Slashdot Mirror


Spyware Disguises Itself as Firefox Extension

Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."

64 of 247 comments

  1. Not a vulnerability. by Short Circuit · · Score: 5, Informative

    Note that this isn't a Firefox vulnerability.

    The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

    1. Re:Not a vulnerability. by kfg · · Score: 5, Funny

      I refuse to use this trojan until it's ported to Linux.

      We have to send a message to developers that we want our apps native.

      KFG

    2. Re:Not a vulnerability. by DrXym · · Score: 3, Insightful
      Well yes it is. Firefox extensions are an easy way to trojan a system. Anyone can write an extension and put it up on the addons site and there isn't even the requirement that it be signed. There is no enforcement of trust at all except for a primitive domain whitelist system. I think it would be fairly trivial to produce a malicious extension. Worse, you could even craft one that works on Linux, OS X and Windows in one fell swoop, since you have unfettered access to all of the XPCOM objects running in Firefox.

      My feeling is that Firefox desperately needs to implement some kind of trust model. I can understand why that might not be RSA PKCS since the system is crap for small publishers. But something is needed. Even a trust model based on PGP signing would be of benefit.

      I'm sure some would argue that no one looks at signatures anyway, which might be an exaggeration, but it does have some truth. It is certainly no excuse for offering no trust model at all, or for Firefox UI designers to not be able to produce some simple traffic light trust system with sensible defaults to simplify it for those who can't or won't look at the certs.

    3. Re:Not a vulnerability. by dschuetz · · Score: 4, Insightful

      Note that this isn't a Firefox vulnerability. The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

      While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

      Of course, this presupposes that Firefox hackers can manage to get their extensions signed, and if that's possible, then the malware authors could do the same. Unless...FF gets distributed with a mozilla.org CA cert, and extensions accepted and published on the mozilla site(s) get signed with that cert, then every "legitimate" extension from the mozilla sites will be verifiable at runtime. The user could opt out of that with an "allow execution [not installation] of unsigned extensions" preference setting, but the majority of users would be protected, so long as the malware doesn't also set that preference for the user. :)

      (though even that last bit could be guarded against by creating a personal key to sign the config with, and every time you make a "security relevant configuration change" to the browser's settings, you have to re-sign the file.)

    4. Re:Not a vulnerability. by lowrydr310 · · Score: 2, Funny
      The headline makes it seem like Firefox is bad because there's a new piece of spyware that takes advantage of it.

      Darn, I knew this was going to happen sooner or later. Time to switch to IE. oh, wait a minute...

    5. Re:Not a vulnerability. by kfg · · Score: 5, Informative

      McAfee do not describe it as a Firefox exploit. They describe it as a VBS exploit originally written to target IE, i.e., a Windows exploit.

      KFG

    6. Re:Not a vulnerability. by KiloByte · · Score: 4, Insightful

      ... or until the trojan makes a trivial change in FireFox's binary.

      Once you're pwned, you're pwned. If you give someone free reign on your box, he can do anything to any file writeable by you.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:Not a vulnerability. by greed · · Score: 5, Insightful
      While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

      Once someone's system is compromised, they can replace or alter the FireFox binary which verifies the signatures, replace libnssckbi.so, libsoftokn3.so, whatever.

      You can't win at that point. If you're storing your operating system and executables on writable media, it can never be trusted to that level. The hardware would have to cryptographically verify the boot loader on disk, which would verify the kernel, which would then be able to verify everything it executes--FireFox alone can't do it.

      (Say, what was that hardware-based Trusted Computing stuff supposed to do? In addition to ramming DRM down everyone's PCI bus, wasn't there system verification too?)

    8. Re:Not a vulnerability. by 140Mandak262Jamuna · · Score: 5, Funny
      Come on, You dont even have to be a script kiddie to write malware for Linux.

      This is how it works:

      First create an executable that will do bad things. It could even be a csh script. Then send emails to all and sundry like this and attach that file"

      Dear Linuxuser,

      This is a virus/trojan/worm/malware for Linux. It works on the honor system. Please forward the attachment to all addresses in your .mailrc first and then save it to disk, chmod +x and sudo it. Thank you.

      Attachment: malware

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    9. Re:Not a vulnerability. by zo1dberg · · Score: 5, Funny

      This is the one thing that keeps people from running Linux on their desktops! We normal users don't want to fiddle around with the commandline and stuff like that, we need a point-and-click-interface to compromise the security of our computers! Trust me, until this is fixed, Linux has no hope of ever becoming a serious competitor to Windows.

    10. Re:Not a vulnerability. by archen · · Score: 2, Insightful

      I think you'll still end up with the same problems though. Where does firefox keep its list of trusts? In the registry, or a config file? People will want to develop/install plugins that aren't signed so you'll need to be able to make exceptions. Where will the settings for the exceptions be stored? In the registry or config file?

      I think this just gives you a false sense of security. If your OS were secure and you knew for a fact that no one else could ever write to the firefox config files or the registry, you could sign things just fine. But this isn't a man in the middle attack, but more like a "man in the backroom" attack. And that's exactly what this spyware does.

    11. Re:Not a vulnerability. by Not The Real Me · · Score: 5, Funny

      Good point.

      A friend of mine has certifications as an MCSE and a CNE. When I tell him to run "ipconfig /all" and "route print" (on his WinXP machine), the look of consternation and confusion on his face is priceless.

    12. Re:Not a vulnerability. by Drachemorder · · Score: 2, Insightful

      Any piece of software capable of running executable code is vulnerable to trojans. Anyone can write an executable program to do nasty stuff, and there's no reasonable way for an application to tell the difference. Firefox can't figure out on its own that an extension which deletes files or sends email is malicious, because such functionality can conceivably be useful. The only real solution is to educate people about running untrusted executable code, and Firefox already takes every reasonable precaution to do so. So much so, in fact, that it's a bit annoying when you really do want to install an extension. Trojans are a form of social engineering; with enough effort you can convince most people you're trustworthy, and there's very little that can be done to prevent that sort of activity, except perhaps educating people about the possibility.

      So the problem isn't the software. It's the people using the software. As more people learn about Firefox, we'll just have to accept that some of them are going to be stupid. It's a statistical inevitability. You can fix security holes all day, but you can't fix stupid.

    13. Re:Not a vulnerability. by PsychoSid · · Score: 5, Funny

      csh ! What century have I entered this time.

    14. Re:Not a vulnerability. by RedOregon · · Score: 4, Funny

      Actually, I'd call it a "man in the backdoor" attack, considering what it does to you...

      --
      Skivvy Niner? Email me!
      HEY! Look left just ONE MORE TIME!
    15. Re:Not a vulnerability. by soft_guy · · Score: 4, Funny

      A friend of mine has certifications as an MCSE and a CNE

      With friends like that, who needs users?

      --
      Avoid Missing Ball for High Score
    16. Re:Not a vulnerability. by DrXym · · Score: 2, Informative

      Well they should. In fact, I read just the other day that Debian will be signing packages at long last. It's not brain surgery to do either - Red Hat has been doing it for a very long time.

    17. Re:Not a vulnerability. by jftitan · · Score: 3, Funny

      Dear Linux User,

          This is a virus created for Windows users, and it is based on the honor system.
        Please forward this email and its trojan/virus written attachment to all your
        Microsoft based users, and let them know how much you care!

          Sincerely,

            Another Linux User Friend

      ATTACHMENT: firephox.extention.exe

      --
      "Don't Forget to Salt the Fries"
    18. Re:Not a vulnerability. by cyber-vandal · · Score: 4, Insightful

      Not as priceless as the look on my face on reading that and noting that that clueless muppet gets paid a lot more than I do. Maybe I should get off my arse and get one of them MCSE thingies.

    19. Re:Not a vulnerability. by arose · · Score: 2, Insightful
      It would be TRIVIAL to insert a trojan onto that site.
      I still don't see how that differs from a trojan on, say, SourceForge--that's just how trojans are.
      The funny thing is IE was panned for ActiveX control issues and yet Firefox contains something just as serious in extensions.
      IMHO problem with ActiveX are the seemingly endless vulnerabilities that enable drive by installations, I don't see this with Firefox.
      It is true that extensions must be voluntarily fetched by a user so the user base as a whole has a lot of protection, but it does not excuse the lack of trust information for the poor sucker who caught a dose from Mozilla's own web site.
      And your proposition for a distributed system of trust information that is transparent to users is? Sure, PGP/GPG signing might benefit to those who watch where they step, but it does little for those who are most susceptible to trojan attacks.
      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    20. Re:Not a vulnerability. by Anonymous Coward · · Score: 3, Insightful

      Look, I got my MCSE in 1999, and I had to know how to use ipconfig and route as part of the course -- now, did that get covered in the test? I don't know. But it was part of the work we had to do in the TCP/IP module. It's depressing to me because I think MCSE used to mean something, but I also have encountered dolts who have a raft of acronyms after their email signature, and it's almost a sure-fire way of identifying useless chumps in the organization. I don't advertise my MCSE in my signature, and I instead refer to my 11 years' experience as my qualification for doing what I do: that, and the fact that almost everyone in the organization comes to me when they want something done right.

    21. Re:Not a vulnerability. by drinkypoo · · Score: 4, Funny
      It's depressing to me because I think MCSE used to mean something

      It still does: Moron Confused by Sun Equipment.

      Still better than Netware, which has two certifications which stand for Certainly No Experience and Can't Network Anything.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    22. Re:Not a vulnerability. by X0563511 · · Score: 2

      Hell, you can probably take and pass the test without doing any of the coursework. Or you could do the coursework anyways and have a slight chance of learning a tidbit or two. I got my A+ without any study (like that's an accomplishment around here...)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    23. Re:Not a vulnerability. by infosec_spaz · · Score: 2

      Oh, come on....Mod parent up, it was FUNNY AS HELL!!! Give it a 6, come on.

      --
      ----- I have bad karma for a reason! -----
  2. MozillaZine Has More by Anonymous Coward · · Score: 5, Informative

    This MozillaZine article has lots more on the trojan horse, including instructions for spotting if you have it.

  3. Personally... by celardore · · Score: 4, Informative

    Personally I only download FF extensions from the official site.
    https://addons.mozilla.org/extensions.php?app=firefox

    1. Re:Personally... by Anonymous Coward · · Score: 2, Informative

      That's not what's going on. This trojan isn't installed as an extension, it comes as a regular old .exe in an email, which when you run it, then edits the firefox configuration files to add itself into the extension list without going through the normal extension process.

    2. Re:Personally... by celardore · · Score: 3, Insightful

      In that case... Who runs an exe they receive in an email? Unless I'm expecting it, and know the sender, I certainly won't.

      Education must be the answer then. I learned not to open random executables from unknown sources many years ago. People apparently click them though. Teach a man to use the internet, and he'll be safe for a day. Teach a man to know the internet and he'll be safe for a lifetime.

    3. Re:Personally... by SydShamino · · Score: 4, Funny

      Teach a man to send an "internet," and he can be a senator!

      http://www.youtube.com/watch?v=DClkE64nFDY
      Fast forward to about 2:00.

      --
      It doesn't hurt to be nice.
  4. Hmmmm by robpoe · · Score: 3, Interesting

    Basically, what you're saying, is I must open an EXE from a non Walmart "Walmart" email, or I have to use IE?

    Nothing to see here, move along..

    --
    = Grow a brain...
  5. Break extension by Anonymous Coward · · Score: 5, Funny

    In next version of Firefox, the extension will be broken anyways. Mozilla breaks extension every new release. :D

  6. Thankfully, I'm running IE by Anonymous Coward · · Score: 5, Funny

    Which makes me invulnerable to snooping for credit card numbers as all my accounts are empty and my credit rating is ruined.

  7. Emphasis on that. by khasim · · Score: 4, Informative

    This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

    This does not exploit any vulnerability in Firefox.

    If your OS is not secure, no app running on it can be secured.

    1. Re:Emphasis on that. by Short Circuit · · Score: 2, Funny

      If your OS is not secure, no app running on it can be secured.

      Ssh...don't tell the RIAA.

    2. Re:Emphasis on that. by _Sprocket_ · · Score: 4, Informative

      That's the legitimate extension. This trojan is not it.

    3. RE: Emphasis on that. by KURAAKU Deibiddo · · Score: 5, Informative

      Actually, if you read the article more closely (and similar articles that have appeared in no shortage of other places), the malware pretends to be the numberedlinks extension. Your post implies that the actual extension is malware, and this is untrue.

      Additionally, if you read the Slashdot blurb, it's explained pretty clearly there.

      Basically, if you click on e-mail attachments without knowing what they are, it's your own fault if your computer becomes infested with viruses and spyware.

    4. Re:Emphasis on that. by dedazo · · Score: 5, Insightful
      This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

      This is a user-executed email attachment with a trojan. It will happily be executed from Outlook Express, IE, Eudora and Thunderbird. McAfee mentions they've seen one version trying to exploit a three year old IE vulnerability. If you haven't patched that, well then you deserve to get nailed.

      This does not exploit any vulnerability in Firefox

      It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing something is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.

      If your OS is not secure, no app running on it can be secured.

      If your OS is being operated by a user that executes attachments from "WalMart" that read "helo, teh attcachements for yuo pleasures" then your OS is not secure.

      BTW, this progression is interesting. When FF came out just installing it would make the world safe, because it was invulnerable and impervious. Now I also have to switch operating systems? And when someone finds another exploit in SSH

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    5. Re: Emphasis on that. by trifish · · Score: 2, Interesting

      Ok, I stand corrected. Anyway, it is still a valid concern that any Firefox extension could actually be a Trojan horse.

    6. Re: Emphasis on that. by PhoenixPath · · Score: 5, Insightful

      No. It's not.

      Any extension downloaded from addons.mozilla.org has been tested, is widely used, and subject to an enormous amount of user feedback.

      Now, if you download an extension from kickme.to/malware, you get what you deserve.

    7. Re:Emphasis on that. by LiquidCoooled · · Score: 2, Interesting

      I agree with you here.

      There should be a way of signing the profile folder contents to detect outside changes.

      Knowledge is power, and being informed about a change to your profile will either set warning bells off or put you at ease (after you manually changed it yourself).

      --
      liqbase :: faster than paper
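      Two posts in this thread describe the same mechanism: dschuetz's idea of re-signing the configuration with a personal key after every security-relevant change, and LiquidCoooled's suggestion of signing the profile folder contents to detect outside changes. The script below is an added example, not code from the thread or from Mozilla. It builds a manifest of SHA-256 hashes for every file under a profile directory, seals the manifest with an HMAC under a user-held key, and on a later run reports files that were added, modified or removed, refusing a manifest whose own tag no longer verifies. The directory layout, file names and key are all constructed for the example; the key stands in for one derived from a passphrase the user types, since a key stored beside the profile would be as writable as the profile itself.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def build_manifest(profile_dir, key):
    """Hash every regular file under profile_dir and seal the listing with HMAC-SHA256."""
    root = Path(profile_dir)
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        files[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_manifest(profile_dir, manifest, key):
    """Check the manifest's own tag first, then diff the directory against it."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # The manifest was edited without the key: nothing in it can be trusted.
        return {"manifest_tampered": True, "added": [], "modified": [], "removed": []}
    recorded = manifest["files"]
    current = build_manifest(profile_dir, key)["files"]
    return {
        "manifest_tampered": False,
        "added": sorted(set(current) - set(recorded)),
        "removed": sorted(set(recorded) - set(current)),
        "modified": sorted(f for f in recorded.keys() & current.keys()
                           if recorded[f] != current[f]),
    }


def demo():
    """Constructed profile layout; the key stands in for one derived from a passphrase."""
    key = b"constructed-example-key"
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        (profile / "chrome").mkdir()
        (profile / "chrome" / "numberedlinks.jar").write_bytes(b"original extension bytes")
        (profile / "prefs.js").write_text('user_pref("example.setting", true);\n')
        manifest = build_manifest(profile, key)  # taken while the profile is known-good

        # Test fixture: alter the profile in the ways the thread describes (an existing
        # extension file overwritten, a new file dropped into chrome/, a pref file gone).
        (profile / "chrome" / "numberedlinks.jar").write_bytes(b"replaced extension bytes")
        (profile / "chrome" / "extra.js").write_bytes(b"// new file")
        (profile / "prefs.js").unlink()
        report = verify_manifest(profile, manifest, key)

        # Test fixture: a manifest edited to "bless" the new file, but without the key.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["chrome/extra.js"] = hashlib.sha256(b"// new file").hexdigest()
        forged_report = verify_manifest(profile, forged, key)
    return report, forged_report


if __name__ == "__main__":
    changes, forged_result = demo()
    print("profile changes:", changes)
    print("forged manifest:", forged_result)
```

      This is detection, not prevention, and it carries the limitation greed and mrchaotica raise: it is only as trustworthy as the host running it, so it belongs in a wrapper that runs before Firefox opens the profile, with the key supplied interactively rather than read from disk. Re-running build_manifest after a deliberate change is the "re-sign the file" step from dschuetz's post.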
    8. Re:Emphasis on that. by mrchaotica · · Score: 5, Insightful
      It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing something is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.

      Okay, and then the next trojan will simply add itself to the file that Firefox checks to see if the extension is new, and you're back to square one.

      Firefox isn't the problem. The fact that the thing can write to the application's directory means the computer is already compromised.

      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    9. Re:Emphasis on that. by athakur999 · · Score: 2, Informative

      Extensions can be happily installed inside a user's profile directory. It doesn't require write permissions to the Firefox application's directory to install an extension.

      There is nothing about "vulnerability" that would stop the same thing happening on a Linux box. The only saving grace for Linux at this point in time is that your average Linux user is smart enough to not execute random executable files they receive from people they don't know in an email message.

      --
      "People that quote themselves in their signatures bother me" - athakur999
    10. Re:Emphasis on that. by TheSpoom · · Score: 2, Interesting

      Microsoft has tried to do this multiple times. Ever hear of Windows System File Protection?

      Not that they've ever entirely succeeded, but the idea has been run through its paces a few times.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    11. Re:Emphasis on that. by penix1 · · Score: 2, Insightful

      "The only saving grace for Linux at this point in time is that your average Linux user is smart enough to not execute random executable files they receive from people they don't know in an email message."

      Although I agree with this statement, a lot of the time the really nasty ones are spread by people you *DO* know. You know the type. This is the user that actually believes clicking "Remove me from this list" will actually remove them from that spammer's list. These also tend to be those people that clog the email system with "try this! It really works!" messages.

      B.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  8. How does it work? by Klaidas · · Score: 2, Insightful

    Does it install simply by browsing, or does it need to open an .exe? Or do you install it like a normal extension?
    If it's #1, it's bad
    If it's #2, not so bad - a simple virus
    If it's #3 - hey, who installs extensions from non-official sources?

  9. Re:and? by hotdiggitydawg · · Score: 4, Funny

    (response from Lynx user) *cough* ActiveX *cough* *snigger*

  10. Re:Is numberedlinks legit? by savala · · Score: 2, Informative
    The article is not clear. If not, get it off the Moz site. If so, sux to be them.

    It is: "presenting itself as a legitimate existing extension called numberedlinks".

    The McAfee characteristics page (2nd tab - stupid that that isn't directly linkable) also says:

    The original component installs the following files:
    * %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar

    FormSpy installs these additional files:
    * %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar (modified - FormSpy)
  11. The tip of the iceberg... by Anonymous Coward · · Score: 2, Insightful

    People seem to be awfully dismissive of this, but it poses a real problem. Given the number of available vectors, even careful Firefox users can get struck by virus/spyware/other attacks (even OpenSSH has critical security vulnerabilities from time to time, and it is specifically designed for security). More sophisticated extension hacks aren't too far away. Given the level of extensibility offered via extensions, it sounds plausible that extensions may delist themselves from the extension manager (a la rootkit techniques). Even if the Moz team had the foresight to prevent such a hack, it is pretty trivial to simply infect an existing extension. Simply inject your hostile javascript code into the extension files to get loaded along with the host extension. Maybe modify existing javascript that is provided in a default installation, such as the search engine plugins. Plus, you get the added benefit of cross platform compatibility for your Firefox hacks.

    This is the proverbial shot across the bow. Perhaps it's time for cryptographically signed extensions? It may not protect from someone explicitly installing a hostile extension, but it may prevent the self-installation of this kind of software from succeeding.

  12. It is a vulnerability. by mobby_6kl · · Score: 2, Insightful

    Firefox isn't doing anything to prevent it, so it's a Ff vulnerability.

    At least, that's how it works for other software.

    1. Re:It is a vulnerability. by peacefinder · · Score: 2, Insightful

      In general, if the next lower layer can't be trusted, the security of whatever you're evaluating is screwed.

      By way of example, at my previous job I used a linux boot floppy to change the local administrator password on a Windows NT4 system, thus owning the machine at the next boot. By an extension of your standard, this represented a Windows vulnerability, because whatever measures Windows may have taken to prevent such a thing (like NTFS) were ineffective.

      I think that's a clear mis-assessment of the true vulnerability: the problem wasn't that Windows couldn't handle tampering, but that the machine itself was physically unprotected from tampering. (Fortunately, I was an authorized tamperer.)

      Likewise, it is unreasonable to expect any app to successfully defend itself from its host OS. Firefox might make OS-level tampering harder, but it cannot prevent it. Therefore I agree with the grandparent poster that this is not a firefox vulnerability.

      --
      With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  13. that's it, I'm switching to Internet Explorer by Anonymous Coward · · Score: 3, Funny

    I've had it. That's it, I'm switching to Internet Explorer. You can play with your crappy browser but I'm done with it.

  14. Spyware Disguised as an MSIE Extension by krell · · Score: 5, Funny

    It could have been worse, like spyware disguised as a Microsoft Internet Explorer extension. That's sort of like Nixon wearing a Nixon mask.

    --
    Where were you when the voynix came?
  15. Re:Why is mozdev.org still... by radish · · Score: 3, Insightful

    Hate to break it to you but ALL software is potentially bad. You have to decide how much you trust it based on who wrote it, whether that's verifiable, your own inspection of the source, whatever. In the case of F/OSS you do at least have the option of inspecting the source. You have no such luxury with non-free software, in which case you simply have to decide how much you trust the publisher.

    --
    ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  16. Re:FUD by LurkerXXX · · Score: 3, Insightful

    What you don't seem to realize is that IE isn't embedded in 3rd party email clients like Thunderbird and Eudora, but the attachment will still hammer Firefox when you run it, just as it will in Outlook.

  17. RTFA by sensei85 · · Score: 5, Informative

    Again with people jumping to conclusions. The trojan is loaded when you open an .exe attached to an e-mail from "Wal-mart". Lesson to be learned: never open random .exe attachments. Ever. Problem solved.

    For those of you screaming that "numberedlinks" should be removed from the mozilla site, that wouldn't fix the problem. The original extension is perfectly safe and NOT a trojan. This one is just spoofing it by installing itself with the same name.

    A little more careful reading and some common sense go a long way

  18. Re:Why is mozdev.org still... by Anonymous Coward · · Score: 2, Insightful

    you will be labeled a hacker/cracker whether you like it or not; innocent or not.

    And, until this is settled, I will consider anything you develop to be suspect.


    Then that makes you part of the problem, asshole. It's not the legitimate author's responsibility to police every malicious programmer and make sure that they are not using the same name as something that is legitimate. If he has the name of his extension legally registered, and the author of the malware gets identified, then the legitimate author can sue for infringement, but that's the only recourse he has. He just has to hope that malinformed assholes like yourself are the minority.

  19. Firefox is horribly vulnerable; I have proof. by mmell · · Score: 4, Interesting
    On a machine which I maintain for my SO and children, M$ XP Pro is installed. The default browser is FireFox, which I have managed to convince my SO and children to use.

    My daughter (with a limited user account, no less) viewed a malicious advertising banner while logged into MySpace.com. I'm quite sure she clicked "yes" to running a WMF exploit.

    She has a limited account. End of story, you say? Nope, read on . . .

    My wife logged in a couple days later. A popup balloon warned her that the machine was infested and she should "click here to fix the problem". Well, she installed AntiVirusGolden v3.3 (from her not-so-limited user account). Who can blame her? I wouldn't have fallen for it (I already had CA's EZ-Antivirus installed and more or less trusted it), but it looked like a valid course of action to her, so the next thing I knew there were nearly a dozen payloads whanging around the rusty innards of my SO's computer - some acquired on the spot, others dropped there during the following week, I'm sure.

    That machine now runs Linux (like the rest of my home network). I'd like to thank the wonderful malware authors at AntivirusGolden for giving me the leverage I needed to convince my SO to give up on Windows and use a somewhat more securable OS.

    Oh, but I'll continue to use Firefox, now that I've closed that horrible WMF exploit that it has! You'd think the Firefox development team would know better than to trust end-users with the option to execute WMF's. Hmmph!

    *(The above is intentionally sardonic; but the basic facts are true)*

    1. Re:Firefox is horribly vulnerable; I have proof. by Itninja · · Score: 2, Insightful

      How does this make FF 'horribly vulnerable'? The WMF flaw is, by definition, a Windows problem not a FF one. That's like saying your new alarm system is flawed because someone left the front door unlocked.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  20. Re:FUD by Firehed · · Score: 2, Insightful

    As with anything else, this requires you to be enough of a moron to run an attachment received in a spam message (which theoretically requires you to be enough of a moron to actually read your spam). It's much more of a PEBKAC problem than a vulnerability of any piece of software. I don't know about Eudora, but I've found Thunderbird's spam filtering to be excellent, something not even offered the last time I used a MS-made client, which hypothetically reduces the risk of you running the thing, though that's pushing it.

    It's probably worth considering that most people smart enough to have switched to Firefox are also smart enough not to think "oooh, cool, free file, better see what it does!!!1".

    --
    How are sites slashdotted when nobody reads TFAs?
  21. make it open source by kdemetter · · Score: 5, Funny

    just send the source code in a nice tarball .

    that way it's open source and people can improve it .

  22. Re:and? by vdboor · · Score: 2

    (response from Safari user) *cough* Obtain an interactive shell through lynx *cough* Lynx NNTP vulnerability *cough* Lynx CRLF injection *cough*

    --
    The best way to accelerate a windows server is by 9.81 m/s2 ;-)
  23. Signatures don't matter here by sterno · · Score: 3, Insightful

    You are talking about a situation where an executable has been run with your privileges. It can do anything it wants to, especially in Windows where most people run as Administrators. It can disguise itself as a firefox extension, sure. But it could also modify the firefox binary, or simply install a sniffer running as a service, or format your drive, or any number of nasty things.

    The only place a signature would matter in this case is when the trojan executable was run. If you are executing attached executables from an e-mail, then no amount of signature verification is going to protect you. The reality is that no technical process can exist that will prevent this kind of attack so long as users can install their own software.

    --
    This sig has been temporarily disconnected or is no longer in service
  24. Looking at the big picture! by Aeomer · · Score: 3, Insightful

    Forget the debate on FF vs IE and WinXX vs *nix - otherwise known as the 'My dad is bigger than your dad!' department. The issue is that an exploit, however it arrived on the machine, is targeting Firefox. All those smug 'it can't happen to me because I use xxxx version of yyyy product/os' should see this as the beginning of an onslaught on all *nix and open source projects in general. Yes, I realise this exploit was specifically on Windows but you are missing the big picture. That being an open source project went from a minor player to a major competitor and so became a big target. You may feel safe in your (insert *nix here) OS but the end of that house of cards is in sight. 'But I know what is secure and what is not, and my system is hardened against such stuff!', I hear you cry. Well, if you realise that more and more people are running *nix based desktops and most of those new users have and need only basic 'Clue' on how to run their browser and wordprocessor then we are looking at an ever expanding problem. How long will it be before everyday users are downloading distros with Spyware built right into the kernel? 'But, I know how to check a distro is genuine!!!', I hear you cry again. And again I say what about your average user - do they know instinctively how to check hashes on everything they download? No they do not! Mark this date in your calendar - the end of OS smugness is in sight.

  25. firefox -safe-mode & by alskjdfasd · · Score: 2, Insightful

    i always run firefox in safe-mode. i know that extensions cannot be loaded, but the only important firefox extensions i used to use are now replaced by web proxies. for example, i used to use livehttpheaders, tamperdata, and modifyheaders. with burp, suru, webscarab, and xss-proxy, these extensions lack the significance they once had. for people that are heavy into extensions and themes, maybe you should first ask yourself why, and then weigh the benefits versus the drawbacks.

    i also change a few settings in options->content and about:config to prevent javascript from doing anything but the basics. since i'm always bouncing back between windows xp, linux, freebsd, and mac os x - it's nice to be able to achieve such consistency and still know what my baseline for browser security posture is.

    there is worse spyware out there these days anyways. see: http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html