Firefox Vietnamese Language Pack Infected With Trojan
An anonymous reader writes "Wired.com is reporting that the Firefox browser has been unknowingly distributing a trojan with the Firefox Vietnamese language pack. Over 16,000 downloads of the pack occurred since being infected. This highlights a risk of relying on user-submitted Firefox extensions, or a lack of peer review of the extensions, many of which receive frequent upgrades."
I always wondered if there's a trojan when I see these +.0.0.0.1 updates to some extension I last used a zillion years ago. Now we know it could happen.
So wait...It installs the Greek language pack?
This guy's the limit!
Me so horney
Me love you longtime
You got Trojan ?
Me love you longtime !!!!!
Guns are for wimps... Use a crossbow.. this way you can pin them to their chair when you go postal.
I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.
SJW: Someone who has run out of real oppression, and has to fake it.
I'm sure the Mozilla Foundation wants to know.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
In our featured story tonight, we uncover that browser extensions, toolbars, and other add-ons may contain malware. In other news, scientists have discovered that the sky is blue.
...vulnerable to these sorts of attacks (which anyone with any common sense would already know), the fact that it is such an open process means a greater possibility of earlier detection, faster analysis and response, and the rapid repair of the process which made such a gaffe possible. In the closed source world most of these steps would take exponentially longer, and quite often the process would remain the same.
This has nothing to do with Mozilla accepting user-submitted extensions. If anything, that makes them more careful about what they publish. A developer's machine becoming infected with an as yet unknown virus that is undetected by anti-virus scanners is a risk that every software producer faces. How many commercial software vendors even run their developers' code through a virus check when it is committed, let alone running regular anti-virus checks on software they have already released?
Will someone with mod points drive the racist posts down to -2 where they belong?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
post. removing incorrect mod.
I think RMS did this on purpose to make those users of proprietary Operating systems pay!
IranAir Flight 655 never forget!
Too bookoo! ;D
"The fight for freedom has only just begun." - Geert Wilders
Me no understand. What you say?
(I guess this means Slashdot sensationalism isn't restricted to anti-Microsoft articles.)
OS Reviews: Free and Open Source Software
This was modded funny? If OP had called them a derogatory term would it have been modded insightful? What a disgrace.
Space game using normal deck of cards: http://BattleCards.org
knock yourself out
<iframe src="httx://super.badsite.cn/evil.php"></iframe>
and that's it! Only displayed if someone wants to RTFM in Vietnamese (yeah right)
no executable code at all (certainly not viral unless html is a virus) and the site has no extra security privileges over any other
seems the Slashdot title is a bit over-reactionary considering
I use trojans to avoid infection...
Unless this trojan was discovered by analysis of the binary, then this is prima facie evidence that F/OSS tends toward greater security than proprietary software. When the typical person (as this thread shows) exclaims: OMFG, look! A trojan in F/OSS was discovered, but none have been discovered in competing proprietary products! they are wrongly assuming, as has been done over and over in this thread, that the code I cannot see is more secure than what I can see! I mean if I have no way to see the trojan, it isn't there, right?
:-)
Instead of saying that more trojans have been found, bear in mind that what is really going on is that more trojans have been discovered and removed. Just because no trojans were discovered and removed from M$ Windows today, that does not mean that there are none that remain undiscovered, and that will never be removed.
Of course, I'm ignoring for the purposes of this post the fact that one very valid definition of M$ Windows is "The most widely distributed trojan in the history of computing".
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Your reasoning is flawed.
You are coming to the conclusion that open source "sucks" because a trojan was supplied with one version of Mozilla Firefox. The problem with that reasoning is twofold:
1) The problem was detected nonetheless
2) It is being fixed rather quickly
Another problem with your reasoning is that you jump to saying "Long live microsoft!". While I applaud you for sharing your love, the link between a competitor's browser having a problem and your love of Microsoft is quite shallow.
For example, you could have said "long live Internet Explorer" and it would have made a bit more sense but not that much. Indeed, you assume that because Firefox has a problem, the other browser has no problems of its own.
Also, why Microsoft? This is another flaw in your reasoning. There are Opera and Safari, for example. So exclusively backing Microsoft's product because of a problem with Firefox is a weak argument at best.
In conclusion, I state that we can't support your love of Microsoft solely based on your argument.
Thank you for your precious time.
Sincerely,
Me
Me so solly me infect Vietnamese ranguage pack with Trojan. Me sucky sucky boom boom rong time!
Surely, all they would have to do to fix this situation is push out another update with a spartan in it. That should take care of that pesky trojan, wouldn't it?
I never apologize. I'm sorry, but that's just the way I am.
There have been a number of incidents of trojans and viruses being distributed in commercial shrinkwrapped software. Firefox was slack, like commercial distributors have now and then been slack. You get caught by surprise, fix the process, and keep going, and keep it from happening again.
If they don't address the process that caused the problem, then start worrying.
This is why I stick with tried and true Internet Explorer, rather than using a second-rate third-party browser just to be contrary.
I didn't know software developers relied on 'virus signatures', I thought they used MD5 hashes. And of course you don't download from any old site. Have sound security practices changed in the meanwhile?
davecb5620@gmail.com
Charlie don't (web) surf.
Windows users benefit from having a blackbox trojaned OS to begin with, with a history of so many "remote exploits" (we know they were all backdoors placed on purpose) who needs any other trojan?
We all know Windows is just a lapdog OS for the government, it's been the bitch of big brother all along.
Would you like some NSAKEY fries with that?
M$ had a hand in planting this to slow firefox's adoption rate. Firefox has been time and again proven to be immune to these kinds of things
Vietnamese is one of those "economically disadvantaged" languages that haven't received much attention in open-source programs until very recently, even with its 80 million+ users. Firefox support of Vietnamese was "in the works" for at least 5 years with not much to show for it. As recently as last year, I wasn't able to find anything installable from the Mozilla Foundation that supports Vietnamese. Meanwhile, Vietnamese language users rely on unofficial "patches" found elsewhere to enable support for their language.
MSKB 323302: PRB: Inert Virus Found in Korean Language Version of Visual Studio .NET
He posted on the bugzilla post (https://bugzilla.mozilla.org/show_bug.cgi?id=432406) saying he's preparing a cleaned pack. Apparently his computer was infected with the trojan which infected the lang pack files.
It's noteworthy that the actual trojan isn't in the files... just the code which does the advertising stuff, I think. It can't propagate from these files. Since it took so long to be detected it's possible the infected code doesn't work (after all it was intended for HTML documents and not language packs) but this is just personal speculation.
I don't know if this has been done yet, but each new extension submission or upgrade must be signed by Mozilla with some type of private exchange with the author. My concern right now is, I know some of my extensions come from third parties, what's stopping someone from hacking the server and introducing a fake upgrade that gets spread across to all users in the auto upgrade? Thus when the update downloads it and compares their checksum signatures, it would know it was not an authorized release. Thus besides hacking the server, the person would have had to have gotten the user's private communications password too.
I think Mozilla should:
- - include a SMALL number of useful extensions with the default installation of Firefox. That number should be countable on one hand. (My vote: Adblock Plus, Noscript, Tab Mix Plus)
- - be responsible for checking these extensions. They don't have to write the programs, but someone should go over the source and scan for viruses etc.
- - set up some mechanism on the Add-ons web site whereby extensions can develop a reputation. For example, an extension that has been around for a long time and has gone through quite a few version changes is unlikely to have a trojan. Users should be able to see how long the extension has been around. If someone new is taking charge of maintaining the extension, this should be shown, too, in case someone is trying to weasel his way into taking over a longstanding extension for nefarious purposes.
(This is NOT to say that the SMALL number of extensions should become a built-in part of Firefox. D'you hear that, Mozilla? We want a LEANER Firefox. I love Adblock Plus, Noscript and Tab Mix Plus, but I do NOT want them to be built-in.)
Much as the existence of a Firefox extension trojan is appalling news, I think this is part of the maturation process of the F/LOSS community. I liken this to the proliferation of the Internet in its early days when people were first starting to find out that Unix needed to have built-in security measures, and sysadmins needed to be on the lookout for malicious users. In the same way, the set of computer users savvy enough to use Firefox now need to start learning that there can be malicious hackers of Firefox, too, and that it now affects more people than just the conglomeration of closeted basement geeks.
C'mon Mozilla. You can do it. Doesn't take that much effort; the main thing to do is to spread awareness of security issues, and stop being so naive about extensions.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
"virus's signature was unknown .. (Score:1, Redundant)"
Pray tell all, produce any citation or historical practice of using virus signatures to validate software.
davecb5620@gmail.com
If you are asking whether Mozilla failed to virus-scan an extension, then, alright, I'll grant that they did do a virus scan, at least once.
But it would be foolish to say, "So that's why it's not really a Mozilla problem, because the software program couldn't detect it." It would be akin to that time when some reporters tested Homeland Security by illegally but successfully mailing a package of uranium into the US, and Homeland Security said, "Yeah, well, the reason it slipped by our security was only because they didn't mark on the package that there was uranium inside."
Reality sucks, but it needs to be faced.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
canceling mod point
There has been a lot of discussion about closed source projects having dedicated QA departments and the relative merits of that.
The problem is most software companies don't do QA right.
It's fundamentally against the quarter by quarter business mindset that dominates most companies. QA doesn't produce anything. QA usually pushes back release dates. QA can be almost as resource intensive as engineering.
QA only pays off in the long term as a reputation for quality outside of the company, and then only if they are given the resources they need.
If: You're only willing to hire cheap staff to punch away at the GUI
If: QA doesn't have a say on whether bugs are fixed before release
If: QA doesn't have at least 80% of the product knowledge of the engineers
then a large QA team suffers immense diminishing returns and will likely cost more than they save over the long term.
Unfortunately most companies feel that throwing more cheap bodies at the issue will increase their quality (hint...it won't). At that point the OSS route of lots of eyes is way better.
Without having to go through TFA, and all its related FAs, can somebody explain what happened here?
It's my impression that FOSS 'DOES' have quality control, in the form of Alpha and Beta releases. Experienced personnel check these test releases of open source software for bugs, and one can assume for malware.
How then could a trojan have gone through the alpha and beta testing unnoticed?!
Was the language pack released without testing?
None of the testers caught the trojan? This seems unlikely, even if nobody thought of checking the source code. According to TFA: "That Trojan inserted a banner-ad displaying script into any html file on his system". Meaning there were some visible effects of the infection. How come nobody noticed them?
Were the test releases clean, but the final public release infected?
Should I put my tinfoil hat on, and suspect ill intention? Someone intentionally infecting the 'public' release, after all testing is done; so people as the OP can have a feast saying that FOSS is bad because it doesn't have QA?
I know this is conspiracy-theorizing, but something smells fishy here.
I will give you the lack of documentation bit. But on that point, you have to understand that the customer base for FOSS software is different from the customer base of commercial closed source software. The former doesn't put as much weight on formal/external documentation (they got code) in terms of requirements.
..." End users are usually irrelevant unless it effects the company. FOSS doesn't dabble in this as much. Unless everyone knows about it and no one cares enough about the issue, they don't have a choice; they have to put out a fix.
On the QC side, I would say FOSS does far better than commercial closed source software (CCSS). Both camps have developers, testers/QCers, and end users. I would say in a good SDLC setup, relative to the other groups, the less developers, and more testers, the better. Meaning the ratio of devs to users is low (r1), devs to testers is low (r2), and the ratio of testers to users is high (r3).
In CCSS, an entity is the creator of software, end users are the consumers and they are separate. So r1 is low, r2 is high (few can justify a lot of testers), and r3 is low (source is closed, so users can only do limited testing). In FOSS, a significant portion (relative to CCSS) of end users are developers and testers. So r1 is high, r2 is low, and r3 is high (users are the testers). The FOSS method is closer to ideal SDLC resources with too many developers being the crutch.
In addition, CCSS has the fault that every issue they find has to go through a risk analysis. "Is the cost of pushing this out worth it to us? Is it serious?
Hackers/crackers put another dimension into this equation, and I think both sides are fairly even in this regard. Long story short, the assumption that hackers/crackers don't have access to the source code in CCSS is a head in the sand scenario.
Looks like those FOSS Many Eyes were busy watching a porn flick that night.
Can't you decide between "Sieg Heil" and "Zerg Heil"? Well, I for one would choose the Zerg version.
A good education is a bit like a STD - it makes you unsuitable for a lot of jobs and gives you a desire to spread it.
Oh C'mon forgive the fox...Microsoft guarantees trojans with their every product
to cause our company to issue new policy to ban the browser on our network. pretty severe fuckup, but an understandable move on our company's part, we don't have the time to go hunting trojans and if IE is safer in that regard, then there you go.
Even if the extension updates were signed by Mozilla (and starting with Firefox 3.0 extensions not hosted at https://addons.mozilla.org/ will need to be signed), it wouldn't make a difference unless the extension's source code was actually checked.
It is extremely trivial to create an extension that, in addition to doing what it says it does, also steals bank account info or something similar. It's also relatively easy to spot extensions that do so by doing a code check, but I doubt every extension is code checked. Also someone could theoretically make their code so hard to read that something like this could slip through even if reviewed.
Every extension submitted to Mozilla has to be approved before it will show up on Mozilla's add on site, but the approval process appears to be simply to install the extension and see if it installs correctly and doesn't break Firefox. From my experience they don't even test the extension since I've accidentally submitted updates that were completely broken, yet they were accepted.
Maybe new addon authors are scrutinized more, but I haven't seen much oversight personally. If any extension reviewer wants to set me straight I'd love to hear what's actually done.
No I understand that aspect, but I personally believe that 99.9% of the population who are capable of writing extensions or have advanced developer experience (could hack a server if they wanted to) are good people, just that 0.1% of the population I feel that we are not addressing a rogue submission from. For instance after submitting, perhaps you still have to give some type of private/public key combination to further authenticate you - thus requiring two levels of security to be bypassed. Accidents will happen - such as this Vietnamese language pack being accidentally submitted from a corrupted PC or accidentally introducing a security exploit. It's the intentional ones we have to worry more about and the huge damage that could occur if something like Tab Mix Plus or Firebug's code base were hacked. Of the 4 or 5 addons that I use, a few get updated every so often, yet there is no consistent interface to let me know what got changed and why - maybe it's my risk management background but like I said I just feel we are potentially leaving the door wide open here. Even things like having a 'code signing off team' and hosting the source code with an online diff display. I myself wouldn't mind just doing a quick glance over the code to see if what was documented as being upgraded matches the code changes. These same issues even apply to RPM/APT package management, yet another accident waiting to happen.
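The two comments above (the earlier one asking what stops a hacked server from pushing a fake upgrade, and this one) both come down to the same check the update client can make: the manifest it fetched names a digest for the XPI, so a file swapped on the download host is caught before install. Added example, not Mozilla's update code and not from any commenter; it assumes the manifest carries the hash as `algorithm:hexdigest` and was fetched over https, and the manifest field names and sample bytes are constructed for illustration. Note what it does not do: if the attacker controls the host serving the manifest itself, they can publish a matching hash for their own file, which is exactly the gap a signature from the author or Mozilla would have to close.

```python
import hashlib
import hmac

# Digest algorithms this client will accept from a manifest. Policy choice
# for the example: sha1 is refused even though older manifests used it.
ACCEPTED_ALGOS = ("sha256", "sha512")


def parse_update_hash(value):
    """Parse an 'algorithm:hexdigest' string into (algorithm, lowercase hexdigest).

    Raises ValueError for unknown algorithms or a digest of the wrong shape,
    so a malformed manifest fails closed instead of comparing garbage.
    """
    algo, sep, digest = value.strip().partition(":")
    algo = algo.lower()
    if not sep or algo not in ACCEPTED_ALGOS:
        raise ValueError("unsupported or malformed update hash: %r" % value)
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("digest is not %d hex characters" % expected_len)
    return algo, digest.lower()


def verify_update(xpi_bytes, manifest_url, update_hash):
    """Decide whether a downloaded XPI may be installed; returns (ok, reason).

    The file is accepted only when the manifest that named the hash came over
    https (otherwise the hash itself could be swapped in transit) and the
    downloaded bytes hash to the value the manifest carries.
    """
    if not manifest_url.lower().startswith("https://"):
        return False, "manifest was not fetched over https"
    try:
        algo, expected = parse_update_hash(update_hash)
    except ValueError as exc:
        return False, str(exc)
    actual = hashlib.new(algo, xpi_bytes).hexdigest()
    # Constant-time comparison: a plain == stops at the first differing byte.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: file is not the one the manifest names"
    return True, "ok"


def sample_manifest(xpi_bytes):
    """Constructed manifest fields for the example; not a real update.rdf."""
    return {
        "manifestUrl": "https://updates.example.invalid/update.rdf",
        "updateLink": "https://updates.example.invalid/langpack-1.0.1.xpi",
        "updateHash": "sha256:" + hashlib.sha256(xpi_bytes).hexdigest(),
    }


if __name__ == "__main__":
    genuine = b"PK\x03\x04 constructed xpi bytes"  # placeholder bytes, not a real zip
    manifest = sample_manifest(genuine)
    print(verify_update(genuine, manifest["manifestUrl"], manifest["updateHash"]))
    # What the comment fears: the XPI on the download host has been replaced.
    swapped = genuine + b'<iframe src="http://ads.example.invalid/"></iframe>'
    print(verify_update(swapped, manifest["manifestUrl"], manifest["updateHash"]))
```

The hash binds the file to the manifest, not to the author; that is why the comment's second factor (a key the author holds and the server does not) is the part a hash alone cannot replace.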
I'm sick and tired of it. It's not a trojan. It's some ad-displaying javascript in an HTML helpfile.
News for nooks (nerdy gooks), stuff that matters ?
The language pack was not infected with the trojan itself. It only contained some HTML code displaying ads in the help files. These were inserted BY the trojan, on the language pack contributor's infected computer, but the language pack itself only contained the ad-displaying code.
"the author's local network was infected with the virus, so it modified html files. The main virus is a Win32 program. The infected code just display annoying banner but it can't propagate." -- https://bugzilla.mozilla.org/show_bug.cgi?id=432406#c10
I'm replying to this thread to put this information at the top of the discussion because the article summary makes it sound like the language pack actually infected people's systems with the trojan.
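Since the payload, as the comment above and the earlier one quoting the `<iframe>` both describe, was nothing more than an injected element in the pack's HTML help files, the check that would have caught it before publication is a scan of every HTML file in the XPI for elements that load content from an outside host. Added example, not Mozilla's review tooling and not from any commenter; the allowlisted hosts, the sample pack, the `ads.example.invalid` host and the file paths are all constructed for the illustration.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that bundled help pages may legitimately load from.
# Assumption for this example, not a Mozilla policy.
ALLOWED_HOSTS = {"www.mozilla.org", "addons.mozilla.org"}

# Elements that pull remote content into a page; an injected ad banner
# or iframe in a locale's help file shows up as one of these.
SUSPECT_TAGS = {"iframe", "script", "object", "embed"}


class _RemoteLoadFinder(HTMLParser):
    """Record suspect elements whose src/data points at a non-allowlisted host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUSPECT_TAGS:
            return
        attr = dict(attrs)
        src = attr.get("src") or attr.get("data")
        if not src:
            return  # inline <script> and the like: no remote load here
        host = urlparse(src.strip()).hostname
        # Relative URLs have no host and stay inside the pack; that is fine.
        if host and host.lower() not in ALLOWED_HOSTS:
            self.findings.append((tag, src))


def scan_html(text):
    """Return [(tag, src), ...] for every remote load from a non-allowlisted host."""
    parser = _RemoteLoadFinder()
    parser.feed(text)
    parser.close()
    return parser.findings


def scan_xpi(xpi_bytes):
    """Scan every HTML/XHTML entry of an XPI (a zip) and map path -> findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as pack:
        for name in pack.namelist():
            if not name.lower().endswith((".html", ".htm", ".xhtml")):
                continue
            hits = scan_html(pack.read(name).decode("utf-8", errors="replace"))
            if hits:
                results[name] = hits
    return results


def build_sample_xpi():
    """Constructed sample pack (not the real language pack): one clean help
    page and one carrying the kind of injected iframe the bug report describes."""
    clean = "<html><body><h1>Help</h1><p>Some text.</p></body></html>"
    injected = clean.replace(
        "</body>",
        '<iframe src="http://ads.example.invalid/evil.php" width="1" height="1"></iframe></body>',
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pack:
        pack.writestr("install.rdf", "<RDF/>")
        pack.writestr("chrome/help/index.html", clean)
        pack.writestr("chrome/help/intro.html", injected)
    return buf.getvalue()


if __name__ == "__main__":
    for path, hits in scan_xpi(build_sample_xpi()).items():
        for tag, src in hits:
            print("%s: <%s src=%s>" % (path, tag, src))
```

A scan like this is cheap enough to run on every submission and every update; it would not have found a trojan in native code, but it would have flagged this pack, and it catches the same injection whether it arrives by an infected developer machine or by a hacked update server.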
You know, Microsoft's street address also says a lot about their mentality.
Visit ssjx.co.uk
does this affect windows machine only? how about linux, osx, unix?