Korean Mozilla Binaries Infected
Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
This virus has been in the wild since at least early 2002.
Here's Symantec's take on the virus:
http://securityresponse.symantec.com/avcenter/ven
bug.gd: error search engine. Humanity working together to solve all errors.
it's a virus?... for linux? I'm sorry but I just don't understand the situation?
Guess anything that can be programmed is also vulnerable, regardless of how impenetrable it is.
"Mozilla hits back at browser security claim"
BWAHAHAHAHAHAHA.
Oh, wait.
...after Yesterday's story
Oops Mozilla. Damage control - Engage!.
Birdflu ?
...expect to see more of this as the popularity of OSS continues. Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Is this the first time a linux virus has been spreading in the wild?
This proves that Linux is teh suck!
Or, it might actually prove that people who log in and use Linux as the root user on a habitual basis deserve whatever they have coming to them.
Steve Ballmer is going to have a good day today.
A new flaw affecting Firefox users under Unix allows webmasters to craft a URL that when run from an application like Evolution can execute any command. The flaw stems from the use of backticks in the shell script used to launch Firefox. Read more about it here on the Secunia advisory. Version 1.0.7 fixing the flaw is already out.
They could have easily replaced the app signatures to match the infected binaries.
-mkb
...and it pops up a window saying..."No more Nukes for you!"
Some settling may occur during posting.
Really? I wonder if this website really knows much about Linux at all. That's fine advice for a platform that has antivirus products.
This certainly doesn't bode well for these new 'IE is more secure than Firefox' claims.
Even so, as long as the user you run doesn't have write access to any executables (tis a good idea), you're fine.
This link is saying that Mozilla 1.7.6 and Thunderbird 1.0.2 Korean For Linux were infected. But it doesn't mention any other versions.
Old news? Crap that doesn't matter (any more)?
I can hear it now; "See, FF isn't as secure as its supporters claim it is."
Whatever.
Considering this only affects one operating system (Linux) and occurred in only one area of the world (Korea), despite this flaw it's still a whole bunch better than getting an update for IE or Outlook and having everyone who uses Windows, regardless of where they are in the world, being infected.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
And that applies to Linux as well. Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception. This is what we ought to teach end users to practice and also system Admins need to follow advice on this. Understand SELinux, Firewalling and virus detection is crucial.
Scott McNealy to Michael: "Suck my Sun!" Michael Dell to Scott : "Lick my Dell!"
First the unofficial Korean Mozilla site in July, and now long obsolete versions of the Korean Mozilla (not Firefox) and Korean Thunderbird builds. I doubt anyone was infected, nor was that likely the intent, especially given the old, neither stable nor current, version numbers, but one thing is clear. Someone out there really doesn't like Koreans.
Only root has write access to executables in /bin, so how does this virus get around that and change the executables (which is what the report from viruslist says the virus does)???!
Is this just BS or does this virus somehow get root privileges? I would bet the former.
Actually Linux is more secure. If you run mozilla as a normal user, then mozilla and the virus can't write to the files in /bin, and therefore can't do any really severe damage.
Well, the symantec description wasn't very useful to me. But if I read it right, the virus tries to infect /bin. But iirc it will have to be run with root privileges in order to be able to infect /bin. Dunno about you guys, but I never ever unpacked firefox builds into my home directory when running as root. Basic security. So, if I understand this correctly, it only infects /bin when you've been sloppy. Not much of a threat, is it?
----- One learns to itch where one can scratch.
What's that sound? Uh-oh...that's the sound of the other shoe dropping.
Unfortunately, as Linux continues to gain popularity, this sort of thing is only going to increase. One of the basic reasons Linux used to be so secure is because anyone who took the time to sit down and learn the OS was technically savvy enough by the time they were done that they knew enough to take at least elementary precautions against infection. With the advent of easy to use, out-of-the-box Linux solutions (Xandros, I'm looking at you), the formerly steep learning curve for Linux has softened, and with that, some of its security has eroded.
Please don't think I'm trying to bill myself as some sort of Linux zealot, that believes that the holy OS should be kept out of the hands of the 'great unwashed', because I'm not. I'm just saying that a computer is only as secure as the person sitting at the keyboard lets it be.
____
~ |rip/\/\aster /\/\onkey
I'm assuming this can only occur if you installed the virus infected material as root?
Nothing new here....if you install software as root from a compromised source and don't check the md5sums along with other precautions you put yourself at risk
only old people get infected
Then you'll know this virus was distributed on purpose or the core distribution was hacked and the hackers distributed it on purpose.
You'll also know that the virus isn't infecting *anything* unless you're running as root or you're using a version of kernel and glibc that have specific flaws to allow the virus to do something as a regular user. Are they using a kernel and software from 2001? Maybe, for all I know, but that's pretty irresponsible if they are.
This is such a non-issue for anyone except the stunned distributor that sent around the CDs. Not the first time it happened to the Windows world, either.
...Steve
tfa was a bit brief -- was the tarball infected, or was it the firefox binary? was it infected during the build?
this doesn't seem like a problem/vulnerability with firefox per se, but a problem with their particular download page -- someone posted an infected file -- oops!
mr c
"Physics is like sex. Sure, it may give some practical results, but that's not why we do it." - R. Feynman
...that Microsoft was behind it.
Rumors are that they're running a sweatshop in Malaysia to mass produce viruses to attack the competition's products, creating a hype about how much safer MS really is.
Besides the one virus mentioned in the article, another one infected machines with the Google toolbar installed: it randomly displays a flying chair across your screen while popping up messages like "I'm gonna kill YOU!".
Uncopyrightable: The longest word you can write without repeating a letter.
Guess anything that can be programmed is also vulnerable, regardless of how impenetrable it is.
I guess anything that can be built can be broken, regardless of how unbreakable it is.
As I recall, Firefox (which is not the same as Mozilla, yes, I know) won't work quite right unless it is run as root once. Isn't that a security hole waiting to be exploited by something like this? Even a user who normally doesn't run as root can be hit with this situation.
I don't subscribe to RMS's GNUtopian vision.
It is. The fact that the only way for it to be effective is to pre-infect the original distribution. Which means someone miscopulated the canine. Still can't get around human fallibility in that regard.
Linux is still much more secure in its raw state than almost any closed-source product even after post-install configuration. Anyone with a modicum of experience with a fresh *nix installation will likely spot this before it does any real damage.
Suppose it was only a matter of time before someone figured this out though. Goes to show you, it is not a good idea to hook any system up to a network or the web before you finish the basic post-install configurations.
Stupid Humans.....
Since if you run it as a normal user on Windows it cannot damage the system files either :)
Even so, as long as the user you run doesn't have write access to any executables (tis a good idea), you're fine.
Uh, but don't you need write access to be able to install the infected mozilla executables? Even if it can't infect executables, having your web browser infected is more than bad enough since you typically enter all sorts of "interesting" information in your browser. How is this "fine"?
It's not about a security exploit. Somebody managed to put up an altered binary on a public server. It's the exact same thing as if someone managed to alter a binary at download.com for windows. You wouldn't blame Microsoft for that would you?
...use Lynx or Links, not a graphical interface!
Custom electronics and digital signage for your business: www.evcircuits.com
Before everybody starts pointing out that they don't browse the web with their root account, and so can't write to any of the binaries on their system, you should be aware that one of the infected files is the installer - which most people do run as root.
Also, even if you don't run the installer binary, but simply unpack the tarball manually, the release notes tell you to run included binaries as root as part of the normal multi-user installation process.
Bogtha Bogtha Bogtha
To trust no one should be part of a good security practice. Just because you are downloading something from a well known not evil entity it doesn't mean you should let your guard down.
More like an "everything could be bad unless proven otherwise" approach.
It would be funny something like this happening on the windows update servers as they are pushing the automatic download and installation of updates.
The best test environment is production. - Me
chrome://browser/content/browser.xul
I can't believe Microsoft didn't do this sooner.
If the poster would have read and UNDERSTOOD the original article, he would have realised that it was only a general hint about dangers that can happen when you download binaries. He refers to an OLD mozilla security breach (check out the version numbers).
"Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.
Korean distributives for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b"
Why is only the Korean version infected? The North Korean leader is already paranoid enough. This will push him over the edge.
//Headline: North Korea Bans Use of Computers
Who is that guy who doesn't feel it necessary to point out that "/bin directories" can't be written by non-root users... Jeez, "all about internet security", really? Make your facts accurate!
"It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
Well, I hope, this gets, fixed quickly.
This Linux virus was not an effective virus in 2002. It is even less effective now. The Firefox was about 2 versions old, so the infection rate is extremely low.
I guess that's why you don't download, install and run precompiled binaries from untrusted sources. Or do you?
:%s/Open Source/Free Software/g
YTARY!
The article suggests that one should scan the files downloaded from the internet for viruses.
For excellent antivirus software see free open source Clam AntiVirus.
because most users run as root despite being smart enough to know it's safer not to. For the same reason New Orleans didn't have category 5 safe levees, most users spend a lot of their time running as root. It's simply easier to take the risk and, unless your system is critical, getting taken down once in a while just represents an opportunity to clean up. Especially in America, we like our freedom and we are risk takers. It's in our blood.
A lot of people are still running Redhat 9 and that's ancient in the OSS world, so I expect some people are still running much older versions of linux that may have the circa 2001 flaws.
thank God the internet isn't a human right.
Easy come, easy go. It's back to lynx(1) for me!
org.slashdot.post.SignatureNotFoundException: ewg
Do you think we can blame this on the North Korean Hacker army we've been hearing about?
If the installer binaries are infected, well, you're screwed.
Build from source.
...is what's on the line here, not the security of Firefox. Installing someone else's code is always insecure if they can't be trusted. I still trust Mozilla, but I'm really shocked by this.
OK, really paranoid, conspiracy-theory thought here... Yesterday, Symantec, a vendor with an AV product, releases a report claiming that Mozilla is not as secure as IE. Today, a news story comes out that a download of Mozilla from some website in Korea has been trojaned. Anyone else wondering if Symantec placed the infected files in Korea to boost sales of either their Linux AV product (haven't checked to see if there is one yet) or their security consulting services?
My late-night googling skills are failing to find a reference, but I remember some stories from a couple years back about AV companies writing and releasing new viruses to pad their list of known viruses. If that was true, then I wouldn't put a stunt like this past them.
I can trace the code trying to run but OpenBSD just err's out a message to the console and Mozilla keeps running.
Awesome.
When are people going to learn that the only truly secure computer is the one that's free of any connection to anything, wired or otherwise, powered off, encased in concrete, and then shot into the sun? Anything that people build will have some kind of vulnerability. The trick is mitigating them so that damage is minimal.
Come on...this isn't rocket surgery. Use some common sense.
This is not a sig. this is a duck. quack.
Maybe the perp behind it was the magnificent and dear chairman Kim Jong-Il himself? I really can't think of anyone else clever enough with mad skillz to pull it off.
You forgot:
8) The 'let me sum the discussion up into categories' karma whore.
While you're right that normally one installs software as root, installing software from an FTP site without checking at least the md5sum from a trusted origin is dumb.
Unfortunately this part can't be fully automatised, because you would rely on the untrusted package to find the originator sources, which can be faked, obviously..
If the installation on Linux was standardised, maybe one could just ask the user where the originator website of the software is.
But Linux distributions can't even standardise on a common packaging format, so standardising on a common installation tool is a pipe dream..
I use a lot of OS software (e.g. Firefox, NeoOffice/J, LyX, R), but the standard installation process on my platform (OS X) does not allow checking for an authentic signature. Why is this not built in? It doesn't have to be this way: for instance, Red Hat signs its own RPMs (though Debian's APT didn't support this last time I looked).
We already have to trust the developers. We shouldn't have to trust every FTP server too.
...or at least one of his tribunes, bringing forth the message, being ignored as usual, and watching the foretold calamity from a nearby hilltop and muttering to myself, "and so it begins."
Sooner or later the haughty attitude and assumption of near omniscience and perfection catches up and the weaknesses which built and multiplied and were covered with a coat of paint as it were cannot longer be hidden and the whole thing crashes down.
Microsoft's earlier buggy code was partially a result of this sort of idiocy. The very foundations of bug hunting and removal are in the writing of the code in the first place and those who believe all they do to be blessed and special are more prone than any others to make the grievous errors that in the end destroy the reputation of the writers, the publisher, and the product itself and as Microsoft has clearly shown by their own peccadillos, reputation is easier kept than restored after a loss.
The Firefox has fallen in the mud. Better not let the flames go out and the hunters catch it...
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
If this was a story about Microsoft/IE/Windows, the /. crowd would be crowing about it and saying how the episode shows how bad/insecure MS/IE/Windows is.
This time it's happened to the "good guys" - does that mean that Mozilla/Linux should be shouted down for being bad/insecure.
See these links for examples:
http://www.softheap.com/internet/viruses-on-cd-rom.html
http://www.nha.com/news/archives/msvirx.htm
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
But, as there is no oil to be found in Korea, the motivation to intervene is somewhat thin...
This is not about Mozilla distributing infected binaries. Mozilla did not. If they had, your analogy would be correct.
This is about a 3rd party site distributing binaries of compiled Mozilla code that were infected.
The only Microsoft comparison that can be made would be if HP (or some OEM) shipped WinXP computers with a virus.
The real question is how did that virus get there in the first place. It's been around for a while but it doesn't spread.
When Security companies and security experts write or say anything derogatory about Linux/OSS security everyone jumps on them. When corroborating news comes out OSS people deny or try to explain it away as an aberration and not the norm.
And I thought part of the OSS religion was diligence and persistence in security. M$ are the ones that deny the problem exists and do nothing about it right? Well, RIGHT?
The emperor has no clothes!
--russ
Are you saying these things aren't true?
Yes, you'll download it from microsoft.com, not from microsoft.kr. Hmm, why not take the same care when downloading Mozilla?
So what? The binaries on the Mozilla site were infected. Big deal. If you downloaded the source tarball and built it yourself, you would have a clean copy. Likewise, if you downloaded the binary package from your Linux distributor, you would have a clean copy {since they compile the sources themselves, and just make the appropriate tweaks to make it fit in better with their distro}.
If you download untrustworthy binaries, you're a twat, and you deserve everything that happens to you. It might teach you a lesson. What earthly good is a door with multipoint locking and over a billion key differs, if you go inviting random strangers off the street into your home?
Je fume. Tu fumes. Nous fûmes!
Just because those responses are predictable doesn't mean that some of them aren't also true.
Besides, Microsoft is constantly broadcasting the message that Linux sucks, and they are paying billions a year to have that message repeated wherever they can. Do you expect Linux supporters to just respond once and then shut up?
Microsoft has bought the airwaves, print publications, billboards, and face time to get their message across. Leave the rest of us a little space on discussion groups for expressing our views.
...don't forget that some Links variants are quite capable of creating a graphical display.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
Writing a virus for Linux is easy.
Getting that virus onto someone else's box is very difficult.
Getting that virus to spread from that box is even more difficult.
Linux viruses have an infection rate that is lower than their removal rate so they die in the wild.
The real question is how did that virus get into that code? Linux viruses tend to have total infection numbers of less than 100 machines.
This very article is about an instance of the virus spreading. Must it state this explicitly for it to be true?
You list two seeming "common sense" practices as what we should take from this story, yet this story wouldn't come about if those were adhered to. Linux is very, very far from being idiot proof, and as the user base of linux grows, so will the percentage of (willfully) ignorant users. Linux is only as secure as its user.
No user is perfect, no distro is perfect, and Linux is not perfect. Thankfully, error rate is still relatively low.
Sorry you require a duh... If you are not running as an Admin/Power User it is the same in windows as well. And yes it is possible to run as a regular user in the windows world, and i am typing this as a user logged in without any admin privileges, and wow i can run ff, office, VS, photoshop, dreamweaver, gaim, sql manager, query analyzer, cygwin, yahoo music engine and 7-zip.
I think people need to quit complaining that they cannot run as regular users on windows. Use RunAs if you have a pain in the ass game that requires admin access.
Personally I would have modded it down on the basis that it was coat-tailed onto a post that was nothing to do with MS v Mozilla issues, but just happened to be the first 5-rated comment. I mod those down as Offtopic, because they are offtopic to the thread that they were attached to. There's no excuse for modding it as troll or flamebait though, so I kind of agree with you.
Anti-virus apps are REACTIONARY patches to hide that failure of the security model.
I will continue to run Linux WITHOUT anti-virus software because I understand how viruses/worms/trojans work.
Why should everyone degrade their system just because one site put up an infected binary?
Hah, should keep some Koreans busy fixing it then, instead of sending me spam!
#include <sig.h>
But given the increasing number of security vulnerabilities discovered this year and freeware Opera being available without ads, it's time for me to switch yet again based on: security, features, price, and performance.
On Windows machines I've switched from: Netscape -> IE -> Mozilla -> FireFox -> Opera 8.5 (yesterday) -> ?
Help improve the quality of software: if you are a non-programmer, then save your loyalty for people. Blind loyalty to software promotes bad software and laziness. Switch whenever something better comes along as long as the benefits justify the cost of switching. Opera 8.5 is free beer, more secure than Firefox & IE (for now), feels faster on Windows, and has nicer core features (which I didn't expect yesterday).
Price, security, performance, and features (like the mini-panel dropdown when you click the URL address editbox).
Sure, the source code isn't available but all of the above benefits outweigh it. Especially since I never modified or compiled Firefox (I modify only about 5% of software I download--and I download a lot).
If another browser comes along that is better, I'll probably switch again as long as the benefits justify the cost. All it took was a few mouse clicks to import Firefox bookmarks into Opera.
Good luck Mozilla/Firefox, I hope you improve enough to convince me to switch back again--and I hope some other product does the same afterwards, and so on...promoting software evolution.
Bloated software is more likely to be downloaded in binary form than software that can be downloaded in source form and quickly compiled by the user.
This is yet another reason to avoid BLOATWARE.
Maybe http://www.dillo.org/ is a better option.
Or perhaps the more ancient Beest project.
http://www.mozillazine.org/talkback.html?article=
I'm thinking they should give up their domain which likely causes the confusion and give the false impression that what you are downloading from the site is an official Mozilla binary.
burnin
The site in question was not affiliated with Mozilla in any way. Would you lose faith in Microsoft if the copy of Windows you downloaded via P2P contained a backdoor?
mmm... So do you not think the phrase "Mozilla.org is the latest example" is just the teeniest bit misleading in this context? You know, what with most people taking "latest" to mean "happened very recently" as opposed to "even so, there hasn't been one for simply ages so I wouldn't get too worried".
Not that anyone would do such a thing deliberately, of course... Except I can't help wondering how many people pondering a change away from Windows/IE will read that and form a false impression of Mozilla and Linux.
Now who could that benefit, I wonder...
Don't let THEM immanentize the Eschaton!
ActiveX is a stupid security model. That is why so many exploits for it exist and why you have to keep your anti-virus signatures updated every day.
There is no equivalent in FireFox.
Anyone, anywhere can put up infected FireFox binaries. Whether anyone will ever download and install them is another matter.
People, this is why sensationalized news is a bad thing.
There have been absolutely no details given, and there is no corroborating evidence from a different source. You are losing trust in Mozilla based on the word of an anonymous stranger. Maybe you never trusted them in the first place.
-mkb
But Mozilla as a whole (the organisation and the products) are already getting bad press for this.
People have complained in the past about the Mozilla organisation being heavy handed about trademarks, and trademarks (eg the Linux one) have been getting a bad rap in general. But here's the other side of the coin - the actions of an organisation that identify themselves as "Mozilla", even though they're _not_ the Mozilla foundation, are tarnishing the reputation of the genuine article.
rm -rf ~/*
.. :)
Severe enough
The Mozilla foundation needs to pursue strong, immediate public action against NKing.com, holders of the mozilla.co.kr domain. Using the Mozilla name connotes official status, and they are trashing it badly. I would say stop releasing Korean builds until the domain is handed over to more responsible people.
The original article is misleading, it mentions some outdated version numbers that should raise suspicion, besides the fact that this is reported nowhere else. If you look at Mozillazine, you will find this article from June:
Korean Mozilla Site Hacked
This site was not an official "mozilla.org" site but a korean fan site, and it was hacked, like MSN Korea a week before:
internetnews article
So some hackers in june broke into a korean site that has nothing to do with the mozilla foundation, altered files by adding viruses. This slashdot article makes me feel sad.
See! Windows and IE ARE more secure!!!
MWHAHAHAHAHA!!!!!!!!!
The larger number of exploits in Firefox is just the tip of the iceberg!
Open Source, you are going DOWN!
And I for one, welcome our new DRM laden overlords.
Oh, wait, they're not NEW overlords, they've been the overlords for a few decades now.
Well, I welcome them anyway.
"Live Free or Die." Don't like it? Then keep out of the USA
Where is my gentoo ebuild for the virus?
I forgot to be anonymous.
People, this is not a real virus and it doesn't get very far. In fact, variants of it have been around since early 2002. It is just a small piece of binary that's a bit annoying and anyone who builds from source can't get it anyways.
unless you only want to use it yourself.
To get infected on Windows you... have to turn the system on. As far as I can tell.
Sure a lot of Windows infections are because the user downloaded and installed binaries from untrusted third parties, but equally as many just turned their computers on.
If you ran untrusted binaries on your Apple you'd be exposing yourself to similar risk. Hell, we used to have the same problem on IBM mainframes back in the '80's -- every year around Christmas time all the freshmen would run those greeting card programs in their in-boxes and bring the network down as the trojan spread itself to everyone in their address book. Windows just eliminates a lot of the work for you.
As the Linux userbase expands into increasingly less clueful segments of the population compromised systems are going to be more of a problem, but I predict that even if the installed Linux base ever grows to the size that Windows is, the problem won't be as severe as it is on Windows. Unless everyone's running Lindows...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
> How do MD5 sums protect you from trojaned software?
Because you get the few bytes of MD5 checksum from a trusted webshite (say, maybe, possibly an official mozilla site, with official builds and official checksums) and download the actual few megs of binary/source from a local server. _Then_ you verify the checksum you prat.
The worrying thing is your post was modded as 'informative'.
>So, its not mozilla.org (the article states "on public servers. Mozilla.org is the latest example")
It doesn't matter.
Who got infected? Users of Mozilla and Thunderbird for Linux. Why? Who cares. The point is that's a typical problem that can happen with OSS.
(I have to make one observation here: how the FUCK is one supposed to download from the main site when their servers are fucked up most of the time. Here, today Firefox 1.0.7 was released. I bet you didn't know. Do you see a flashing indicator in your Firefox v1.0.6? I don't and I think I won't see it before next week. So OF COURSE people download crap from wherever they can. Not everyone knows how to use wget, rsync, GetRight, etc.)
I know, it happens rarely, but it's apparently possible and a real threat. In recent years similar things happened with Debian root servers and sendmail packages.
And one day when your yum auto-updater updates to a compromised binary, I'll see if you'll overhype or downplay the problem.
>Unlike Mozilla Europe, Mozilla Japan and Mozilla China, the Korean Mozilla site is not officially affiliated with the Mozilla Foundation.
Who gives a shit? If I get infected, I'd hate them all. Refund would certainly not be an option.
If one works for a company (or is a clueless Windows or Linux user), he WILL buy security product (and/or a commercial Linux distro).
It's like insurance - if you don't buy it and nothing happens, good for you!
But enterprises don't take such risks.
You think you're smarter than those "greedy security vendors" but you only show unprofessional attitude towards security and system management. Or were you speaking from the home user perspective (in which case I have nothing to say to you)?
The truth is - as Linux (and OSS in general) market share is picking up, so is the number of its security problems.
Maybe we can't compare severity of vulns, time it takes to fix them, etc. but any reasonable person already gets the picture - types of vulnerabilities and risks are different, but the final outcome is that neither Linux nor Windows are secure operating systems.
Uhmm.. as long as you run apps as user and NOT as root, you are ok. If you're stupid enough to run apps as root, then you deserve whatever you get. Funny how the article doesn't state the blatantly obvious.
The irritating, endlessly whining "OMG slashdot is teh biased!1!!" crowd don't mind distorting the truth in order to try prove their invalid point.
I'm almost sick of reading slashdot because it's gotten so bad that in practically every thread there are a hundred posts trying really really really hard to "prove" the existence of this alleged bias. (Nobody has succeeded yet, because every "slashdot is biased" post seems to ironically get modded up to +5.)
I think it started with just astroturfers who deliberately come here and try to use psychology to control and manipulate posters into thinking twice before posting anything criticising Microsoft. And so far (predictably) it's worked pretty well, as a number of the more naive posters have picked this up and are now doing the astroturfers' work for them.
The reason it matters is because the Mozilla organization is not involved so there is no point in blaming them. Who is to blame? The site distributing the unofficial binaries. Maybe Mozilla should use their trademark ownership to shut down the site, but that's the extent of their control over the situation.
Do you blame product vendors when other sites distribute infected unofficial copies of their software? No, I don't think so. If you do I question your sanity.
A checksum would be for making sure nothing was corrupted by the transfer, and is largely irrelevant with any modern protocol (FTP, HTTP etc.) because there are checksums in all the lower-layer protocols.
A cryptographic hash tells you that you almost certainly have the same binary as the person who created the hash, hopefully that person is trustworthy otherwise the hash is worthless.
In mirror systems you only need to check that the mirrors have correct hashes. If their hashes are correct and the users check them, any problems with the (much larger) binaries will be reported and won't cause any harm.
You're correct that a full signature system would be preferable, and that's what e.g. Linux distros like Fedora Core use. But there's a lot of overhead in such a system compared to just putting a few MD5sums on your home page.
Since the (unofficial, not part of Mozilla.org) Korean Mozilla site seems to have allowed these binaries purely out of carelessness it's no help to have either digital signatures or hashes.
Downloading from any mirror, official or not is fine as long as you check the archive using md5 or sha1 (or ideally, gpg) from the main site, which provides signatures for every archive.
Though what I don't know is why mozilla doesn't insist more on that (you have to go on the ftp site clicking on "other systems" to find the checksums and signatures : ftp thunderbird)
Fine mod me down. You know I'm rite.
Oh and theres no free speach on /.
Parent is supposed to be +1, Funny, not -1, Troll or Offtopic. If you can't comprehend the nature of a simple joke, please refrain from moderating posts like this.
When Mozilla has a bug in it (like two weeks ago), all the slashdotters say "the good thing is you can patch it yourself!, here's the change!". And that's true. But the problem is now the produced binary doesn't match the md5sums on the Mozilla site.
So if a VAR were to want to "do the right thing" and patch immediately, as open source allows you to do, they then open up their customers to trojan problems because the md5sums don't match the Mozilla site anymore.
Just pointing out how the logistics of releasing a patch are fairly significant, so that perhaps some people can understand why MS can't patch every problem in under 30 days. And we haven't even talked about testing...
http://lkml.org/lkml/2005/8/20/95
You are a blithering idiot who doesn't have the first fucking clue what he's talking about, and the world would be a better place if you would kindly go and castrate yourself at once to avoid the (admittedly extremely remote) possibility that more of your kind might be spawned.
I'm being serious. Please, castrate yourself.
MOZILLA IS NOT INVOLVED WITH THIS ISSUE.
Got that into your thick skull yet? Here, I'll repeat it for your benefit:
MOZILLA IS NOT INVOLVED WITH THIS ISSUE.
Mozilla did not distribute the infected binaries. You cannot blame Mozilla for what they did not distribute. The virus was not in any way related to the Mozilla software, as it can infect any Linux binary. You cannot blame Mozilla for an issue which is not caused by their software.
Your post makes about as much sense as saying "I downloaded Claria thinking it was Opera, now I hate Opera for infecting my computer with spyware."
No, on second thoughts, your post makes even less sense than that.
Ummm...No, not in context of proper English. It's a referential statement aligned with the prior statements, "Infected binary or source code files aren't anything new. And sometimes they are found on public servers."
Mozilla's infection is the latest example of a public server serving infected files. Latest has nothing to do with the virus but rather relates to infections on public servers. Unless you can show how this common use of the English language somehow is not relevant in this case, I don't get your point at all.
"... but you can love completely without complete understanding." - Norman Maclean, "A River Runs Through It"
You are incorrect in what I think is your major point:Source of the problem is OSS.
Nope. A compromised server could be used to distribute a hacked IE.
I was going to make fun of your post - but upon further reading, you're obviously not a native English speaker (and can speak English far better than I can Danish)
My pics.
Everyone knows that Linux can't get a virus. I'm sure I've read that about a million times on /.
Clearly this is just a lie spread by M$.
You never really know how close to the edge you can go until you fall off.
It's about freaking time virus writers started supporting Linux and Mozilla...
Err, wait...
// file: mice.h
#include "frickin_lasers.h"
It might not be the fault of the Mozilla foundation, but I can see this as being another Microsoft marketing ploy against OSS by suggesting that their software is less likely to be infected because they have QA teams to help verify validity before their products leave the store and because Microsoft is their own distributor of software downloaded from their site. Not to say that their Korean offices couldn't accidentally make the same mistake, but Microsoft can surely find a way to use this to their advantage.
My lame blog.
As any Slashdotter knows, ONLY IE and MICROSOFT products have bugs, viruses, and security exploits.
We all know open source and anything not MICROSOFT is immune to these sorts of things.
This is obviously a MICROSOFT frame job.
The distribution system is how people get the code. If the md5sums from the main site would be valid, then why not download from the main site?
Once you start installing apps from random sites you open yourself up for all kinds of problems.
Yeah. Keep believing that. Maybe you've heard of this stuff called "spyware" that infects machines via IE's ActiveX implementation.
Or maybe you haven't heard that a restricted user cannot use IE because the permissions aren't correct.
So, on Windows, you must have elevated permissions just to use the various apps and THAT is what results in so many infections.
When I installed Ubuntu a few months ago, this sort of thing wouldn't work for me - I had a lot of problems when I tried to sudo stuff. Eventually, I just logged in as root and ran stuff directly.
--LWM
Is everyone's goal to post as fast as possible and move on?
Half the posts are busy defending Linux when this problem clearly could affect any operating system and the other half are Windows users insulting Firefox before they read a single comment or try and understand the article... What gives? This intelligent discussion sounds more like ignorant screaming.
Really, I look at a situation like this and, rather than lament about the sorry state of the software involved, I really just want to know how to make it not happen. With UNIX systems, this shouldn't be an impossibility - right off the bat many people have said "don't be root to install",which does stop one point of failure in the process, but it doesn't solve the problem of _running_ the application as root.
Some solutions come to mind for things that you should be doing anyway (firewall traffic on ports not being officially served by a system; make /bin binaries immutable), but these only make it so that the actions taken by the virus fail (relatively) silently. No big klaxons going off to tell the admin that a program is misbehaving as root.
And might this be an argument for a Security Levels sort of system whereby things like "remove the immutable flag from /bin/bash" is made impossible without a reboot even for root, a la BSD?
Is there any sort of system-wide watchdog that can be put in place to monitor programs and catch actions that are outside the scope of its auspice? I think chroot can be used in a manner somewhat consistent with this idea, but not without resulting in some serious systemwide design complexity if you want to do it right. Any other thoughts?
Know ye not that ye are Gods???
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
You see? All but one had "number of sites" between 0 and 2.
They
Do
Not
Spread
Linux's security model is far more effective than Microsoft's one for Windows.
Anyone can write a virus/worm/trojan for Linux, but they cannot get them to spread beyond any machine that they themselves do no have access to.
Just because you install an app as root and it is owned by root does NOT mean it runs with root privileges. If you want that to happen you have to set the setuid bit. Go read up your Unix 101 for Dummies book then get back to us.
That's why you keep your home directory on a RAID, duh! :)
LRC, the best-read libertarian site on the web
Unofficial and Unaffiliated with Mozilla Korean Binaries infected.
The editors are not doing their job, but that's not news.
Has this been verified ?
F-Secure incorrectly report a MASSER infection in the latest release of Sun One application server.
...are Microsoft astroturfers and trolls coming out in force on Slashdot to bash Mozilla whenever the "opportunity" presents itself. Amazing what a bunch of whiners Microsoft fanboi's can be.
I know you know this, but for the sake of casual readers: as has been stated elsewhere in this story, this wasn't a Mozilla-controlled site. It wasn't sent out from Mozilla with a virus in any way, shape or form. The problem was not with "Mozilla", but with an unauthorized modification to it. And yes, modification of a downloadable binary to insert a virus/trojan horse/other could be done with any software. No one has ever claimed otherwise.
To be fair, the same people should bash Microsoft if some rinkydink OEM ships a computer with a Windows virus on it. Somehow, I kinda doubt we'll see that...
Kythe
GP: Xandros gives root login by default.
P: Bullshit!...If you wish to hide the root account on the login screen, this can easily be done by going to Launch->Control Center->System Administration->Login Manager->Users, and selecting root under "Hidden Users."
Most Linux users don't run as root. Most distributions specifically steer users away from that if they try to, anyways. KDE on most distros, for instance, will give you a big scary red screen with no icons and a prompt to log out if you log into it as root. Besides, running as root doesn't provide any benefit other than avoiding the root password when doing system administration... and what user is going to spend most of their time doing that?
Browsing the web, changing your desktop look and feel, checking for email, playing games, and chatting are the activities most users want to perform, and you don't need to be root for any of them.
If you run mozilla as a normal user
But you'll have installed it as root, and the installer was infected, and you're still screwed.
It's official. Most of you are morons.
Yes it is "my beloved" ports collection that helps me keep safe /FreeBSD User :D
Almost all packaging systems allow the execution of arbitrary code. I'll grant that some only use root privileges to copy the programs to the final destination directory. But they're a minority--most allow, for example, at least testing the deployed app.
Most packaging systems also allow the installation of setuid programs.
It was lindows that I was thinking of, not Xandros. Just so that you know, Lindows basically logs in as root by default. You have to go out of your way to create individual accounts. I am guessing that when you did Xandros, it did root password and then insisted on at least one user account (same as in SUSE, Redhat, Mandrake, etc). Sorry again. These days, I stay with more of the major lines rather than the minor distros.
I prefer the "u" in honour as it seems to be missing these days.
Zeeeeeeeeeeerrrrrrrrrrrrrrrrrrgggggggggggggggg rrrrrrrrrrrruuuuuuuuuuuuuuuusssssssshhhhhhhhh!!!!!
Reality is a big nasty dragon. Fortunately I don't believe in dragons.
Hey, what is going on? Nobody posted "In Korea only old people..." yet.
Oh well, what the hell...
People won't have too much trouble with this virus as long as they are not running as root.
But if i wanted a lackluster unfeatured OS just for security that had a tyrannical leader, i would have just installed MSDOS with a TCP/IP driver.
That was actually pretty clever--not redundant. +1 Funny if you ask me.
We already knew FF isn't as secure as its supporters claim it is. That's not news, and I hope people who are promoting Firefox are doing so because of features and not a myth of security.
What was interesting, was the existence of the Linux virus. I'm pretty certain these things aren't supposed to be possible, because Linux is uber super secure from design.
Yet another myth bubble burst.
I guess next we'll hear about the big Apple MacOSX virus that also isn't supposed to be possible.
I have "~/bin" and I put all my 3rd party apps in there.
Ok, so the impact is everything else in ~/bin, as well as anything and everything on the system that your account can write to, including networked drives, etc.
I'm assuming you have data? Maybe your resume? Letters to your mother? Financial data? Nakid pics of your girlfriend?
All gone.
Hey, but don't worry...
/usr/bin/games is protected! You can still run xtetris!
I don't think people fully comprehend the damage a virus can do. The concern is not the system. A system can be recovered from CD. It's the data. And you better have good backups.
If you're going to install a package such as FF, why bother going to an unoffical site that has had /known/ problems with security?
www.internetnews.com/security/article.php/3512081
Come on! Don't blame Mozilla.org for something that's not under their control. This goes double for the Windows idiots that point and say that "oo! FF is just as vulnerable!" and forgetting all about that this is just like going to "Shady Joe's Windows Upgrades" instead of microsoft.com for SP2.
--
BMO
I don't think too many people downloaded it already. So if they remove it fast then there shouldn't be too many people knowing :)
The point is that I think the sentence is intended to mislead the reader. It's quite possible to do that whilst remaining grammatically correct.
Specifically, there is an ambiguity in the use of the word "latest". It is quite correct to use the word to mean "most recent occurrence".
However, a common usage in the media is "very recent occurrence".
So, to my eye, that article reads as if the author intended us to think that this server compromise was something new
Unless you can show how this common use of the English language somehow is not relevant in this case, I don't get your point at all.
It's a semantic issue, not a syntactic one.
Hope that helps.
Don't let THEM immanentize the Eschaton!
It makes me wonder why people think Slashdot has such a pro-Linux bias - clearly Taco will publish FUD from anyone at all ;)
Seriously - where better to debunk crap like this?
Don't let THEM immanentize the Eschaton!
This has been a worry of mine for some time.
Notice that when you use MSIE on Windows, it shows you the true URL of the site you are downloading from. In the download box, it will show you the URL it's downloading from, and you can see Mozilla's choice of mirrors around the world.
With Firefox, however, you don't get to see this by default. It just shows the basename of the file you are downloading, not the full URL containing the hostname and directory path. By right-clicking on the progress bar in the Downloads popup window, and choosing Properties, you can then view the true URL, but many users don't know about this.
If the user has turned on the "Ask me where to save every file" option, the popup file-chooser window also unfortunately does not show the true URL. It would be an ideal place to show it in this window, as there seems to be plenty of room there.
Right now, I have to download the file multiple times, open the Properties to make sure I'm getting a different mirror, and then diff the files to make sure they're the same, before I can consider them trustworthy enough to install.
By itself, this is just a nitpick, but it turns into a nasty bug when combined with other things:
1) The user not being able to easily see the true originating URL of a file, before making the download decision
2) Mozilla's decision to use a huge variety of seemingly random sites as mirrors, some more questionable than others
3) Mozilla's decision to not have any way whatsoever of verifying the integrity of the download, such as a cryptographic signature
Put all three together, and it's virus time!
Microsoft: Smug Mode.
With the large numbers of mirrors Mozilla uses, spread throughout the world, the odds of someone sneaking malware in there (either by ignorance, hacking, or a good old-fashioned bribe) are quite high.
The solution probably lies in a plugin. If there's not already a plugin to let the user plainly see the true URL and verify where files are coming from, it should be made (I wish I knew how). The plugin should also have some cryptographic method of verifying a downloaded file, and Mozilla should sign all releases with a strong key. It's just basic common sense, and I'm shocked Mozilla hasn't done this already.
Dr. Demento On The 'Net!
The sums only check to be sure you got what the VAR sent. It doesn't mean it is clean. The parent says you should check them against a reputable location. If you don't check against Mozilla.org, you aren't getting any safety at all. But if the VAR wants to patch, then the sums won't match.
My point here, which you missed twice is that without a central patching/release authority, there is no way to have users be sure they are getting a safe build.
Thus the theory that you can get updates on a moment's notice with Mozilla is undercut. Yes, you can do so, but you aren't sure what you are getting. You trade one risk for another.
Again, the logistics of doing a large release are significant. Making statements like "Mozilla patches are available in under 24 hours!" belittles the actual process of ensuring safe software gets to people properly.
http://lkml.org/lkml/2005/8/20/95
When will the editors of Slashdot take responsibility for the items they publish? Do they do any fact-checking at all? They have an extraordinarily popular and powerful journal, but they handle it with the journalistic standards of a high school student newsletter.
I've heard the virus has been in the wild since 2002, but from a developer-stand-point, I have to wonder, why are the development computers being allowed to traverse a DMZ (provided they have one)? It's highly unlikely the virus was brought in on one of the developers. Development computers are for development purposes and should not be subjected to ANY kind of external resource whatsoever. Because of this, there is no control in the content of the media, ergo, this latest mishap with the Korean distros. This is the equivalent of running a high-profile DNA lab test on a park bench in Madison Square Garden while hobos spit at you.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
I was under the impression that, if a user runs a program, even one installed as root, owned by root, that, unless it is set uid root (ls -s of file should show something like: -rwsr-sr-x 1 root root), that it can't trash anything the user doesn't have permissions to trash. If that's the case, unless this mozilla were installed suid root, what could it do?
In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
Luckily, I use the a.out format for all my linux binaries.
-- I was raised on the command line, bitch
Note to self - do not hire Koreans for sysadmin jobs.
A properly built Unix app has NEVER needed to be installed by root.
Not so fast. A lot of popular software packages for *n?x systems are device drivers such as printer drivers, scanner drivers, sound card drivers, and the like. Under current monolithic designs, device drivers do need to be installed by a superuser.
Execute and store online backups as another user.
And how long would that take at 48 kilobits per second?
MOZILLA IS NOT INVOLVED WITH THIS ISSUE.
The point is that most home users do not know this.
Your post makes about as much sense as saying "I downloaded Claria thinking it was Opera, now I hate Opera for infecting my computer with spyware."
Except in this case, because the domain is mozilla.co.kr, it would be extremely easy for less sophisticated end users to mistake Claria for Opera.
Sounds like the Honeymoon is over.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
As much as it pains me to say it, this would never have happened to a Microsoft product. Microsoft has never taken kindly to any 3rd party distributing their binaries for them, even if they're friendly 3rd parties. Remember when there was that torrent of SP2?
Does anyone know how many copies of the trojaned installer were downloaded before it was discovered?
Legalize recreational marijuana. Seriously.
According to someone, over the last 5 years there was only one event of a virus-infected installation package for Mozilla, versus 35 infections for Microsoft.
See, it's no big deal.
Administrators of what? I doubt anyone would have problems like this if they simply pulled their binaries from a trusted source, like Debian.
I think too many Linux admins don't believe there's such a thing as a Linux virus.
No, they just don't believe they have ever seen one. I'm not sure how you think you can convince them their eyes are wrong and you are right.
Tell me how you get this silly thing into a hosting server. Machines like that should have some stable distro on them and never budge unless attacked by malicious users. Give me some infection numbers and a study to back up the "so many" number.
Friends don't help friends install M$ junk.
Glesgakiss, your post contains no information.
"dealling with trojans is a 90% user function." - Can you define this please? Did you just pull that number out of thin air (or someplace else)? I think you made it up. Prove me wrong and show where 90% comes from and what "user defined" means. As I recall, IIS has been trojaned so many times without any user interaction. Maybe since they installed IIS, they trojaned themselves?
Regardless of your foolish made-up numbers, there are real world statistics to look at. How many instances/sites are infected with this renegade copy of Mozilla? Less than 1%. This means that the trojan was ineffective, like usual.
I cannot say that it is impossible for many many Linux machines to be infected. There is very little that is impossible. But likewise, you can not say that just because there exists a virus for Linux, then the whole world Linux install base is in danger. Security is a matter of risks and the risk of this one is very low.
You must do better to show the severity/risk of this virus other than say, "oh, I suppose it's possible so you're all in danger"
I repeat: Show me the scale at which this virus has grown, otherwise this article is pure and utter crap. There should be better moderation of who posts meaningless drivel. Doesn't Slashdot have someone review these articles before they are posted?
Yeah, but what about those people who will, sooner or later, launch Firefox as root. Personally, I download all my packages as root, but I use ftp or wget (commandline). If somebody were to go one step further and use Firefox, they would be exposed.
Here's the thing. If the binaries had been digitally signed by the mozilla foundation, then the hacker's attempt to change the file would have broken the digital signature.
Without signatures on binaries, there's no way of knowing if the binary you download is the one that the author intended it to be.
What are you talking about? Korean is corrupted blood!
I bet there are a lot of pissed off Kims.
It's not that problems happen, it's how you learn to deal with them that counts... In this case the virus is piggybacking on something the user wants to install, which circumvents Linux's user model protection... There are several scenarios that could lead to this; this is a good time to think about how all of them can be preempted....
Scenario 1): A malicious party plants virus code within a code repository; the malicious code is unnoticed when a release is made...
Scenario 2): Code is built on an infected system.
Scenario 3): Infected packages are planted in a package repository.
Scenario 4): Knowingly infected code is distributed independently, directly to the user.
Well, as other people have pointed out, Scenario 3) already has safeguarding measures against it... signing packages. As long as the malicious party does not have the power to make official packages this should hold up quite well. Scenario 2) sounds like it will be an uncommon issue - it will happen very occasionally... Hopefully the source of the issue will be easy to track down and damage will be minimised. Scenario 1) sounds like the least likely route but nonetheless possible. Most content systems log all transactions so it should be easy, once offending code is found, to see who submitted it. Scenario 4) is by far the most worrying and likely of the four. This kind of attack happens a lot already in the Windows world. However there is a nasty twist where open source software is involved. It is quite possible to build a compromised version of a popular and trusted program and distribute it independently - damaging the good name of the original product (which may in some cases be the intention of the exercise). In all four scenarios this type of virus threat is not really contagious since it requires the user to bypass security for it. This is still worrying as it is potentially no less painful to those infected.
Complaints are mainly about the fact that Windows configures your account as admin by default. Inexperienced users do not switch to a user account by themselves.
-- bouh
If you read the link, the installer was infected. Most of the time that's going to be run as root.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
The problem is that the VAR in question put up an already trojaned copy. If you checked the sums against VAR sums, they would have matched.
And I never said a central authority means you are getting a clean build. I said that without one you cannot guarantee you are getting a clean build.
With Mozilla's central authority you can have some more confidence, but of course you can't be sure of anything. You can't be sure the sun will rise tomorrow.
The point was again, and I was the one who made it (a couple posts up now) that the claims that Mozilla patches within 24 hours aren't really useful to most people, because the first thing that most people need to be concerned with is getting a clean build. Then it's important that every possible bug be patched, after that.
Yes, md5sums protect you from trojaned software. Well, in as much as they help you know that you got what you were supposed to get. Whether the person who put that up might have trojaned it by accident or mistake doesn't really have much to do with md5 at all.
They protect me if the software was trojaned after the md5sums were made and the person who trojaned it didn't think to update the sums.
http://lkml.org/lkml/2005/8/20/95
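The three trust models argued over in this thread (a digest hosted beside the archive on the mirror, a digest fetched from the project's own site, and a detached signature from the publisher), together with the VAR point that a locally rebuilt binary no longer matches the publisher's sums, as an added Go example that is not code from the thread or from Mozilla. The Ed25519 key pair, the archive bytes, the "payload" and the function names are constructed stand-ins for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// MirrorRelease is what a download mirror serves: the archive plus the
// digest it publishes beside it. Both live on the same host, so both are
// under the mirror operator's control.
type MirrorRelease struct {
	Archive []byte
	MD5Hex  string
}

// Publisher models the project's own site: it keeps the signing key and
// publishes, for each official build, a SHA-256 digest and a signature.
type Publisher struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a throwaway Ed25519 key pair (constructed for this
// example; a real project would use a long-lived, offline-protected key).
func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{pub: pub, priv: priv}, nil
}

// Publish returns what the project's site hosts next to the official build:
// the SHA-256 digest (hex) and a detached signature over the archive bytes.
func (p *Publisher) Publish(archive []byte) (sha256Hex string, sig []byte) {
	sum := sha256.Sum256(archive)
	return hex.EncodeToString(sum[:]), ed25519.Sign(p.priv, archive)
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Infect models a mirror replacing the archive and re-publishing the digest
// to match, which is all a mirror-hosted checksum can ever attest to.
func Infect(r MirrorRelease, payload []byte) MirrorRelease {
	infected := append(append([]byte{}, r.Archive...), payload...)
	return MirrorRelease{Archive: infected, MD5Hex: md5Hex(infected)}
}

// VerifyMirrorMD5 checks the archive against the digest from the same host.
func VerifyMirrorMD5(r MirrorRelease) bool { return md5Hex(r.Archive) == r.MD5Hex }

// VerifyPublisherHash checks the archive against a digest fetched from the
// project's own site; the mirror cannot change that value.
func VerifyPublisherHash(publishedSHA256 string, archive []byte) bool {
	sum := sha256.Sum256(archive)
	return hex.EncodeToString(sum[:]) == publishedSHA256
}

// VerifyPublisherSig checks a detached signature with the publisher's key.
func VerifyPublisherSig(pub ed25519.PublicKey, archive, sig []byte) bool {
	return ed25519.Verify(pub, archive, sig)
}

// Outcome records how each check behaves against three downloads: the
// official build, a mirror-infected copy, and a VAR's locally patched rebuild.
type Outcome struct {
	MirrorMD5OnInfected     bool // true: the mirror recomputed its own digest
	PublisherHashOnInfected bool // false: digest came from a host the mirror does not control
	PublisherSigOnInfected  bool // false: signature does not cover the modified bytes
	PublisherSigOnClean     bool // true
	PublisherSigOnRebuilt   bool // false: a legitimate rebuild is not the signed build either
}

func RunScenario() (Outcome, error) {
	pub, err := NewPublisher()
	if err != nil {
		return Outcome{}, err
	}
	official := []byte("mozilla-1.0.6-linux.tar.gz (constructed placeholder bytes)")
	shaHex, sig := pub.Publish(official)
	clean := MirrorRelease{Archive: official, MD5Hex: md5Hex(official)}
	infected := Infect(clean, []byte("appended infector stub (constructed)"))
	rebuilt := append(append([]byte{}, official...), []byte(" + VAR security patch")...)
	return Outcome{
		MirrorMD5OnInfected:     VerifyMirrorMD5(infected),
		PublisherHashOnInfected: VerifyPublisherHash(shaHex, infected.Archive),
		PublisherSigOnInfected:  VerifyPublisherSig(pub.pub, infected.Archive, sig),
		PublisherSigOnClean:     VerifyPublisherSig(pub.pub, official, sig),
		PublisherSigOnRebuilt:   VerifyPublisherSig(pub.pub, rebuilt, sig),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```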
Read the comments on their site. They say everything.
/bin folder is not normally writable in a Linux installation.
http://www.viruslist.com/en/weblog?discuss=170721
The Viruslist is behaving really irresponsibly. The article is BS and should be removed.
1. Mozilla.org has nothing to do with it.
2. Looks like someone has deliberately planted an old virus to the source and put it on the server.
3. The "virus" is on the very lowest score on the "Thread Metrics" (Symantec) :
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
4.
5. The virus is from 2002 and can not infect current distros.
Practically: the virus is not in the wild, can not spread, is not dangerous, is easy to remove and prevent. It's a laboratory thing, made in order to create something difficult: a Linux virus.
I would have to go back in my logs to confirm it, but over the last year, 90% of remote attacks on my servers have come from .kr networks. I was considering blocking entire networks at the router, just to filter out the noise in the logs.
Is it that the systems in .kr are easier to pwn and/or zombify, or is it that the crackers and script kiddies are just more prevalent?
Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
Well, they do offer MD5 and SHA1 checksums, but you really have to dig on the ftp site to find them. All part of the process of de-geeking the Firefox experience, I suppose; hide those ugly checksum files so they don't scare the non-tech users.
How secure are digital signatures anyway? I seem to recall a case when someone created malicious ActiveX controls that seemed to be digitally signed by Microsoft. MS's workaround at the time was to disable active scripting or not to trust microsoft components. I don't recall if that was a problem with the signatures though, or an exploit in IE.
Don't let THEM immanentize the Eschaton!