Trojan Spoofs Firefox Extension, Steals IDs
ronjor
July 25th, 2006, 08:02 PM
-{ Quote: " An identity-stealing keylogger that disguises itself as a Firefox extension and installs silently in the background was discovered Tuesday by security vendor McAfee." }-
Article (http://www.techweb.com/showArticle.jhtml?articleID=191101268)
aigle
July 26th, 2006, 03:04 AM
So use Opera!
Rasheed187
July 26th, 2006, 07:49 AM
But this basically means that there is a serious flaw in the extensions security model, correct? I mean how the heck can a site install an extension without a popup getting displayed? ???
I also think that FF should encourage people to only download extensions from their site; I suppose they have checked out all the extensions to see if they do not contain any malicious stuff or anything.
Mrkvonic
July 26th, 2006, 08:58 AM
Hello,
So to get infected, you need to:
Open a bogus mail.
Open a bogus attachment.
Install an extension and not worry that you install an extension that was downloaded NOT from the official site, but if you open strange mails and attachments, you definitely would not bother about something as inconsequential as the validity of the source.
Wow, that's quite a lot of stupidity needed.
Mrk
ellison64
July 26th, 2006, 03:35 PM
-{ Quote: "So use Opera!" }-
I'd switch tomorrow if only RoboForm was compatible with it.
ellison
aigle
July 26th, 2006, 03:40 PM
-{ Quote: "Install an extension and not worry that you install an extension that was downloaded NOT from the official site" }-
It was not needed in that case. It installed without user intervention.
aigle
July 26th, 2006, 03:41 PM
-{ Quote: "But this basically means that there is a serious flaw in the extensions security model, correct? I mean how the heck can a site install an extension without a popup getting displayed? ???
I also think that FF should encourage people to only download extensions from their site, I suppose they have checked out all the extensions to see if they do not contain any malicious stuff or anything." }-
It is the same as a drive-by download, I think.
Even rootkits can be installed just by visiting a malicious site without any intervention; I remember your thread.
dog
July 26th, 2006, 03:43 PM
aigle re-read the article ... you need to execute the email attachment. ;)
aigle
July 26th, 2006, 03:44 PM
-{ Quote: "I'd switch tomorrow if only RoboForm was compatible with it.
ellison" }-
You always get something and at the same time you lose some.
Opera has a form-filling option that is too premature.
I have added an "open in FF" button to my Opera, so if I need something like this, I just open FF at that time via Opera, but Opera is my main browser.
aigle
July 26th, 2006, 03:45 PM
-{ Quote: "aigle re-read the article ... you need to execute the email attachment. ;)" }-
Sorry, I thought it was not the case. In fact I had read it in a hurry!
Thanks for the correction.
aigle
July 26th, 2006, 03:51 PM
-{ Quote: "aigle re-read the article ... you need to execute the email attachment. ;)" }-
Hi Dog, I meant this.
"Normally, Firefox extensions -- which in Windows have the .xpi file extension -- display a confirmation dialog that the user must acknowledge before the add-on installs. The bogus Numberedlinks, however, skips that."
TNT
July 26th, 2006, 03:53 PM
-{ Quote: "Hi Dog, I meant this.
"Normally, Firefox extensions -- which in Windows have the .xpi file extension -- display a confirmation dialog that the user must acknowledge before the add-on installs. The bogus Numberedlinks, however, skips that."" }-
So what? It writes directly to the Firefox directory, IF YOU DOWNLOAD IT AND EXECUTE it. This is a completely different thing from drive-by-download.
aigle
July 26th, 2006, 04:58 PM
Agree.
A1SteakSauce
July 26th, 2006, 04:58 PM
Wow... And I thought you had to click "Install" to put an extension on Firefox. I like Firefox more than Opera because it is open source but if Firefox wasn't open source I would ditch it for Opera right away.
dog
July 26th, 2006, 05:48 PM
-{ Quote: "Wow... And I thought you had to click "Install" to put an extension on Firefox. I like Firefox more than Opera because it is open source but if Firefox wasn't open source I would ditch it for Opera right away." }-
I'd guess it bypasses the whole install routine because the executable is dropping the package in the Firefox doc/user folder ... I doubt FF needs to be open, nor is it required to run through the regular install routine. Like already stated ... you need to be gullible to fall for this (i.e. running an exe attachment).
A1SteakSauce
July 26th, 2006, 06:47 PM
Ah... I see now. So it puts itself in the extensions folder. OK. That clears that up.
phasechange
July 26th, 2006, 06:56 PM
-{ Quote: "Ah... I see now. So it puts itself in the extensions folder. OK. That clears that up." }-
I think this makes the security model pretty weak!
Brian N
July 27th, 2006, 02:36 AM
-{ Quote: "Hello,
So to get infected, you need to:
Open a bogus mail.
Open a bogus attachment.
Install an extension and not worry that you install an extension that was downloaded NOT from the official site, but if you open strange mails and attachments, you definitely would not bother about something as inconsequential as the validity of the source.
Wow, that's quite a lot of stupidity needed.
Mrk" }-
Agreed, it seems highly unlikely that anyone will actually get this trojan into their system unless they really want to have it in there for some reason.
TNT
July 27th, 2006, 04:17 AM
-{ Quote: "I think this makes the security model pretty weak!" }-
"The security model"!?!? ::)
Once you have executed the trojan on your machine it can do whatever it wants. Even if Firefox required that the extensions had been digitally signed to work, the trojan could have patched the Firefox executable so that the signature always matches anyway. It's ridiculous to think this is a Firefox flaw.
Devil's Advocate
July 27th, 2006, 04:33 AM
I have to agree with TNT. If you choose to run an exe, it can freely replace any legitimate file with a copy of itself, and you are dead unless you have some sort of system for checking legitimate files (not just exes) like Windows File Protection??? (assuming it doesn't just work around it).
With a bit more work, the attacker could have just replaced the whole firefox.exe file with a trojanised copy, but that would be less stealthy than adding an extension.
Still I suppose the same 'trick' can work with IE, to install BHOs,activex controls and whatnot right?
spm
July 27th, 2006, 08:11 AM
-{ Quote: ""The security model"!?!? ::)
Once you have executed the trojan on your machine it can do whatever it wants. Even if Firefox required that the extensions had been digitally signed to work, the trojan could have patched the Firefox executable so that the signature always matches anyway. It's ridiculous to think this is a Firefox flaw." }-
Actually, there is every reason to consider this a Firefox flaw. Firefox employs a plugin architecture that can (obviously) be abused. While I agree that it takes manual action to have the trojan installer run in the first place, what it then does is to exploit an identified weakness in Firefox.
I wonder, if the same technique was used to install an ActiveX control in IE, whether you would rush to claim it was not an IE flaw. I suspect not.
Mrkvonic
July 27th, 2006, 08:20 AM
-{ Quote: "Actually, there is every reason to consider this a Firefox flaw. Firefox employs a plugin architecture that can (obviously) be abused. While I agree that it takes manual action to have the trojan installer run in the first place, what it then does is to exploit an identified weakness in Firefox.
I wonder, if the same technique was used to install an ActiveX control in IE, whether you would rush to claim it was not an IE flaw. I suspect not." }-
Hello,
You double-click on an installer. It installs. What has this got to do with Firefox? ActiveX install THROUGH IE / Explorer. This Trojan installs from your MAIL ATTACHMENT. For that matter, this trojan can change your desktop, change your theme or change your favorites. Once you execute a file of your computer ...
It did not install THROUGH Firefox while you were browsing a site in Firefox. It did not download itself and install itself by visiting a site. That's why it has nothing to do with Firefox.
As to what can be abused - what cannot be abused when the user is stupid enough to open a strange mail & run a strange .exe attachment. Like asking what bullet-proof vest is good enough for someone: who picks a gun off the street and checks if it's loaded by aiming the barrel into his eye socket and pulling the trigger.
Placing the "extension" is a nice way of diverting the attention to the presence of the trojan from the obvious locations like startup or such. Nothing more. It could also have been an add-on to your favorite p2p or a widget for Opera.
Mrk
dog
July 27th, 2006, 09:16 AM
- 2 OT posts removed -
TNT
July 27th, 2006, 12:42 PM
-{ Quote: "Actually, there is every reason to consider this a Firefox flaw." }-
No, there isn't.
-{ Quote: "Firefox employs a plugin architecture that can (obviously) be abused." }-
How? By running a trojan?
-{ Quote: "While I agree that it takes manual action to have the trojan installer run in the first place, what it then does is to exploit an identified weakness in Firefox." }-
What weakness? If malware is running on a computer with the privileges to write to a directory, it can do ANYTHING it wants with the files in that directory. What would you do to prevent this? Execute plugins only if they're "trusted"? The malware could then replace the executable so that it runs plugins even if they're not trusted. That's not a security flaw in a program, it's a basic filesystem permission concept: if a trojan can write to a directory, there is nothing that prevents it from exploiting the programs in it. This applies to every program in existence, not just to Firefox.
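One defender-side check for the situation described in the posts above (a process that already has write access simply copies an extension folder into the profile, so the browser's install confirmation is never a control), as an added example that is not from this thread or from Firefox: a file-integrity baseline of the profile directory that reports the dropped extension folder on the next comparison. The profile layout, the extension ids and the file contents below are constructed placeholders, not values from the article.

```python
import hashlib
import os
import tempfile

def _write(path, text):
    """Helper for the constructed sample: write a small text file."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def build_manifest(root):
    """Map every file below root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, modified, removed

def extension_ids(paths):
    """Collapse paths of the form extensions/<id>/... to the set of ids."""
    ids = set()
    for p in paths:
        parts = p.split("/")
        if len(parts) >= 2 and parts[0] == "extensions":
            ids.add(parts[1])
    return ids

def demo():
    """Constructed profile: take a baseline, drop an extension, diff."""
    with tempfile.TemporaryDirectory() as profile:
        ext = os.path.join(profile, "extensions")
        good = os.path.join(ext, "{good-id}")        # placeholder id, constructed
        os.makedirs(good)
        _write(os.path.join(good, "install.rdf"), "<RDF>good</RDF>")
        _write(os.path.join(profile, "prefs.js"), 'user_pref("x", 1);')
        baseline = build_manifest(profile)
        # What the thread describes: files written straight into the profile's
        # extensions folder by something that already has write access, so no
        # browser dialog is involved. A stored baseline still reveals it.
        dropped = os.path.join(ext, "{dropped-id}")  # placeholder id, constructed
        os.makedirs(os.path.join(dropped, "chrome"))
        _write(os.path.join(dropped, "install.rdf"), "<RDF>dropped</RDF>")
        _write(os.path.join(dropped, "chrome", "content.jar"), "jar bytes")
        _write(os.path.join(profile, "prefs.js"), 'user_pref("x", 2);')
        return diff_manifests(baseline, build_manifest(profile))
```

In practice the baseline manifest is stored outside the profile (or on read-only media), since a process that can write the extensions folder can also rewrite a manifest kept beside it.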
TNT
July 27th, 2006, 12:45 PM
-{ Quote: "Placing the "extension" is a nice way of diverting the attention to the presence of the trojan from the obvious locations like startup or such. Nothing more. It could also have been an add-on to your favorite p2p or a widget for Opera." }-
Exactly.
A1SteakSauce
July 27th, 2006, 03:11 PM
Then to get rid of it, since it would be in the extensions folder, would you just have to manually delete the file from the folder? I'm sorry if this is just a dumb idea. I'm not very computer smart. ;D
Lamehand
July 27th, 2006, 03:45 PM
This article from mozillaZine explains what you have to do to get this on your system and it's quite a lot of work.
http://www.mozillazine.org
Lamehand
phasechange
July 27th, 2006, 06:38 PM
-{ Quote: "aigle re-read the article ... you need to execute the email attachment. ;)" }-
No you don't. It can infect your machine if you haven't patched IE against the VBS/Psyme vulnerability (which is unlikely to be a problem for anyone on here) as a Drive By installation as mentioned by previous posters earlier in this thread.
There seems to be a lot of hostility to this story (not referring to any individual but just to some responses I have read around the net) and I suspect it indicates that some people have a huge emotional attachment to Firefox. I would like to see a trust certificate model in Firefox with checks against a banned list of extensions on loading an extension to make this sort of disruption more difficult. Hence my comment about the "security model".
This "extension" is interesting as it uses an old exploit to knobble a browser that users are often very trusting of. I for one do all my financial transactions in Firefox and not in IE and I suspect I am not alone in this (for those whose banks don't use ActiveX).
Fairy
Mrkvonic
July 28th, 2006, 03:38 AM
Hello,
You need to do at least 2 deliberate steps to get infected.
To some of your points:
1. .... haven't patched IE ... - says everything.
2. Hostility - trying to present Firefox as a security liability just so the "experts" can say "Firefox is as vulnerable as IE" or "it has had as many vulnerabilities as IE" or "this only ever happened in IE but can also happen in Firefox" truly sincerely piss me off.
Such statements are:
Inaccurate
intended to monger fear
Aggressive marketing
Firefox does not need certificate against a user being a moron. As to certificates, for 600 dollars, ANYONE can buy a certificate.
For that matter, the exploit could just have invisibly patched the Firefox executable. And then what? You would still be infected and not even know it.
As to Firefox vulnerabilities, people only talk, "experts" only talk. I want one demonstration with screenshots or even a movie showing how you get hit by a drive-by-download in Firefox. No one has ever even remotely hinted at such a demonstration. Something like:
Here, I go to this site:
screenshot
I move my mouse cursor about:
screenshot
I exit the site and I'm infected:
screenshot
Here are the infections (HJT, startup etc):
screenshots
Once someone shows me a live example of Firefox actually doing something bad, I'll stop being annoyed by stupid stories.
Mrk
phasechange
July 29th, 2006, 01:53 PM
-{ Quote: "
2. Hostility - trying to present Firefox as a security liability just so the "experts" can say "Firefox is as vulnerable as IE" or "it has had as many vulnerabilities as IE" or "this only ever happened in IE but can also happen in Firefox" truly sincerely piss me off.
" }-
I haven't said "Firefox is as vulnerable as IE" or any of your other quotes and neither have the experts that you refer to. I really don't understand the anger/hostility being expressed here. Nobody is insulting people's mothers here! All that has happened is that a couple of pieces of malware have collaborated to produce a nasty that targets Firefox (via IE). Many users seem to be in denial and don't want to have any bad publicity about their browser even when the publicity is factual.
The unsigned Extensions in Firefox remain a weakness. It doesn't make it a bad browser (it's my browser of choice). However this is a sign that Firefox is now a target for malware authors and that the community is reacting in a "head in the sand" manner.
Fairy
TNT
July 29th, 2006, 02:40 PM
-{ Quote: "The unsigned Extensions in Firefox remain a weakness." }-
This trojan could have targeted Firefox no matter whether the extensions were signed or not, that's the point. If you let it overwrite files in the Firefox directory, it can do whatever it wants with the executable or dlls, so the fact that it created an extension to do its evil deed is completely irrelevant. It could have done ANYTHING.
Other than that, there is "signed" ActiveX malware (look up the Carima trojan-dialers for an example).
I'm all for "signed" extensions, but this trojan's method has nothing to do with a Firefox "vulnerability". All a signature does for an extension is verify that the extension has not been tampered with after it was put on the distributing site. All it does is tell you that the distributing site was not compromised, but it doesn't verify that it's not malware, nor does it absolutely make Firefox "uncorruptable" by trojans.
spm
July 29th, 2006, 02:48 PM
-{ Quote: "However this is a sign that Firefox is now a target for malware authors and that the community is reacting in a "head in the sand" manner." }-
Indeed. It is a fact that for some time now, more vulnerabilities have been discovered in FF than in IE. Sure, that doesn't make it a 'bad' browser - it is good for a number of reasons, as is IE (irrespective of certain people being completely unable to accept this). Then again, you can't argue with zealots, because only they are 'right', only they know the 'facts'. Of course, that is wrong, and all but the zealots know that.
Devinco
July 29th, 2006, 02:52 PM
If you have to be using an unpatched vulnerable version of IE to get hit with a drive by download (whose payload then delivers into a FF directory), then that is a drive by download caused by a vulnerability in IE not FF.
Signed extensions sound good, but they should be free. Otherwise, it will stifle creativity in the extension community.
And it seems that signed extensions wouldn't really protect you from this type of attack vector (executing an attachment). User education about not running email attachments would do the most good here.
TNT
July 29th, 2006, 02:55 PM
-{ Quote: "Then again, you can't argue with zealots, because only they are 'right', only they know the 'facts'. Of course, that is wrong, and all but the zealots know that." }-
"Zealots"? Don't make me laugh. I do not even think Firefox implements an acceptable security model for a complex application like a modern web browser, that's why I always run it sandboxed.
What you fail to understand is a basic security concept, as in "a trojan can replace any file it has permissions to write to". To claim an application is vulnerable because a trojan that already got complete access to the system can write to its binaries is laughable. Simple as that.
It is utterly, completely obvious that if Firefox used signed extensions the malware authors would have modeled the trojan to target Firefox on something else (you think compromising its "signature verification" routines couldn't have been done? Why?). To claim that Firefox is vulnerable because it can be compromised by a trojan already running on the system is like saying an application is vulnerable because I can go and delete it. It's absolute nonsense.
Mrkvonic
July 29th, 2006, 05:00 PM
Hello,
Like I said 655 times till now: Please someone show me how you get infected through Firefox - by a drive-by-download thingie. Could someone please demonstrate this and shatter my bubble? Please, someone create a short article with 4-5 screenies, showing this procedure - you visit a site, you get infected. Could someone please convince me that I'm wrong?
Mrk
ronjor
July 29th, 2006, 06:22 PM
Some off topic posts removed. Focus on the issue not the posters.
Devil's Advocate
July 30th, 2006, 06:29 AM
-{ Quote: "No you don't. It can infect your machine if you haven't patched IE against the VBS/Psyme vulnerability (which is unlikely to be a problem for anyone on here) as a Drive By installation as mentioned by previous posters earlier in this thread." }-
Later development I think. But again this is an IE flaw, not a Firefox flaw. Using that vulnerability, it can pretty much target anything it wants anyway and do anything it wants anyway. It doesn't have to use Firefox.
-{ Quote: "
There seems to be a lot of hostility to this story (not referring to any individual but just to some responses I have read around the net) and I suspect it indicates that some people have a huge emotional attachment to Firefox.
" }-
Although I agree with you that this sometimes happens, this is not the case here.
We are talking about a method of infection that depends on user error (choosing to run the attachment yourself) and/or vulnerabilities in another product (in IE to be exact!) after which the malware can do as it pleases.
It's fairly unique in that it chose to target Firefox, but it can easily attack any other target. Given that the problem stems not from Firefox vulnerabilities, there isn't much Firefox can do.
-{ Quote: "
I would like to see a trust certificate model in Firefox with checks against a banned list of extensions on loading an extension to make this sort of disruption more difficult. Hence my comment about the "security model".
" }-
This unfortunately doesn't help much against the type of attack we are talking about. I can't see why the malware added cannot be signed, after all anyone can write an extension and sign it.
That's assuming the trojan doesn't just directly patch the exe and dlls to bypass the signature checking.