You cannot prevent this from happening as long as users continue executing
email attachments that contain viruses. Once an executable is run, it can
do anything at all, including uninstalling FF and replacing it with a
different version.
Even signed installations won't help in this case, because there was no
installation. Maybe it is possible to sign the extensions and keep them
signed and encrypted and decrypt them in run-time, once FF starts and check
the signatures in run-time etc. etc. etc., but it won't prevent such things
from happening as long as the users continue executing unknown code on their
computers.
This is a job for the OS, to make sure that the code that is executed does
not modify installation files and such, but the OS won't do it. The code in
question modifies files in user preferences area for FF application, why is
another application allowed to do this? Well, that's because the OS does
not understand the context and the boundaries of the installation and of the
running processes.
All you can do is educate the users.
Roman
Hi,
I have just been alerted that malware has been found[1] which installs
a trojaned version of numberedlinks, an extension I maintain here at
mozdev.
It seems to have been sent out in spam email with an EXE
attachment[2]. Alternatively, it was also spread via an Internet
Explorer exploit[3].
I have not been able to get my hands on a copy of the malware.
McAfee's profile and TechWeb[4] show it is a Windows trojan which
sends various sensitive information (sniffed ICQ, FTP, POP3, and IMAP
passwords, as well as form contents on web pages) to a compromised web
server.
Slightly interesting, but not surprising, is the fact that the fake
extension is not "installed" via the GUI. The files are placed
directly into the user's Firefox profile.
I have seen legitimate extension code which goes as far as patching up
Firefox chrome code at run-time. I am surprised the malware authors
bothered to even use an extension or at least haven't "cloaked" it by
patching up relevant Firefox chrome code.
Obviously this incident could have affected any Firefox extension and
I have the feeling similar things will happen in the future. The
question is how we can make it harder to abuse extensions.
Any suggestions how we can make life a little harder for these people?
Thanks to Martijn Weisbeek (MozBrowser.nl) for alerting me.
Stefan
[1] http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=140256
[2] http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=140257
[3] http://vil.nai.com/vil/content/v_140256.htm
[4] http://www.techweb.com/wire/security/191101268
_______________________________________________
Project_owners mailing list
[email protected]
http://mozdev.org/mailman/listinfo/project_owners
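
Added example, not part of either message above and not mozdev or Firefox code: because the fake extension was written straight into the profile instead of being installed through the GUI, a hash baseline of the profile's extensions directory can flag such changes after the fact. The directory layout, extension ID and file contents are constructed, and the baseline is assumed to be stored where processes running as the user cannot rewrite it.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(ext_dir):
    """Map each file under ext_dir (relative POSIX path) to its SHA-256 digest."""
    root = Path(ext_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff(baseline, current):
    """Return files added, removed or modified since the baseline snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }


def demo():
    """Constructed scenario: files change on disk with no GUI install step."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "extensions"          # hypothetical profile layout
        good = ext / "{sample-extension-id}" / "chrome"
        good.mkdir(parents=True)
        (good / "overlay.js").write_text("// legitimate overlay\n")
        (ext / "{sample-extension-id}" / "install.rdf").write_text("<RDF/>\n")
        baseline = snapshot(ext)                # taken on a known-good profile

        # Simulate an external process writing straight into the profile.
        (good / "overlay.js").write_text("// replaced content\n")
        (good / "extra.js").write_text("// file that was never installed\n")
        return diff(baseline, snapshot(ext))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

This detects the change but does not prevent it: code running as the user can alter any baseline that the same user account can write to.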