Slashdot Mirror


Firefox Vietnamese Language Pack Infected With Trojan

An anonymous reader writes "Wired.com is reporting that the Firefox browser has been unknowingly distributing a trojan with the Firefox Vietnamese language pack. Over 16,000 downloads of the pack occurred since being infected. This highlights a risk of relying on user-submitted Firefox extensions, or a lack of peer-review of the extensions, many of which receive frequent upgrades."

7 of 200 comments

  1. infected with Trojans? by gEvil (beta) · · Score: 5, Funny

    So wait...It installs the Greek language pack?

    --
    This guy's the limit!
  2. How do you say "oops" in Vietnamese? by davidwr · · Score: 5, Funny

    I'm sure the Mozilla Foundation wants to know.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  3. Re:Downside of OSS by peragrin · · Score: 5, Insightful

    Right, quality control in closed source. Bullshite.

    How many refurbished iPods have had viruses on them? How many USB thumb drives with custom controls and drivers have had viruses on them? How many times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?

    OSS has a far better track record on quality control. Even better, OSS software knows exactly how many times it has been downloaded and releases the exact date at which the infection happened. That is information that is NEVER released by closed source companies.

    OSS is far from perfect, but it has a much better track record than closed source software. And when it does fail, everything about the failure is spelled out in detail so that particular failure is less likely to happen. Unlike closed companies whose own management don't even know what really happened.

    --
    i thought once I was found, but it was only a dream.
  4. Re:Downside of OSS by JustinOpinion · · Score: 5, Insightful

    To be fair, this particular sequence of events could have happened to a proprietary product as well. The article explains that an add-on developer uploaded a new version of the language pack. The language pack was automatically scanned for viruses, and found to be clean (since the signature for this particular Trojan wasn't yet known). It appears that this occurred because the developer's computer was infected (i.e.: this was accidental, not intentional, on the part of the contributor).

    This isn't too different from a hypothetical employee whose home computer is infected, and who is working from home and emails a module to his boss, who merges it into the final product. If his home computer was infected, and the standard virus scans missed it, then the final product could end up having Trojan code buried inside.

    Would the company necessarily have caught the Trojan? Doubtful. They, too, would probably not have done a line-by-line review of each module update that is submitted.

    So I'm not convinced this can be pointed to as a failing of the OSS development model per se. The only difference is that the OSS user contributor is perhaps less well-known (less trustworthy?) to the distributors than in a corporate setting. (But, again, this wasn't a problem of trust... this was a contributor machine being infected. And I assure you that corporate developers can and do get their machines infected.)

    Nevertheless, this points to a breakdown in Mozilla's auditing practices. They should be very careful with any code they distribute. But these kinds of quality-control breakdowns occur in OSS projects and corporations, too. (One could tangentially argue that at least with OSS, breaches are likely to be publicized, whereas companies will frequently try to suppress information that points out a security breach.)

  5. Re:Downside of OSS by ericlondaits · · Score: 5, Insightful

    I guess the point is: "the fact that anyone could check the source code at any time should not replace proper QA, which shouldn't be all that different from the one done on commercial software".

    I'm sure that Firefox has quite a bit of QA done to it... but its usefulness relies too much on extensions, which we don't have that many assurances about.

    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
  6. More Slashdot Sensationalism by MobyDisk · · Score: 5, Informative

    The article says:

    ...That Trojan inserted a banner-ad displaying script into any html file on his system, which included the help files for the language pack.

    That meant that anyone installing the language pack would have malicious ad displaying code inside their browser -- which could be used for other exploits.

    So the language pack did not have a Trojan. I don't think the language packs even have executable code. The language packs had help files with banner ads in them. That's not even close to what the headline says. But I guess "Vietnamese help files may contain ads" doesn't sound as scary.

    (I guess this means Slashdot sensationalism isn't restricted to anti-Microsoft articles.)
  7. Re:Downside of OSS by Anonymous Coward · · Score: 5, Funny

    What kind of messed up place do you live where it's recommended you check the trunk for dead bodies?
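
A submission-time check suggested by the article excerpt quoted in comment 6, as an added example that is not part of the thread or of Mozilla's own tooling: it lists the HTML files in an add-on package that load active content from a remote origin, independent of any antivirus signature. The package layout, file names and URL are constructed, and treating the injected ad script as a remote `src` reference is an assumption.

```python
import io
import zipfile
from html.parser import HTMLParser

# Tags that can pull active content into a page, and the attribute holding the URL.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "//")

class RemoteRefFinder(HTMLParser):
    """Collects active-content tags whose URL points outside the package."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        if attr is None:
            return
        url = (dict(attrs).get(attr) or "").strip()
        if url.lower().startswith(REMOTE_PREFIXES):
            self.hits.append((tag, url))

def scan_package(xpi_bytes):
    """Return {member_name: [(tag, url), ...]} for HTML files with remote refs."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".html", ".htm", ".xhtml")):
                continue
            finder = RemoteRefFinder()
            finder.feed(zf.read(name).decode("utf-8", errors="replace"))
            if finder.hits:
                findings[name] = finder.hits
    return findings

def build_sample():
    """Constructed sample package: one clean help page, one with an injected tag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chrome/help/index.html", "<html><body><p>Help</p></body></html>")
        zf.writestr("chrome/help/tabs.html",
                    '<html><body><p>Tabs</p>'
                    '<script src="http://ads.example.invalid/b.js"></script></body></html>')
        zf.writestr("install.rdf", "<RDF/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_package(build_sample()))
```

Inline scripts without a `src` attribute are not reported by this check; a reviewer would diff the help files against the previous release to catch those.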