Slashdot Mirror


Firefox Vietnamese Language Pack Infected With Trojan

An anonymous reader writes "Wired.com is reporting that the Firefox browser has been unknowingly distributing a trojan with the Firefox Vietnamese language pack. Over 16,000 downloads of the pack occurred since being infected. This highlights a risk of relying on user-submitted Firefox extensions, or a lack of peer-review of the extensions, many of which receive frequent upgrades."

26 of 200 comments

  1. infected with Trojans? by gEvil (beta) · · Score: 5, Funny

    So wait...It installs the Greek language pack?

    --
    This guy's the limit!
    1. Re:infected with Trojans? by Yvan256 · · Score: 3, Funny

      Yes, and it adds the wooden rabbit font, too.

    2. Re:infected with Trojans? by betterunixthanunix · · Score: 4, Funny

      I guess I was the only one who thought "infected with trojans" was funny. Especially since many of the condoms I've seen are made in south Asia.

      --
      Palm trees and 8
  2. Downside of OSS by elrous0 · · Score: 4, Interesting
    I know this isn't going to be a popular opinion here, but two of the big downsides of open source software to me are the lack of documentation and the lack of quality control. Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?

    I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Downside of OSS by Keyper7 · · Score: 4, Insightful

      Open source allows greater quality control than closed source. If Mozilla did not use this potential, it's their fault and not the open source process'. In fact, the problem here is that the quality control used by Mozilla was not open source enough. They only did automatic scanning, something that can be done in compiled binaries, when a simple code-checking (notice that an extension source is not that big) would get the malicious code rather quickly.

    2. Re:Downside of OSS by peragrin · · Score: 5, Insightful

      right quality control in closed source. bullshite.

      How many refurbished iPods have had viruses on them? How many USB thumb drives with custom controls and drivers have had viruses on them? How many times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?

      OSS has a far better track record on quality control. Even better OSS software knows exactly how many times it has been downloaded and releases the exact date at which the infection happened. That is information that is NEVER released by closed source companies.

      OSS is far from perfect, but it has a much better track record than closed source software. And when it does fail, everything about the failure is spelled out in details so that particular failure is less likely to happen. Unlike closed companies whose own management don't even know what really happened.

      --
      i thought once I was found, but it was only a dream.
    3. Re:Downside of OSS by betterunixthanunix · · Score: 3, Informative
      http://fedoraproject.org/wiki/QA

      We have quality control also. Also, this language pack trojan was caught early on...

      --
      Palm trees and 8
    4. Re:Downside of OSS by RiotingPacifist · · Score: 3, Interesting

      The Downside is when the project gets too big, the number of users >>> developers so resources get stretched to try and satisfy the large number of users and the quality of the project drops.

      --
      IranAir Flight 655 never forget!
    5. Re:Downside of OSS by jrumney · · Score: 4, Interesting

      In fact, it is more like less than one month, since the other two months is attributable to the delay in anti-virus vendors recognizing the trojan.

    6. Re:Downside of OSS by JustinOpinion · · Score: 5, Insightful

      To be fair, this particular sequence of events could have happened to a proprietary product as well. The article explains that an add-on developer uploaded a new version of the language pack. The language pack was automatically scanned for viruses, and found to be clean (since the signature for this particular Trojan wasn't yet known). It appears that this occurred because the developer's computer was infected (i.e.: this was accidental, not intentional, on the part of the contributor).

      This isn't too different from a hypothetical employee whose home computer is infected, and who is working from home and emails a module to his boss, who merges it into the final product. If his home computer was infected, and the standard virus scans missed it, then the final product could end up having Trojan code buried inside.

      Would the company necessarily have caught the Trojan? Doubtful. They, too, would probably not have done a line-by-line review of each module update that is submitted.

      So I'm not convinced this can be pointed to as a failing of the OSS development model per se. The only difference is that the OSS user contributor is perhaps less well-known (less trustworthy?) to the distributors than in a corporate setting. (But, again, this wasn't a problem of trust... this was a contributor machine being infected. And I assure you that corporate developers can and do get their machines infected.)

      Nevertheless, this points to a breakdown in Mozilla's auditing practices. They should be very careful with any code they distribute. But these kinds of quality-control breakdowns occur in OSS projects and corporations, too. (One could tangentially argue that at least with OSS, breaches are likely to be publicized, whereas companies will frequently try to suppress information that points out a security breach.)

    7. Re:Downside of OSS by Uncle Focker · · Score: 3, Funny

      So was Mozilla using a proprietary anti-virus software? Better hope not, or the ggp is going to have his entire point demolished.

    8. Re:Downside of OSS by Paradise Pete · · Score: 4, Informative
      I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.

      Creative MP3 players ship with virus
      Apple Ships iPods with Windows Virus
      Seagate Storage Units Ship with Virus
      Sega Dreamcast console game spreads virus
      Maxtor USB Hard Drives Ship Virus Infected
      Digital photo frames ship with computer virus
      Sony Ships Rootkit

    9. Re:Downside of OSS by ericlondaits · · Score: 5, Insightful

      I guess the point is: "the fact that anyone could check the source code at any time should not replace proper QA, which shouldn't be all that different from the one done on commercial software".

      I'm sure that Firefox has quite a bit of QA done to it... but its usefulness relies too much on extensions, which we don't have that many assurances about.

      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    10. Re:Downside of OSS by dave420 · · Score: 3, Insightful

      Open source means the QA can be shifted from a group of QA workers in an office to people who use the software. Both approaches work, and both are not perfect. Saying one is inherently better than the other is a bit strange, as they both achieve the same thing, only in different places. QA performed in-house has access to the source code, and can highlight errors and get them fixed, just the same as any OSS project. The only difference is the QA workers are getting paid for it, and are working directly with the developers. I'm not saying that's better, it's just what happens.

    11. Re:Downside of OSS by makomk · · Score: 4, Informative

      Not really. Apparently, the trojan was a single line of code in the HTML help file, not the extension code itself, and I doubt a human would necessarily even think to check there.

    12. Re:Downside of OSS by AshtangiMan · · Score: 3, Interesting

      So it's like when you park your car in your garage at night. In the morning you don't look in the trunk to make sure that i) no one put a hostage/ dead body in there; ii) no one removed a hostage/ dead body; or iii) the spare tire is in good working condition. While it is possible, and recommended that you do so, there is no guarantee that everyone does this.

    13. Re:Downside of OSS by Anonymous Coward · · Score: 5, Funny

      What kind of messed up place do you live where it's recommended you check the trunk for dead bodies?

    14. Re:Downside of OSS by Spy der Mann · · Score: 3, Insightful

      The majority of OSS is half-finished, poorly-planned crap that is in perpetual beta. In my experience (and I've held long debates with friends and colleagues about this) this has been caused by plain and simple pride. i.e. what happened with Pidgin - developers imposing their own viewpoints on their software for no valid reason.

      That, and the language/OS elitism. A lot of abandoned projects in sourceforge are developed in an obscure scripting language and/or extension that requires very, VERY careful installation (i.e. wxPython - choose the wrong version and you'll end up in a support nightmare), or perhaps use a specific UI toolkit (perhaps even proprietary *cough cough* cinelerra *cough cough*) that keeps crashing and crashing. I remember when I tried to install GAIM in Windows. It sucked big time. You can't just design something as "cross-platform" if you don't do extensive testing on ALL operating systems, and that includes the Redmond Nightmare.

      I believe that a lot of OSS developers program for selfish reasons - i.e. "I'm programming a tool that does what I want" instead of "I'm programming a tool that will help people who might not use my OS or won't share my personal tastes, therefore I need to think about them".

      The lesson: It's not really the OS or the toolkit, or even the language used. It's the attitude of the developers that ruins projects.
    15. Re:Downside of OSS by Knuckles · · Score: 3, Insightful

      The difference is that in the closed source world something as basic as a language pack would come with the same QA as the program... To be fair, most closed source software does not come with a Vietnamese language pack at all.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  3. How do you say "oops" in Vietnamese? by davidwr · · Score: 5, Funny

    I'm sure the Mozilla Foundation wants to know.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  4. Ignore this by Anonymous Coward · · Score: 3, Informative

    post. removing incorrect mod.

  5. More Slashdot Sensationalism by MobyDisk · · Score: 5, Informative
    The article says:

    ...That Trojan inserted a banner-ad displaying script into any html file on his system, which included the help files for the language pack.

    That meant that anyone installing the language pack would have malicious ad displaying code inside their browser -- which could be used for other exploits.
    So the language pack did not have a Trojan. I don't think the language packs even have executable code. The language packs had help files with banner ads in them. That's not even close to what the headline says. But I guess "Vietnamese help files may contain ads" doesn't sound as scary.

    (I guess this means Slashdot sensationalism isn't restricted to anti-Microsoft articles.)
    1. Re:More Slashdot Sensationalism by trifish · · Score: 3, Informative

      Eh? From the article: "On Tuesday, a user named Hai-Nam Nguyen reported that anti-virus programs detected the Xorer Trojan inside the add-on. Firefox admins quickly confirmed the presence of the Trojan's code and removed the file the same day."

  6. Not really infected by hweimer · · Score: 4, Informative
    According to the Mozilla Security Blog the language pack did not contain any malicious code, but only manipulated HTML files:

    The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself.
    --
    OS Reviews: Free and Open Source Software
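Several posts above make the same technical point: Mozilla's automated check was signature-based antivirus, which had nothing to match because the package carried no virus, only help-page markup that had been altered to load remote content. The block below is an added example, not Mozilla's tooling or the add-on author's code, of the kind of content check a reviewer could run over an add-on package before publishing it (Firefox .xpi files are zip archives): it unpacks the archive and flags every line in an HTML/XML member that loads a resource from a remote origin. The sample package, its file names, and the ad host are constructed for illustration, and the regular expression is a deliberate simplification of what a real markup parser would do.

```python
"""Flag remote-content loads inside an add-on package's markup files.

Added example for this discussion; it is not Mozilla's review tooling.
All package contents below are constructed sample data.
"""
import io
import re
import zipfile

# Markup that pulls a resource from another origin. Absolute http(s) URLs
# and protocol-relative "//host/..." references both count. Plain <a href>
# links are not loads and are intentionally not matched.
REMOTE_LOAD = re.compile(
    r"<(script|iframe|frame|embed|object|img|link)\b[^>]*?"
    r"\b(src|href|data)\s*=\s*['\"]?\s*(https?:)?//",
    re.IGNORECASE,
)

# Member names worth scanning; a language pack is mostly strings plus help pages.
MARKUP_SUFFIXES = (".html", ".htm", ".xhtml", ".xml", ".xul")


def find_remote_loads(data: bytes):
    """Return [(line_number, stripped_line)] for lines that load remote content."""
    hits = []
    text = data.decode("utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), start=1):
        if REMOTE_LOAD.search(line):
            hits.append((number, line.strip()))
    return hits


def scan_package(xpi_bytes: bytes):
    """Scan every markup member of a zip/.xpi. Returns {member_name: hits}.

    Only members with at least one finding appear in the result, so an
    empty dict means the package is clean under this check.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.filename.lower().endswith(MARKUP_SUFFIXES):
                continue
            hits = find_remote_loads(zf.read(info))
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_pack() -> bytes:
    """Construct a minimal language pack: one clean help page and one page
    carrying an injected remote script tag (constructed sample data; the
    host name is a placeholder, not the real injected URL)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr(
            "chrome/help/index.html",
            "<html><body><p>Help</p><img src='images/x.png'></body></html>",
        )
        zf.writestr(
            "chrome/help/intro.html",
            "<html><body><p>Intro</p>\n"
            '<script src="http://ads.example.invalid/banner.js"></script>\n'
            "</body></html>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_package(build_sample_pack()).items():
        for number, line in hits:
            print(f"{member}:{number}: {line}")
```

A check like this is cheap enough to run on every uploaded version, and it catches exactly the class of change that a signature scanner cannot: the package is not itself malicious, but it was modified on an infected machine to pull content from somewhere the author never intended. Pairing it with a diff against the previously approved version of the same add-on would narrow the reviewer's attention to the lines that actually changed.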
  7. A rebuttal by Bragador · · Score: 3, Funny

    Your reasoning is flawed.

    You are coming to the conclusion that open source "sucks" because a trojan was supplied with one version of Mozilla Firefox. The problem with that reasoning is twofold:

    1) The problem was detected nonetheless

    2) It is being fixed rather quickly

    Another problem with your reasoning is that you jump to saying "Long live microsoft!". While I applaud you for sharing your love, the link between a competitor's browser having a problem and your love of Microsoft is quite shallow.

    For example, you could have said "long live Internet Explorer" and it would have made a bit more sense but not that much. Indeed, you assume that because Firefox has a problem, the other browser has no problems of its own.

    Also, why Microsoft? This is another flaw in your reasoning. There are Opera and Safari, for example. So exclusively backing Microsoft's product because of a problem with Firefox is a weak argument at best.

    In conclusion, I state that we can't support your love of Microsoft solely based on your argument.

    Thank you for your precious time.

    Sincerely,

    Me

  8. Not infected by jonasj · · Score: 3, Informative

    The language pack was not infected with the trojan itself. It only contained some HTML code displaying ads in the help files. These were inserted BY the trojan, on the language pack contributor's infected computer, but the language pack itself only contained the ad-displaying code.

    "the author's local network was infected with the virus, so it modified html files. The main virus is a Win32 program. The infected code just display annoying banner but it can't propagate." -- https://bugzilla.mozilla.org/show_bug.cgi?id=432406#c10

    I'm replying to this thread to put this information at the top of the discussion because the article summary makes it sound like the language pack actually infected people's systems with the trojan.

    --
    You know, Microsoft's street address also says a lot about their mentality.