

Steve
SAS-70 is extortion
Consultant
join:2001-03-10
Tustin, CA


edit:
May 7th, @10:37PM

Wow! Mozilla distributing infected code!

said by »blog.mozilla.com/security/2008/0···refox-2/ :

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions.

...
Been out there for 2.5 months! Wow!

SUMware
Premium
join:2002-05-21


edit:
May 7th, @11:26PM

Only Vietnamese language pack addon is affected

Here's the rest:

"Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy. While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.

Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload. We are also adding after-the-fact scans of everything to address this sort of case in the future.


A new language pack will be available shortly. Until then, Vietnamese language pack users should disable this package using the add-ons dialog on the Tools menu.

More information is available in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=432406"

According to Bugzilla the affected file was removed from public staging prior to 2008-05-06 11:06:44 PDT.


Cabal
Premium
join:2007-01-21
02101
reply to Steve
Re: Wow! Mozilla distributing infected code!

I've seen worse add-ons.


AB
Premium
join:2006-04-04
Leesburg, VA

reply to Steve
said by Steve See Profile :

said by »blog.mozilla.com/security/2008/0···refox-2/ :

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection ...
Been out there for 2.5 months! Wow!
Holy crap! [written in Vietnamese in the original: "Phân thần thánh!"]


Steve
SAS-70 is extortion
Consultant
join:2001-03-10
Tustin, CA

reply to SUMware
Re: Only Vietnamese language pack addon is affected

said by SUMware See Profile :

Only Vietnamese language pack addon is affected
The point is not to get everybody to check their installations - I didn't download this pack and don't know anybody who did. Most people weren't affected.

This reveals a shocking lack of quality control. We're lucky it was "only" a Vietnamese language pack.
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site

mikenolan7
Premium
join:2005-06-07
Torrance, CA
·Sprint Mobile Broa..
·RoadRunner Cable

reply to Steve
Re: Wow! Mozilla distributing infected code!

It also highlights one of my concerns with a lot of software available by download - checksums not being provided. Perhaps checksums might have caught this before 16,000 people downloaded it. Of course there is no certainty in that, but I think it should be a part of quality control.

matunga

join:2003-07-26


edit:
May 8th, @05:46AM

 reply to Steve
yet another demonstration that open source code is NOT safer than closed source code

Mozilla spreads malware rather than security:
»blogs.zdnet.com/hardware/?p=1813

goalieskates

join:2004-09-12
Knoxville, TN
·Comcast
·AT&T Southeast

said by matunga See Profile :

yet another demonstration that open source code is NOT safer than closed source code

Mozilla spreads malware rather than security:
»blogs.zdnet.com/hardware/?p=1813
Oh grow up. I pick up more bad stuff using IE than I ever do using FF.


Steve
SAS-70 is extortion
Consultant
join:2001-03-10
Tustin, CA

said by goalieskates See Profile :

Oh grow up. I pick up more bad stuff using IE than I ever do using FF.
I think you're missing the point: here, the malware came from the vendor - Microsoft hasn't ever shipped malware, as far as I know, but Mozilla has.


donoreo
Premium
join:2002-05-30
North York, ON

said by Steve See Profile :

Microsoft hasn't ever shipped malware,
Depends on your definition of malware, doesn't it?

slajoh01

join:2005-04-23
I agree, Firefox and Mozilla WILL become unsafe also just like IE.

Firefox is gaining momentum and its market share is picking up. And that will result in more exploitations.


Davebo_

join:2002-11-19
Canada


edit:
May 8th, @09:03AM

reply to Steve
said by Steve See Profile :

said by goalieskates See Profile :

Oh grow up. I pick up more bad stuff using IE than I ever do using FF.
I think you're missing the point: here, the malware came from the vendor - Microsoft hasn't ever shipped malware, as far as I know, but Mozilla has.
Whatchu talking 'bout Willis!

SP 3 for XP was just recently released.... Folks running OEM AMD machines would call SP3 malware.


Lanik
Lab-nik
Premium,ExMod 2002-03
join:2001-06-25
Bay Area
·DSL EXTREME

reply to Steve
I guess nobody reads links these days. Vietnamese language pack is an addon and doesn't ship with the browser.

Micro$oft ships far worse, hActiveX comes to mind.
--
"If it ain't broke don't fix it."


Steve
SAS-70 is extortion
Consultant
join:2001-03-10
Tustin, CA

said by Lanik See Profile :

I guess nobody reads links these days. Vietnamese language pack is an addon and doesn't ship with the browser.
That it doesn't ship with the product doesn't mean that the vendor doesn't provide it
Micro$oft ships far worse, hActiveX comes to mind.
ActiveX isn't a thing that ships, it's an interface that everybody uses to create browser extensions. Blaming ActiveX is like holding an operating system liable because they provide a way to delete a file.
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site


fatness
subtle
Janitor
join:2000-11-17
fishing

Host:
Earthlink DSL
TekSavvy
Forum Feature Requ..
Need Site Help?
Sports Chat
reply to Steve
Wired News article

quote:
Mozilla, the maker of the open source Firefox browser, is redoubling its efforts to check user created add-ons for viruses and Trojans after it discovered that a language pack on its official add-on page had been infected for months with rogue code, the organization reported Wednesday.

Starting in mid-February, Vietnamese users of Mozilla's open source Firefox browser were at risk of infection from malicious Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site. The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.

The glitch isn't the first time that seemingly trusted software included rogue code, but such occurrences are surprisingly rare given the amount of open-source and shareware programs that net users install based on blind trust. That's not even mentioning the huge selection of pirated software available on file sharing networks that could easily be infected with malware.

In response to the later discovery of the latent Trojan code by anti-virus software, Mozilla pulled the language pack and announced it would begin scanning all add-ons whenever they update their virus signatures, not just when add-ons are originally posted, according to an entry on the Mozilla security blog.
quote:
16,667 people had downloaded the add-on since November 2007.
--
Female monkeys often utter loud, distinctive calls before, during or after sex..


MysticGogeta
The Robot Devil
Premium
join:2005-03-14
League City, TX
clubs:
reply to Steve
Wow! I like when people are shocked that a browser isn't perfect so they jump on every opportunity to flame/troll.
--
Team Discovery-Join the fight

SUMware
Premium
join:2002-05-21


edit:
May 8th, @11:57PM

reply to Steve
As has been stated, the infection occurred in one language extension addon. The Firefox browser itself was/is not infected.
said by fatness See Profile :

Wired News article

quote:
Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site. The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.
»https://bugzilla.mozilla.org/show_bug.cgi?id=432406
quote:
Dave Miller (MoCo) 2008-05-06 01:47:24 PDT
clamscan says:
vietnamese_language_pack-2.0-fx-win.xpi: HTML.Xorer FOUND
The file is dated February 18, the virus signature is dated April 14, so we
apparently had this in the wild for about 2 months before the scanners were
detecting it.

Axel Hecht [:Pike] 2008-05-06 01:50:23 PDT
FWIW, I think we're talking about
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189095&sitepanda=particulares, right?

Dave Miller (MoCo) 2008-05-06 01:53:02 PDT
The signature I found that said April 14 on it was HTML.Xorer.A. The one you
just found is much more likely to be a match, and the window looks much smaller
there.

Hai-Nam Nguyen (jcisio) 2008-05-06 02:01:26 PDT
With info from Panda security, I think it just because the author's local
network was infected with the virus, so it modified html files. The main virus
is a Win32 program. The infected code just display annoying banner but it can't
propagate.
I think we might just remove the script and everything backs ok.

Justin Scott [:fligtar] 2008-05-06 10:20:09 PDT
Since we seem to have determined it wasn't malicious on the part of the author,
I've changed the add-on status to be in the sandbox and deleted both files.
Jasper, please upload a new version without the virus and let us know and we'll
check it out before pushing it public again.

Dan Guido 2008-05-07 21:07:14 PDT
Was the source of this malicious code found?

Jasper Thái 2008-05-08 05:04:42 PDT
Sorry for the inconvenience!
I've found that translated help files was modified by a virus, come from China.
I'm so busy these days, but I've cleaned up malicious code. The new fresh pack
coming soon.
Thanks!
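
The Bugzilla comments quoted above describe HTML help files inside the .xpi that were modified to load a remote script, which signature scanning missed at upload time. The following Python check is an added example, not code from the thread, Mozilla, or any poster: it opens an XPI as a zip archive, descends into nested archives, and flags HTML members that load content from another host, without relying on a virus signature. The nested `.jar` layout, the file names and the `ads.example.invalid` host are constructed assumptions.

```python
import io
import zipfile
from html.parser import HTMLParser

REMOTE = ("http://", "https://", "//")
LOADER_TAGS = {"script", "iframe", "frame", "embed", "object"}
ARCHIVES = (".xpi", ".jar", ".zip")  # assumed layout: help pages in a .jar inside the .xpi
HTML_EXTS = (".html", ".htm", ".xhtml")

class RemoteLoadFinder(HTMLParser):  # collects tags that pull content from another host
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in LOADER_TAGS:
            return
        for name, value in attrs:
            url = (value or "").strip()
            if name in ("src", "data") and url.lower().startswith(REMOTE):
                self.hits.append((tag, url))

def scan_archive(data, prefix=""):
    """Return [(member, tag, url)] for remote loads in HTML members, recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, member = info.filename.lower(), prefix + info.filename
            if name.endswith(ARCHIVES):
                findings += scan_archive(zf.read(info), member + "!/")
            elif name.endswith(HTML_EXTS):
                finder = RemoteLoadFinder()
                finder.feed(zf.read(info).decode("utf-8", errors="replace"))
                findings += [(member, tag, url) for tag, url in finder.hits]
    return findings

def build_sample_xpi():
    """Constructed sample: a clean help page and one with an appended remote script."""
    jar, xpi = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("locale/vi/help/clean.xhtml", "<html><script src='local.js'></script></html>")
        zf.writestr("locale/vi/help/tampered.html",
                    "<html><body>Help</body></html><script src='http://ads.example.invalid/x.js'></script>")
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/vi.jar", jar.getvalue())
    return xpi.getvalue()

if __name__ == "__main__":
    print(scan_archive(build_sample_xpi()))
```

A language pack's help pages have little reason to load remote scripts, so a hit here is a cue for manual review before publication and on every re-scan of already-hosted files.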


Cabal
Premium
join:2007-01-21
02101


edit:
May 8th, @10:32AM

reply to matunga
said by matunga See Profile :

yet another demonstration that open source code is NOT safer than closed source code

Mozilla spreads malware rather than security:
»blogs.zdnet.com/hardware/?p=1813
said by Steve See Profile :

said by goalieskates See Profile :

Oh grow up. I pick up more bad stuff using IE than I ever do using FF.
I think you're missing the point: here, the malware came from the vendor - Microsoft hasn't ever shipped malware, as far as I know, but Mozilla has.
Try again. Next?
--
Interested in open source engine management for your Subaru?


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000

reply to SUMware
said by SUMware See Profile :

As has been stated, the infection occurred in one language extension addon. The Firefox browser itself was/is not infected.
An important thing to note. The extent of involvement for the Mozilla project directly was marginal. I don't know if the addons are even directly hosted with Mozilla. This is essentially 3rd party.
--
Overpower, overcome.


Steve
SAS-70 is extortion
Consultant
join:2001-03-10
Tustin, CA

reply to MysticGogeta
said by MysticGogeta See Profile :

Wow! I like when people are shocked that a browser isn't perfect so they jump on every opportunity to flame/troll.
It's not the browser that's imperfect, it's the quality control of distribution. That's news.
said by SUMware See Profile :

The Firefox browser itself was/is not infected.
The distribution mechanism was attacked, and that's news. It's just a happy accident that it was a little-used add-on: remember that XPI can execute code.
said by Cabal See Profile :

Next? (re: my claim that Microsoft had not distributed malware)
Yep, you're right - they did it too.

Corrupting the distribution system is a tremendous violation of trust.

Steve — longtime enthusiastic Firefox user
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site