Slashdot Mirror


Firefox Vietnamese Language Pack Infected With Trojan

An anonymous reader writes "Wired.com is reporting that the Firefox browser has been unknowingly distributing a trojan with the Firefox Vietnamese language pack. Over 16,000 downloads of the pack occurred since being infected. This highlights a risk of relying on user-submitted Firefox extensions, or a lack of peer-review of the extensions, many of which receive frequent upgrades."


  1. Downside of OSS by elrous0 · · Score: 4, Interesting
    I know this isn't going to be a popular opinion here, but two of the big downsides of open source software to me are the lack of documentation and the lack of quality control. Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?

    I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Downside of OSS by ttapper04 · · Score: 2, Interesting

      You are right. It may have something to do with the responsibility a software company has when selling you code. There are flaws in this statement, but what I mean is this:
      Joe Six-pack is not going to be as upset when he gets infected by the free thing vs. the thing he had to pay for.
      Is this fair to say? Can anyone say that better than me?

    2. Re:Downside of OSS by RiotingPacifist · · Score: 3, Interesting

      The Downside is when the project gets too big, the number of users >>> developers so resources get stretched to try and satisfy the large number of users and the quality of the project drops.

      --
      IranAir Flight 655 never forget!
    3. Re:Downside of OSS by jrumney · · Score: 4, Interesting

      In fact, it is more like less than one month, since the other two months are attributable to the delay in anti-virus vendors recognizing the trojan.

    4. Re:Downside of OSS by dave420 · · Score: 2, Interesting

      No, the "hahaha" is on you, if you think proprietary software has no quality control. It has plenty. So does Open Source software. When you spend money on a closed-source package, chances are that software house has a QA department. I don't mean to be rude to anyone or piss anyone off, but the same can't be said for most OSS projects, apart from those released through the few large OSS houses that have their own QA departments. Just because you've found bugs in closed-source software doesn't mean they don't have QA. The fact that they do have QA demonstrates you're wrong on that. People find bugs in open-source software, too - by your logic, OSS is just as bad as closed-source. Great jerrrb.

    5. Re:Downside of OSS by AshtangiMan · · Score: 3, Interesting

      So it's like when you park your car in your garage at night. In the morning you don't look in the trunk to make sure that i) no one put a hostage/ dead body in there; ii) no one removed a hostage/ dead body; or iii) the spare tire is in good working condition. While it is possible, and recommended that you do so, there is no guarantee that everyone does this.

  2. Proprietary software has the same risk by jrumney · · Score: 2, Interesting

    This has nothing to do with Mozilla accepting user-submitted extensions. If anything, that makes them more careful about what they publish. A developer's machine becoming infected with an as yet unknown virus that is undetected by anti-virus scanners is a risk that every software producer faces. How many commercial software vendors even run their developers' code through a virus check when it is committed, let alone running regular anti-virus checks on software they have already released?

  3. Accident Waiting to happen - Should Sign All Updat by KJACK98 · · Score: 2, Interesting

    I don't know if this has been done yet, but each new extension submission or upgrade must be signed by Mozilla with some type of private exchange with the author. My concern right now is, I know some of my extensions come from third parties, what's stopping someone from hacking the server and introducing a fake upgrade that gets spread across to all users in the auto upgrade? Thus when the update downloads it, compares the checksum signatures it would know it was not an authorized release. Thus besides hacking the server, the person would have had to have gotten the user's private communications password too.
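
The update check proposed in the comment above, as an added example that is not part of the original thread and not Mozilla's code: the client verifies an Ed25519 signature over an update manifest against a key pinned at install time, then checks the package hash. The manifest layout, the integer version numbers, the extension id and all keys and package bytes are assumptions constructed for illustration.

```javascript
// Added example: manifest layout, names and keys are constructed, not Mozilla's format.
const crypto = require('node:crypto');

// Signing key pair; the private key is held offline, never on the download server.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Publisher side: sign a manifest binding extension id, version and package hash.
function publishUpdate(id, version, pkg) {
  const manifest = JSON.stringify({ id, version, sha256: sha256(pkg) });
  const signature = crypto.sign(null, Buffer.from(manifest), privateKey);
  return { manifest, signature, pkg };
}

// Client side: pinnedKey was stored when the extension was first installed.
function verifyUpdate(update, pinnedKey, installed) {
  const { manifest, signature, pkg } = update;
  // Verify the signature before parsing or trusting any manifest field.
  if (!crypto.verify(null, Buffer.from(manifest), pinnedKey, signature)) {
    return 'reject: bad signature';
  }
  const m = JSON.parse(manifest);
  if (m.id !== installed.id) return 'reject: wrong extension';
  if (m.version <= installed.version) return 'reject: not newer';
  if (m.sha256 !== sha256(pkg)) return 'reject: package hash mismatch';
  return 'accept';
}

// Constructed sample data.
const installed = { id: 'langpack-example', version: 3 };
const good = publishUpdate(installed.id, 4, Buffer.from('clean package bytes'));
const old = publishUpdate(installed.id, 2, Buffer.from('older signed release'));
const tamperedPkg = Buffer.from('modified package bytes');
// Server-side swap of the package only: the signed hash no longer matches.
const swapped = { ...good, pkg: tamperedPkg };
// Swap plus a recomputed checksum: the manifest changed, so the signature fails.
const reHashed = { ...swapped, manifest: JSON.stringify({ id: installed.id, version: 4, sha256: sha256(tamperedPkg) }) };

function runScenarios() {
  return {
    good: verifyUpdate(good, publicKey, installed),
    replay: verifyUpdate(old, publicKey, installed),
    swapped: verifyUpdate(swapped, publicKey, installed),
    reHashed: verifyUpdate(reHashed, publicKey, installed),
  };
}
console.log(runScenarios());
```

A valid signature only establishes who published the package; it would not catch the case raised in the earlier comment, where the author's own machine is infected before the release is signed.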