just hoping to make the appearance that they're focussing on Firefox in order to prevent switching. If I were a spyware author, and I knew that people switching to Firefox would make my job harder, and I knew the reason people are switching was the understanding that "using Firefox makes you less likely to get infected with spyware," I know what I'd do: try to make noise that I'm working on Firefox spyware.

The hoped-for result would be that people would be discouraged from switching because they believed it didn't matter. They'd think I was going to get them one way or the other, so they might as well stick with what they're used to. The hoped-for result would be that people stay on IE and keep my job easier.

I'm not saying that this is what's happening, but I wouldn't be surprised if it were to happen.

Re:It's a different problem

[MrP-(at+work)]

Exactly

Chances are any spyware for FF will launch popups and whatnot when you run FF.. Whereas IE spyware can launch popups even if IE isn't running (cause it actually is always running)

Worst that can happen is you delete firefox and reinstall it. All better

With IE, worst that can happen is you format and reinstall windows.

Yay FF! =P

Security Alert: Whitelist bug in firefox

[ad0gg]

You heard it here first on slashdot. I haven't posted this to any security lists yet. I just proved this on my system 5 minutes ago.

IDN Allows Bypass of Mozilla's "Allowed Sites" List

Background:
DN[International Domain Name] support in Mozilla allows bypass of 'Allow Sites'. Problem is caused in the way Mozilla handles IDN when used to handle checking of the list of allowed sites.

Example:

<a href='http://update.xn--mozill-8nf.org/ malicious.xpi'>Friendly Extension Name</a >
Update.mozilla.org will be checked against the whitelist instead of update.xn--mozill-8nf.org.

Threat:
Exploit could be used to trick users into installing malicious extensions.

Solution:
Don't trust 'Software Install Prompts' Use a different browser

Author: Todd Lehr