Slashdot Mirror


Spyware for Firefox Coming This Year?

EvilCowzGoMoo writes "One of the main reasons for the Firefox browser's successful seizure of market share from Microsoft's Internet Explorer is the desire to escape the inundation of PC-slowing spyware. However, spyware experts indicate that with its increased popularity, Firefox itself will become a target for spyware creators." From the article: "Basically, if you use Firefox today, you're not susceptible to any spyware, other than what you download when you're on Kazaa...The spyware writers target mostly Explorer users because that's the most fertile feeding ground for piranha-like (spyware) attacks. They'll watch as Firefox becomes mainstream, they'll see opportunity there and start targeting them."

27 of 630 comments

  1. Malicious XPI's exist already by flyingace · · Score: 5, Interesting

    Spyware already exists for Firefox in XPI form. Please look out for malicious XPIs. More information on this can be found here. http://forums.mozillazine.org/viewtopic.php?t=6434 1

    1. Re:Malicious XPI's exist already by Acts+of+Attrition · · Score: 4, Insightful
      In the immortal words of G.W.
      "Bring it on"

      How's Firefox supposed to get even more resistant to exploits if hackers aren't sitting there trying to exploit the heck out of it?
      Trial by fire. There's a reason it started out as Phoenix.

    2. Re:Malicious XPI's exist already by Frymaster · · Score: 4, Funny
      Why can't a browser simply be a browser anymore?
      All it needs to do is render html, optionally show pictures, and supply widgets for forms.

      well... there is lynx (and links, and dillo). the problem there is that, while you may not get hacked, people will think you're hacking them!

    3. Re:Malicious XPI's exist already by jwilcox154 · · Score: 4, Informative
      heck, even IE since it was based on Netscape, but it just shows a blue screen

      Internet Exploder was not based upon Netscape, but it was based upon the Mosaic Web Browser.

      Here's what it says in the "About Internet Explorer" dialog
      Based on NCSA Mosaic. NCSA Mosaic(TM) was developed at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign.


      They got the term for the Open source project Mozilla from Netscape's Original code name which is a contraction of Mosaic + Godzilla (i.e. Mosaic killer), and was coined by Jamie Zawinski (jwz) when Netscape's primary competition was Spyglass Mosaic.

      In other words, Mozilla/Netscape and Mosaic/Internet Explorer are not based on one another, they have nothing to do with one another except they're competing web browsers.
    4. Re:Malicious XPI's exist already by Magic+Thread · · Score: 4, Informative

      2o7.net is a web analysis company, used explicitly by the BBC and other sites. See the replies on the freebsd-chat mailing list where the parent message was posted:

      1 2

  2. IE and Firefox have different problems by Anonymous Coward · · Score: 5, Insightful

    IE's spyware problems were largely due to exploits. Someone not up to date with patches could visit a website and have something remotely installed pretty easily.

    For Firefox, though, it'll take social engineering. The place to look for the spyware threats is in the brand new extension you WANT to install. Most Firefox users have at least one extension, and many have a dozen. How do you know what each of those is doing behind your back? Most people don't bother to scan the code, and while some may do so and report problems publicly, will you find out about them? A firewall won't even help you in this situation since you've probably given Firefox free access to port 80 (plus 443, etc).

    Mozilla should probably create some sort of permission system for extensions. Can it connect to a remote server? Can it write to disk?

    1. Re:IE and Firefox have different problems by maskedbishounen · · Score: 5, Informative

      This is why Mozilla Update exists. A safe haven for users to find extensions that won't screw them over.

      Supposedly.

      If nothing else, at least it has a rating and feedback system, so you'll have a heads up from others.

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    2. Re:IE and Firefox have different problems by j-turkey · · Score: 5, Insightful
      IE's spyware problems were largely due to exploits. Someone not up to date with patches could visit a website and have something remotely installed pretty easily.

      For you and me, I'd say that exploits are the issue...but in my experience, most average users don't get a malware infestation via browser exploits (mainly because when you and I see the words Gator or Newnet, we say hell no). They simply click "yes" when asked if they'd like to install a piece of software. I don't know if the mentality is "yeah I want more functionality" or "yeah yeah, just show me the damn webpage!". One way or the other (anecdotally), most of the users whom I deal with tend to install the malware themselves. FWIW, these users tend to be on the low end of the learning curve.

      It would be interesting to see a permission based system for this...maybe even registering approved plugins with a crypto signature/hash.

      --

      -Turkey

    3. Re:IE and Firefox have different problems by altstadt · · Score: 4, Insightful

      The loophole here is that people will only see those reviews once, just before they install the extension. A year goes by and everybody hits the software update button which just goes ahead and installs the new stuff. Instant malware.

      I'm not saying this will happen, but it could. Hopefully the developers figure out a defence for this before it does, such as popping up tabs with the latest reviews of the extensions Firefox wants to upgrade.

    4. Re:IE and Firefox have different problems by iabervon · · Score: 4, Informative

      One significant difference is that Firefox (1.0) uses a non-modal section for this sort of thing, so the user is much more likely to completely ignore it. Additionally, the section appears in the same area that the browser offers to let you see pop-ups, so users will quickly be trained to ignore that section as being for getting ads. It won't stop users from getting spyware, but the users will actually have to pay attention to figure out how to get it, rather than being bombarded with offers for it and having to refuse them intentionally.

  3. ...and.... by numbski · · Score: 4, Insightful

    Since xpi's are blocked by default, they're going to get there how? By a javascript dialogue that says "You must allow this installation to continue."?

    Hmm. That's probably exactly how it'll happen. :(

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

    1. Re:...and.... by arkanes · · Score: 5, Informative
      Current versions of Firefox don't allow this, unlike the (annoyingly easy to mis-click) ActiveX install dialog in IE. There's a whitelist for sites permitted to install extensions, which (by default) is limited to the official Mozilla update site. Sites not in the whitelist won't even get a dialog, instead a yellow bar at the top of the screen appears, with a button you can use to access the whitelist and add the site. A site on the whitelist gets the standard dialog, which has a time-delay OK button to help prevent mis-clicks. There's no absolute way to prevent people from installing malicious extensions, but (assuming there's no bugs in, say, the whitelist implementation) Firefox's current model is about as good as you could get.

      Note that older versions of Firefox (and Mozilla) don't have the whitelist, and even older ones don't even have the dialog and are in fact vulnerable.
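
The whitelist gate described in the comment above, modelled as an added example (not Firefox source and not part of the original comment). The host name, the delay value and every function name are assumptions made for illustration, and the sample URLs are constructed. It contrasts an exact-host check with a substring check, the kind of whitelist bug the comment's caveat allows for.

```javascript
// Added example: models the install gate described in the comment above.
// Not Firefox code. Host names, delay and function names are assumptions.

const ALLOWLIST = new Set(["updates.example.org"]); // placeholder for the official update site
const OK_DELAY_MS = 2000; // assumed; the comment gives no figure

// Exact-host check: parse the URL, then compare the whole host name.
function hostAllowed(installUrl, allowlist) {
  let url;
  try {
    url = new URL(installUrl);
  } catch (e) {
    return false; // unparseable input fails closed
  }
  // Assumption: only web origins can be whitelisted.
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return allowlist.has(url.hostname); // URL() already lower-cases the host
}

// Flawed variant for comparison: substring match on the raw string.
function hostAllowedNaive(installUrl, allowlist) {
  return [...allowlist].some((host) => installUrl.includes(host));
}

// What the user sees for an install request coming from installUrl.
function installDecision(installUrl, allowlist, check = hostAllowed) {
  if (!check(installUrl, allowlist)) {
    // Not whitelisted: no dialog, only the bar that opens the whitelist editor.
    return { ui: "infobar", okEnabledAfterMs: null };
  }
  // Whitelisted: standard dialog, OK button disabled for a short delay.
  return { ui: "dialog", okEnabledAfterMs: OK_DELAY_MS };
}

// Constructed regression cases for the whitelist check.
const CASES = [
  "https://updates.example.org/ext/tabs.xpi",
  "https://UPDATES.EXAMPLE.ORG/ext/tabs.xpi",
  "https://updates.example.org.other.test/tabs.xpi",
  "https://other.test/updates.example.org/tabs.xpi",
  "https://updates.example.org@other.test/tabs.xpi",
  "not a url",
];

// Cases where the flawed check shows a dialog that the exact check refuses.
function whitelistRegressions(cases = CASES, allowlist = ALLOWLIST) {
  return cases.filter(
    (u) =>
      installDecision(u, allowlist, hostAllowedNaive).ui === "dialog" &&
      installDecision(u, allowlist).ui === "infobar"
  );
}

for (const u of CASES) {
  console.log(installDecision(u, ALLOWLIST).ui.padEnd(8), u);
}
console.log("substring check wrongly allows:", whitelistRegressions());
```
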

  4. I doubt it ... by NitroWolf · · Score: 4, Insightful

    While the spyware makers may initially try to target Firefox... the fact is, Firefox is written to prevent just these sort of things. Is it possible there will be bugs that allow unauthorized code to run? Yeah... but they will be patched, and patched quickly.

    Overall, no matter how you slice it, Firefox is more secure and is designed from the ground up to prevent the "fertile feeding ground" that IE offers Spyware writers.

    So no, you aren't going to see the same rampant irresponsibility that you see with IE, and the threat is a tempest in a teapot.

    Of course, nothing is going to protect your computer from your own stupidity when opening executables, etc... that's all on the user whether or not they authorize code to run or not.

  5. What people don't understand is this... by Anonymous Coward · · Score: 5, Insightful

    Security is a process, not a product. There is no magical one product or suite of products that will protect you while online. Security is risk mitigation, plain and simple. Far less people would be vulnerable to the tricks of the miscreants out there trying to do people harm if they would just employ a little common sense. But, alas, common sense isn't that common.

  6. Fiddlesticks. Popularity is only part of it. by Shayde · · Score: 4, Insightful

    The issue isn't really how many people are using it. That certainly does figure into it, but the very basic design philosophy of IE allows spyware to propagate easily.

    Firefox has far better controls on what programs can be installed and can't be. Also, the very multi-platform nature of the code makes it harder to write an app that will work well.

    I'm not worried. On the IE side, the only people who can fix the code are microsoft drones, and they won't do it. On the firefox side, the people who fix the code are the people who use it, namely us.

    Planet-Geek
    --
    Event Management Solutions : http://www.stonekeep.com/
  7. The popularity argument again by gatesh8r · · Score: 4, Insightful

    "The only reason why X has $BAD_THING is because the system is popular. I'm 100% certain when Y has such popularity it too will have such problems." -- while ignoring any design differences that make Y less susceptible to $BAD_THING. Firefox is better designed from the ground up. Not saying that it's bullet-proof (it's not...), just less susceptible and less desirable to target. Would you rather target a locked door with an alarm system, or a door that's wide open and no security measures taken?

    --
    Karma whorin' since 1999
  8. I've already seen some... by eno2001 · · Score: 4, Informative

    ...being a 100% full time user of Firefox, I was surprised to find a site in a random web search a week or two ago that actually got a pop-up window going, but also appeared to attempt to execute some code as Firefox popped open a dialog asking me what I wanted to do with the file that was being downloaded. Thankfully, I have it ask me what I want to do, but if I was a typical user, I would have already associated the *.DOT file with MS Word and god knows what would have happened. Keep in mind that I didn't actually click on any links that indicated a download, I only clicked on a Google search result which took me to a site that displayed a blank screen and then the pop-up. I have to wonder what would have happened if I had associated OpenOffice.org with the *.DOT file since I run Linux. Probably not much... but it definitely indicates that Firefox will be targeted. The real question is: will the Mozilla project be able to keep up any better than MS has with IE? I'm guessing that they will.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  9. "Expert"? by Kupek · · Score: 5, Informative

    Their expert is the Vice President of Threat Research at Webroot. That much is from the article. The article doesn't take the next logical step, however, and point out that Webroot is in the business of developing and selling software to prevent, detect and eliminate spyware. So it's certainly in this guy's interest for people to think that spyware is still a problem.

    Their other expert is also from a company that makes similar software. So people who make anti-spyware software agree: you need anti-spyware software.

    I'll be more concerned when independent parties think spyware in Firefox is an issue.

  10. Why more than just two browsers is a good thing. by hkmwbz · · Score: 5, Insightful
    Sometimes it sounds like the new browser war is between Internet Explorer and Firefox, and only those. But people often forget that there are other browsers out there, such as Opera and Safari/Konqueror (when will we get a decent KHTML browser for Windows?).

    If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to create viruses, or take over computers for monetary purposes.

    What we need is several browsers that each have a significant part of the market. Not just IE and Firefox/Gecko based browsers, but also Opera and KHTML based browsers. Maybe there would be room for even more as well.

    It is good that an alternative browser is growing rapidly, but monoculture or duoculture makes life easier for virus makers. With four browsers, it would take four times the effort to get as much "bang for your buck" for virus authors looking to make money by infecting people.

    --
    Clever signature text goes here.
  11. Re:NO way!! by maskedbishounen · · Score: 5, Funny

    Pfft.

    I use GNU/Linux, so the only spyware I install on my system is GNU/Spyware!

    --
    "An infinite number of monkeys typing into GNU emacs would never make a good program."
  12. Typographical Errors in High Places by handy_vandal · · Score: 5, Funny

    Let's not get carried away here. I voted for him over the other guy, but I don't think I would describe anything he's ever said as "immortal."

    Typographical error -- should read "immoral words" ....

    -kgj

    --
    -kgj
  13. Re:The record keeps skipping. . . by OwnedByTwoCats · · Score: 4, Insightful
    "They're only safe because they're such a small target."

    While this is no doubt true, ...

    I doubt that this is true. Apache has a greater market share than IIS. There are more exploits and worms for IIS than there are for Apache.

    You may be safe if you are small. You are safer if your design takes security into account up front, and that design remains intact through implementation.

    Windows is insecure by design. Therefore, there are windows exploits. Unix, Linux, and MacOS X were designed with multi-user security in mind from the beginning; they are more secure than Windows.
  14. He hit the nail on the head by beef+curtains · · Score: 5, Insightful

    Nevertheless, Stiennon also indicated the creators, maintainers, and even users of Firefox will quickly and aggressively step up their anti-spyware efforts along with the increased threat. "The people who use Firefox -- their reaction to any spyware-type attacks will be pretty vehement," he said. "There'll be fast reaction from both Firefox developers and users."

    I think this part sums up the beauty of Firefox, and the reason why I don't think this is any sort of cause for alarm:

    There is a whole community of brilliant frickin' people out there who have taken a personal interest in making sure Mozilla products are secure & as bug-free as possible. I don't think it would be an exaggeration to say that they might look at Firefox as "their baby."

    More importantly, some of these individuals are well-versed with the shadier aspects of software...so I predict Firefox security holes being patched as quickly as they're found.

    Not only that, but I don't see many Firefox users (especially not those that have used it since its early days) taking spyware/adware lightly...turning the other cheek or throwing hands up in frustration don't seem to be personality traits of bastards like us ;)

    --
    Just once I'd like someone to call me 'Sir' without adding 'You're making a scene.'
  15. Re:YES. by arkanes · · Score: 4, Insightful
    Nonsense. The security of Firefox *has* been tested, and in fact holes have been found, and patched. To date, it has handled itself far better than IE has. For example, when malicious XPIs appeared, it was realized that the installation procedure was far too lenient and a new, superior, method was put into place within a single release (about a month, as I recall). IE has been plagued by the same category of bugs since the inception of ActiveX, and hasn't done a damn thing.

    Firefox doesn't rely on security through obscurity. It relies on security through process and architectural improvements, the same way anything should. Nobody has made any claims of perfection, simply of a superior process and architecture coupled with a much faster response time. So far, that has proven to be true.

  16. Re:Explain yourself... by hab136 · · Score: 5, Insightful
    What's the reasoning behind your guess? The old argument that simply because the open-source community has more coders, they're bound to fix problems more quickly and get it right the first time?

    That and OSS has coders that aren't being hamstrung by marketing weasels. If something is awesome, but would take too long to develop ("cost too much"), an OSS developer can still do it if he wants.

    What guarantee do we have that the people looking at the code are even qualified to review? What insurance do we have against their work if it goes wrong?

    None, same as closed source developers. No company will pay you, either voluntarily or in a lawsuit, for bugs in their code; neither will OSS. Read your EULAs.

    Who's accountable?

    Nobody, same as closed source developers. Both have reputations to uphold, but commercial developers only care about their reputation as a means to profit. If they can make money without bothering to have a good reputation, they will.

    One advantage is that OSS developers have a reputation they would like to uphold. If they write crappy/insecure code, people stop using their code. Closed source developers will often say "well, it works, and it sells, so.." and let the developer stay on, making more bugs.

  17. Totally OT... by bhsx · · Score: 4, Funny

    But, I went to a Lutheran HS in Chicago. We had chapel every Thursday. One day, a girl I had had a crush on forever (she went to my grade school as well), a well-perceived, good-faithed, honor roll student, was giving the sermon at chapel.
    The service was supposed to be decrying sexual immorality, but the entire 20 minute sermon, she unknowingly used the term
    "sexual immortality."
    Every time. And everyone laughed. Every time.
    A lot of us were surprised they didn't cut her short. Just thought I'd share :)

    --
    put the what in the where?
  18. Re:Bring it On by valkraider · · Score: 4, Insightful

    Who said anything about Levis and MTV? I never said that it was our "culture" that the terrorists are opposed to.

    It is not our culture, but rather our FOREIGN POLICY.

    Our government propping up leaders and overthrowing elected governments and things like that, ALL OVER THE WORLD, is what has caused Terrorism to flourish.

    Ask ourselves these simple questions: Why Did Osama Bin Laden switch sides? What caused him to stop working FOR the United States and start working Against it? Where did Iraq get all the weapons that they are now shooting at our sons and daughters? Why are people starving in Cuba but Castro is doing fine? Why did we really oust the Taliban from Afghanistan? Do people in other cultures really *want* democracy forced on them?

    Generally attacks come to places that have American interests or places that help American interests. But also, there is one thing people seem to overlook - How come no one hates Canada (besides Canadians...)? How come no one burns Swiss flags in protest?

    The United States government has a long history of meddling and pushing. Both Republican and Democrat. We have pushed with Military Might. We have meddled with covert actions. We have coerced with financial influence. That is why we are targets for Terrorism.

    They don't "hate our freedom and liberty" - they hate our government. And they see the American people who continue to support the government's policies, and who pay tax dollars to fund those policies - as enemy combatants.

    The Levis and MTV are just icing on the cake. Just one more reason for them to hate us.

    People in the USA are just as guilty of religious fundamentalism, and just as guilty of killing in the name of religion. More people have been killed in the name of Christianity than any other single cause. People resent that over time...