 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 2 edits | Wow! Mozilla distributing infected code! said by »blog.mozilla.com/security/2008/0···refox-2/ :The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions. ... Been out there for 2.5 months! Wow! |
|
 SUMwarePremium join:2002-05-21 kudos:2 4 edits | Only Vietnamese language pack addon is affected Here's the rest:
"Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy. While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.
Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload. We are also adding after-the-fact scans of everything to address this sort of case in the future.
A new language pack will be available shortly. Until then, Vietnamese language pack users should disable this package using the add-ons dialog on the Tools menu.
More information is available in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=432406"
According to Bugzilla the affected file was removed from public staging prior to 2008-05-06 11:06:44 PDT. |
|
 CabalPremium join:2007-01-21 Austin, TX | reply to Steve
Re: Wow! Mozilla distributing infected code! I've seen worse add-ons.  |
|
|
|
 ABPremium join:2006-04-04 Leesburg, VA kudos:3 | reply to Steve said by Steve: Been out there for 2.5 months! Wow! Holy crap! |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | reply to SUMware
Re: Only Vietnamese language pack addon is affected said by SUMware:Only Vietnamese language pack addon is affected The point is not to get everybody to check their installations - I didn't download this pack and don't know anybody who did. Most people weren't affected.
This reveals a shocking lack of quality control. We're lucky it was "only" a Vietnamese language pack. -- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site |
|
 | reply to Steve
Re: Wow! Mozilla distributing infected code! It also highlights one of my concerns with a lot of software available by download - checksums not being provided. Perhaps checksums might have caught this before 16,000 people downloaded it. Of course there is no certainty in that, but I think it should be a part of quality control. |
|
 1 edit | reply to Steve yet another demonstration that open source code is NOT safer than closed source code 
Mozilla spreads malware rather than security: »blogs.zdnet.com/hardware/?p=1813 |
|
 | Oh grow up. I pick up more bad stuff using IE than I ever do using FF. |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | said by goalieskates:Oh grow up. I pick up more bad stuff using IE than I ever do using FF. I think you're missing the point: here, the malware came from the vendor - Microsoft hasn't ever shipped malware, as far as I know, but Mozilla has. |
|
 donoreoPremium join:2002-05-30 North York, ON | said by Steve:Microsoft hasn't ever shipped malware, Depends on your definition of malware, doesn't it? |
|
 | I agree, Firefox and Mozilla WILL become unsafe also just like IE.
Firefox is gaining momentum and its market share is picking up. And that will result in more exploitations. |
|
 1 edit | reply to Steve said by Steve:said by goalieskates:Oh grow up. I pick up more bad stuff using IE than I ever do using FF. I think you're missing the point: here, the malware came from the vendor - Microsoft hasn't ever shipped malware, as far as I know, but Mozilla has. Whatchu talking 'bout Willis!
SP 3 for XP was just recently released.... Folks running OEM AMD machines would call SP3 malware. |
|
 LanikLab-nikPremium,ExMod 2002-03 join:2001-06-25 Bay Area | reply to Steve I guess nobody reads links these days. Vietnamese language pack is an addon and doesn't ship with the browser. 
Micro$oft ships far worse, ActiveX comes to mind. -- "If it ain't broke don't fix it." |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | said by Lanik: I guess nobody reads links these days. Vietnamese language pack is an addon and doesn't ship with the browser.
That it doesn't ship with the product doesn't mean that the vendor doesn't provide it.
said by Lanik: Micro$oft ships far worse, ActiveX comes to mind.
ActiveX isn't a thing that ships, it's an interface that everybody uses to create browser extensions. Blaming ActiveX is like holding an operating system liable because they provide a way to delete a file. -- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site |
|
 fatnesssubtleJanitor join:2000-11-17 fishing kudos:13
| reply to Steve Wired News article
quote: Mozilla, the maker of the open source Firefox browser, is redoubling its efforts to check user created add-ons for viruses and Trojans after it discovered that a language pack on its official add-on page had been infected for months with rogue code, the organization reported Wednesday.
Starting in mid-February, Vietnamese users of Mozilla's open source Firefox browser were at risk of infection from malicious Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site. The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.
The glitch isn't the first time that seemingly trusted software included rogue code, but such occurrences are surprisingly rare given the amount of open-source and shareware programs that net users install based on blind trust. That's not even mentioning the huge selection of pirated software available on file sharing networks that could easily be infected with malware.
In response to the later discovery of the latent Trojan code by anti-virus software, Mozilla pulled the language pack and announced it would begin scanning all add-ons whenever they update their virus signatures, not just when add-ons are originally posted, according to an entry on the Mozilla security blog.
quote: 16,667 people had downloaded the add-on since November 2007.
-- Female monkeys often utter loud, distinctive calls before, during or after sex.. |
|
 MysticGogetaThe Robot DevilPremium join:2005-03-14 League City, TX | reply to Steve Wow! I like when people are shocked that a browser isn't perfect so they jump on every opportunity to flame/troll. -- Team Discovery-Join the fight |
|
 SUMwarePremium join:2002-05-21 kudos:2 2 edits | reply to Steve As has been stated, the infection occurred in one language extension addon. The Firefox browser itself was/is not infected.
said by fatness:Wired News article quote: Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site. The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.
»bugzilla.mozilla.org/show_bug.cgi?id=432406 quote: Dave Miller (MoCo) 2008-05-06 01:47:24 PDT clamscan says: vietnamese_language_pack-2.0-fx-win.xpi: HTML.Xorer FOUND The file is dated February 18, the virus signature is dated April 14, so we apparently had this in the wild for about 2 months before the scanners were detecting it.
Axel Hecht [:Pike] 2008-05-06 01:50:23 PDT FWIW, I think we're talking about http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189095&sitepanda=particulares, right?
Dave Miller (MoCo) 2008-05-06 01:53:02 PDT The signature I found that said April 14 on it was HTML.Xorer.A. The one you just found is much more likely to be a match, and the window looks much smaller there.
Hai-Nam Nguyen (jcisio) 2008-05-06 02:01:26 PDT With info from Panda security, I think it's just because the author's local network was infected with the virus, so it modified html files. The main virus is a Win32 program. The infected code just displays an annoying banner but it can't propagate. I think we might just remove the script and everything is back ok.
Justin Scott [:fligtar] 2008-05-06 10:20:09 PDT Since we seem to have determined it wasn't malicious on the part of the author, I've changed the add-on status to be in the sandbox and deleted both files. Jasper, please upload a new version without the virus and let us know and we'll check it out before pushing it public again.
Dan Guido 2008-05-07 21:07:14 PDT Was the source of this malicious code found?
Jasper Thái 2008-05-08 05:04:42 PDT Sorry for the inconvenience! I've found that the translated help files were modified by a virus that came from China. I'm so busy these days, but I've cleaned up the malicious code. The new fresh pack is coming soon. Thanks!
|
|
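The Bugzilla comments quoted above say the XPI's translated HTML help files were modified to load remote content, and that signature scanning only caught it about two months after upload. The sketch below is an added example (not code from this thread, Mozilla, or ClamAV) of a signature-independent check: it walks an XPI, including nested JARs, and reports HTML members whose `script` or `iframe` tags pull from a remote origin. The sample archive, file names and the `ads.example.invalid` URL are constructed for illustration, and the regex is a heuristic assumption, not a full HTML parser.

```python
import io
import re
import zipfile

# Tags that pull content from another origin when the page is rendered.
REMOTE_LOAD = re.compile(
    rb"<\s*(script|iframe)\b[^>]*\bsrc\s*=\s*[\"']?\s*((?:https?:)?//[^\s\"'>]+)",
    re.IGNORECASE,
)
HTML_SUFFIXES = (".html", ".htm", ".xhtml")


def scan_archive(data, prefix=""):
    """Return sorted (member path, tag, url) findings for an XPI/JAR given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, body = info.filename, zf.read(info)
            lower = name.lower()
            if lower.endswith((".jar", ".xpi")) and zipfile.is_zipfile(io.BytesIO(body)):
                # Extension packages commonly nest their chrome content in inner JARs.
                findings += scan_archive(body, prefix + name + "!/")
            elif lower.endswith(HTML_SUFFIXES):
                for m in REMOTE_LOAD.finditer(body):
                    tag = m.group(1).decode().lower()
                    findings.append((prefix + name, tag, m.group(2).decode()))
    return sorted(findings)


def build_sample_xpi():
    """Constructed sample: one clean help page, one with an appended remote script."""
    clean = b"<html><body><p>Help</p><script src='local.js'></script></body></html>"
    tampered = clean + b"\n<script src=http://ads.example.invalid/x.js></script>"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("locale/vi/help/index.html", clean)
        jar.writestr("locale/vi/help/tabs.html", tampered)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as xpi:
        xpi.writestr("install.rdf", b"<RDF/>")
        xpi.writestr("chrome/vi.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, tag, url in scan_archive(build_sample_xpi()):
        print(f"{path}: <{tag}> loads {url}")
```

A check like this complements rather than replaces the rescan-on-signature-update policy Mozilla announced; legitimate packages that reference remote resources would need an allowlist.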
 CabalPremium join:2007-01-21 Austin, TX
1 edit | reply to matunga said by Steve:said by goalieskates:Oh grow up. I pick up more bad stuff using IE than I ever do using FF. I think you're missing the point: here, the malware came from the vendor - Microsoft hasn't ever shipped malware, as far as I know, but Mozilla has. Try again. Next? -- Interested in open source engine management for your Subaru? |
|
 BeesTeaNetwork JanitorPremium,VIP join:2003-03-08 00000 | reply to SUMware said by SUMware: As has been stated, the infection occurred in one language extension addon. The Firefox browser itself was/is not infected. An important thing to note. The extent of involvement for the Mozilla project directly was marginal. I don't know if the addons are even directly hosted with Mozilla. This is essentially 3rd party. -- Overpower, overcome. |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | reply to MysticGogeta said by MysticGogeta: Wow! I like when people are shocked that a browser isn't perfect so they jump on every opportunity to flame/troll. It's not the browser that's imperfect, it's the quality control of distribution. That's news.
said by SUMware: The Firefox browser itself was/is not infected. The distribution mechanism was attacked, and that's news. It's just a happy accident that it was a little-used add-on: remember that XPI can execute code.
said by Cabal: Next? (re: my claim that Microsoft had not distributed malware) Yep, you're right - they did it too.
Corrupting the distribution system is a tremendous violation of trust.
Steve — longtime enthusiastic Firefox user -- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site |
|