Spyware Disguises Itself as Firefox Extension
Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."
How does it work? (Score:2, Insightful)
If it's #1, it's bad
If it's #2, not so bad - a simple virus
If it's #3 - hey, who installs extensions from non-official sources?
Re:Not a vulnerability. (Score:3, Insightful)
My feeling is that Firefox desperately needs to implement some kind of trust model. I can understand why that might not be RSA PKCS since the system is crap for small publishers. But something is needed. Even a trust model based on PGP signing would be of benefit.
I'm sure some would argue that no one looks at signatures anyway, which might be an exaggeration, but it does have some truth. It is certainly no excuse for offering no trust model at all, or for Firefox UI designers to not be able to produce some simple traffic light trust system with sensible defaults to simplify it for those who can't or won't look at the certs.
Re:Not a vulnerability. (Score:5, Insightful)
While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.
Of course, this presupposes that Firefox hackers can manage to get their extensions signed, and if that's possible, then the malware authors could do the same. Unless...FF gets distributed with a mozilla.org CA cert, and extensions accepted and published on the mozilla site(s) get signed with that cert, then every "legitimate" extension from the mozilla sites will be verifiable at runtime. The user could opt out of that with an "allow execution [not installation] of unsigned extensions" preference setting, but the majority of users would be protected, so long as the malware doesn't also set that preference for the user.
(though even that last bit could be guarded against by creating a personal key to sign the config with, and every time you make a "security relevant configuration change" to the browser's settings, you have to re-sign the file.)
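The runtime check this post sketches, as an added example that is not from the thread or from Firefox: a manifest of every file under the profile's extensions directory is signed with a personal key, and the check reports anything added, modified or removed, or refuses outright if the manifest itself was altered (the "next trojan adds itself to the file Firefox checks" case). HMAC-SHA256 stands in for a real public-key signature, the key and the directory layout are constructed for the example, and the caveat from elsewhere in the thread still holds: an attacker who can write as the user can also alter the verifier.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed example key; stands in for the user's personal signing key.
KEY = b"constructed-example-key-not-a-real-secret"


def build_manifest(ext_dir: Path) -> dict:
    """Map each file under the extensions directory to its SHA-256 digest."""
    manifest = {}
    for path in sorted(ext_dir.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(ext_dir).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Serialise the manifest canonically and attach a MAC over it."""
    body = json.dumps(manifest, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify_extensions(ext_dir: Path, signed: dict, key: bytes) -> dict:
    """Return added/removed/modified files; raise if the manifest was tampered with."""
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("manifest signature invalid: manifest itself was altered")
    trusted = json.loads(signed["body"])
    current = build_manifest(ext_dir)
    return {
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
        "modified": sorted(f for f in trusted.keys() & current.keys()
                           if trusted[f] != current[f]),
    }


def demo() -> dict:
    """Constructed scenario: sign one known extension, then drop in a second one."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = Path(tmp) / "extensions"
        (ext_dir / "numberedlinks").mkdir(parents=True)
        (ext_dir / "numberedlinks" / "install.rdf").write_text("<RDF/>")
        signed = sign_manifest(build_manifest(ext_dir), KEY)
        # Simulate an extension written straight into the profile, bypassing install.
        (ext_dir / "dropped-in").mkdir()
        (ext_dir / "dropped-in" / "install.rdf").write_text("<RDF/>")
        return verify_extensions(ext_dir, signed, KEY)
```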
The tip of the iceberg... (Score:2, Insightful)
This is the proverbial shot across the bow. Perhaps it's time for cryptographically signed extensions? It may not protect from someone explicitly installing a hostile extension, but it may prevent the self-installation of this kind of software from succeeding.
It is a vulnerability. (Score:2, Insightful)
At least, that's how it works for other software.
Re:Personally... (Score:4, Insightful)
Education must be the answer then. I learned not to open random executables from unknown sources many years ago. People apparently click them though. Teach a man to use the internet, and he'll be safe for a day. Teach a man to know the internet and he'll be safe for a lifetime.
Re:Not a vulnerability. (Score:5, Insightful)
Once you're pwned, you're pwned. If you give someone free rein on your box, he can do anything to any file writeable by you.
Re:Not a vulnerability. (Score:5, Insightful)
Once someone's system is compromised, they can replace or alter the FireFox binary which verifies the signatures, replace libnssckbi.so, libsoftokn3.so, whatever.
You can't win at that point. If you're storing your operating system and executables on writable media, it can never be trusted to that level. The hardware would have to cryptographically verify the boot loader on disk, which would verify the kernel, which would then be able to verify everything it executes--FireFox alone can't do it.
(Say, what was that hardware-based Trusted Computing stuff supposed to do? In addition to ramming DRM down everyone's PCI bus, wasn't there system verification too?)
Re:Why is mozdev.org still... (Score:2, Insightful)
And, until this is settled, I will consider anything you develop to be suspect.
Then that makes you part of the problem, asshole. It's not the legitimate author's responsibility to police every malicious programmer and make sure that they are not using the same name as something that is legitimate. If he has the name of his extension legally registered, and the author of the malware gets identified, then the legitimate author can sue for infringement, but that's the only recourse he has. He just has to hope that malinformed assholes like yourself are the minority.
Re:Not a vulnerability. (Score:2, Insightful)
I think this just gives you a false sense of security. If your OS were secure and you knew for a fact that no one else could ever write to the firefox config files or the registry, you could sign things just fine. But this isn't a man in the middle attack, but more like a "man in the backroom" attack. And that's exactly what this spyware does.
Re:FUD (Score:3, Insightful)
It's probably worth considering that most people smart enough to have switched to Firefox are also smart enough not to think "oooh, cool, free file, better see what it does!!!1".
Re:Emphasis on that. (Score:5, Insightful)
This is a user-executed email attachment with a trojan. It will happily be executed from Outlook Express, IE, Eudora and Thunderbird. McAfee mentions they've seen one version trying to exploit a three year old IE vulnerability. If you haven't patched that, well then you deserve to get nailed.
This does not exploit any vulnerability in Firefox
It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing something is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.
If your OS is not secure, no app running on it can be secured.
If your OS is being operated by a user that executes attachments from "WalMart" that read "helo, teh attcachements for yuo pleasures" then your OS is not secure.
BTW, this progression is interesting. When FF came out just installing it would make the world safe, because it was invulnerable and impervious. Now I also have to switch operating systems? And when someone finds another exploit in SSH
Re:Not a vulnerability. (Score:3, Insightful)
So the problem isn't the software. It's the people using the software. As more people learn about Firefox, we'll just have to accept that some of them are going to be stupid. It's a statistical inevitability. You can fix security holes all day, but you can't fix stupid.
Signatures don't matter here (Score:4, Insightful)
The only place a signature would matter in this case is when the trojan executable was run. If you are executing attached executables from an e-mail, then no amount of signature verification is going to protect you. The reality is that no technical process can exist that will prevent this kind of attack so long as users can install their own software.
Re:It is a vulnerability. (Score:3, Insightful)
By way of example, at my previous job I used a linux boot floppy to change the local administrator password on a Windows NT4 system, thus owning the machine at the next boot. By an extension of your standard, this represented a Windows vulnerability, because whatever measures Windows may have taken to prevent such a thing (like NTFS) were ineffective.
I think that's a clear mis-assessment of the true vulnerability: the problem wasn't that Windows couldn't handle tampering, but that the machine itself was physically unprotected from tampering. (Fortunately, I was an authorized tamperer.)
Likewise, it is unreasonable to expect any app to successfully defend itself from its host OS. Firefox might make OS-level tampering harder, but it cannot prevent it. Therefore I agree with the grandparent poster that this is not a firefox vulnerability.
Re: Emphasis on that. (Score:5, Insightful)
Any extension downloaded from addons.mozilla.org has been tested, is widely used, and subject to an enormous amount of user feedback.
Now, if you download an extension from kickme.to/malware, you get what you deserve.
firefox -safe-mode & (Score:2, Insightful)
I also change a few settings in options->content and about:config to prevent javascript from doing anything but the basics. Since I'm always bouncing back between windows xp, linux, freebsd, and mac os x - it's nice to be able to achieve such consistency and still know what my baseline for browser security posture is.
there is worse spyware out there these days anyways. see: http://theinvisiblethings.blogspot.com/2006/06/in
Re:Emphasis on that. (Score:5, Insightful)
Okay, and then the next trojan will simply add itself to the file that Firefox checks to see if the extension is new, and you're back to square one.
Firefox isn't the problem. The fact that the thing can write to the application's directory means the computer is already compromised.
Re:Emphasis on that. (Score:3, Insightful)
Although I agree with this statement, a lot of the time the really nasty ones are spread by people you *DO* know. You know the type. This is the user that actually believes clicking "Remove me from this list" will actually remove them from that spammer's list. These also tend to be those people that clog the email system with "try this! It really works!" messages.
B.
Re:Not a vulnerability. (Score:1, Insightful)
"winbloze"
Please remember that for the future. It's sad *nix fanboyism to write such words, as are forms of "Microsoft" with a string symbol($) in it, variations on "Windows" and constructions with "Internet Explorer". Thank you.
Your comment was otherwise insightful, and you hit the nail on the head, but then you had to go and spoil it all by saying "Winbloze"