Big Oops: Mozilla Releases Compromised Vietnamese Language Pack
I think it’s safe to say that a lot of Firefox users associate the browser with security. It may normally keep you out of harms way, but that’s not the case if you downloaded the Vietnamese language pack after February 18, 2008. It turns out that Mozilla released a copy of that particular language pack which was modified by a virus on their system. Since November 2007 there have been over 16,000 downloads of the add-on, but they aren’t sure how many of those downloads came after February 18th.
The actual language pack itself does not contain the virus, but it was modified by a virus to load remote content. They believe that it was mostly used for showing the user ads, but they don’t deny that it could be used for more malicious purposes.
The script that was injected into the language pack will be detected as HTML.Xorer by most antivirus applications. It was first recognized as a virus on April 14th, but it wasn’t found sooner by Mozilla because they only perform scans when the add-ons are uploaded. There are no subsequent scans, but they assure us that this will be changing in the future.
This makes me a little leery of installing any add-ons now. Just because it is coming from a trusted developer doesn’t mean that the extension hasn’t unintentionally been compromised. We just saw it happen right here, and it affects all operating systems since it is merely a script that has to run. I guess this is even more of a reason not to install an abundance of extensions.
The Vietnamese language pack has since been removed from the add-ons site.
Mozilla Security Blog [via Heise]
Enjoyed the post? Subscribe to our feed to get a daily dose of CyberNet!
Tags: Firefox, Freeware, Software, Browser, Mozilla, Vulnerabilities
Related Posts:
- Yes, Firefox does Phone Home Everyday
- Mozilla Officially Releases Firefox 2 Beta 2
- Google Pack Goes Global
- Mozilla Sunbird And Lightning 0.3 RC1 Available
- Google Releases A Whole Package Of Software
i use the Dr.web Firefox extension to scan all extension before i install them.
or you can download the extension manually be using save link as on the extension and have your antivirus scan it locally
Yeah,
When I first heard this information on another security site I was initially a bit concerned for two reasons:
1) Mozilla is often touted (rightly/wrongly) as being a “secure” browser. I expect to see some finger-wagging and Firefox bashing in the blog-o-sphere out of this.
2) It really is a wake-up call for just downloading and installing Mozilla Add-ons without considering the potential risk…although to my recollection, Mozilla has always been cognizant and public about this risk to its users.
However, I am a bit more relaxed about it for these reasons:
1) Mozilla and the community work hard to ensure these situations don’t happen if the Add-ons are included and downloaded from the approved Add-on site: Mozilla Add-ons - https://addons.mozilla.org/ (Even if in this particular case it actually got in there.)
2) I am not a programmer, but the Add-on format makes it relatively simple for the average Mozilla user to download, open, and inspect the contents of the Add-on code, prior to installing it.
With a good (and free) file compression program (I use 7-Zip) you can unpack the .XPI file Add-ons are bundled up in.
From there you can open almost all of the elements with Notepad or a good freeware alternative (Notepad++) to view the XML/XUL and JavaScript code.
Even if I don’t know all the details of programming, I can probably pick out a suspicious URL and IP calls or other obvious “gothcas” that might warrant a followup email to a Mozilla forum or even the developer to clarify.
Lifehacker has a nice intro: How to build a Firefox extension - http://lifehacker.com/software.....264490.php
I guess having a “relatively” secure source for authorized Mozilla Add-ons as well as the format of Add-ons being open for content inspection brings me a bit more comfort.
But it does certainly brings a bit more pause-before-install to my own Add-on love and usage.
In most cases that will work well, but you still aren’t completely protected. In this situation it took about two months for antivirus apps to pick up on the virus, and so you were left vulnerable for that entire period of time.
That is one of the beauties with the extensions, but some are so complex that it could take a long time to try and find any insecure parts. Plus, from what I gather with this vulnerability the URL was disguised using HTML encodings. So it’s not like you’re looking for a URL that points to an IP address or something like that.
You folks still don’t get it do you?? Mozilla markets Firefox on the fact that it’s suppose too be a more secure browser. But you can’t go adding a bunch of extensions too something and expect it too remain more secure. Your just adding “possible cracks”, and I’m still “laughing now”. I’m sure Window Snyder is laughing too when she’s not trying too get it patched. Toldja folks. (Beat up on IE 7 now Firefox faithful)
I don’t think anyone would ever deny that using extensions decreases the security of the browser. I know I’ve never said anything along those lines.
The only extension I know of that truly increases security in Firefox is NoScript http://noscript.net It truly does make me feel safer when using Firefox because I decide which sites can run scripts, use plug-ins, and it provides XSS protection. I love the fact that it puts me in control. However I definitely tend to stay away from new or unknown extensions unless I am trying it in a Sandbox so I can limit it’s access to the system.
I’ve used that NoScript for a little while before, but so many of my favorite sites use JavaScript so it hinders my experience more than anything. What would be cool is if you could automatically have it whitelist a site once you’ve visited it over a dozen times or so. That way the ones you are just skimming through from a Google search and whatnot will have JavaScript disabled.
That’s what I thought about NoScript as well, but I decided to give it a good try. What I found was it was so easy to whitelist a site that it really was no harder than normal browsing. I only whitelist important sites I visit a lot or ones that won’t work otherwise. Less frequent sites I temporarily whitelist just in case they ever get infected in the future. One other thing, with NoScript even if you disable the scripting protection you still get the anti-XSS protection. With the growth of malware delivered through the browser it seems the only safe thing to do unless you want to live in a sandbox like Sandboxie which works quite well for keeping bad stuff out. Either way just be safe; that’s what is important.