Experts predict Firefox spyware will show up this year

Discussion in 'other software & services' started by rdsu, Feb 7, 2005.

Thread Status:
Not open for further replies.
  1. rdsu

    rdsu Registered Member

    Jun 28, 2003
  2. dog

    dog Guest

    No worries ... as exploits are found they will quickly be patch, unlike IE exploits that remain unpatch for months.

    I still find it hard to believe that Spyware Writers, would target FF, generally people who do use FF are pretty security conscious, employ a layer defence, and likely use a filtering app such as Proxomitron, which would pretty much eliminate any chance of success.

    They're opportunist, who pray on the unwary and I don't think that will change. It would require too much effort for a small return.

    The Anti-Spy companies will naturally play up the FF/Spyware Story to generate more sales. Their opportunist too, and this is easy marketing for them. ;) ~No offense intend~ Business is Business ;) :)

    My Two Cents,

    Last edited by a moderator: Feb 7, 2005
  3. meneer

    meneer Registered Member

    Nov 27, 2002
    The Netherlands
    I doubt if the impact of spyware in firefox, or Opera for that matter, will be as big as the impact on IE systems. Simply because the firefox process is not as priviliged as IE processes. Even if ff surpasses the 50% market share (not there yet) and it way be the browser of choice for the rest of the world, the threats are less.
  4. dog

    dog Guest

    Very Good Point Andre.

    System rights are one of IE's biggest issues; as well as ActiveX & BHOs that were mentioned in the article.

  5. Cochise

    Cochise A missed friend

    Jan 26, 2003
    North Thoresby Lincs Good Olde England
    Aye!...don't be too complacent Folks, those Buggers (People who Bug Computer users), don't miss a trick or a chance......with everybody and his dog (Nothing personal dog) going on about how all and sundry should get the old FF on their OS.....I'm afaraid that in a short time the Head of the Gorgon will be looking your way.....batten down the hatches....

    Cochise, :cool:
  6. nadirah

    nadirah Registered Member

    Oct 14, 2003
    Firefox should be safe from most of the spyware, and also the exploits for firefox should be fixed faster than the ones in IE, in general firefox is a pretty secure browser IMHO.
    Another thing: ActiveX
    By now everybody should be aware that most spyware also gets in via the ActiveX technology found in IE. Javacool's Spywareblaster program can prevent most of the spyware from coming in via ActiveX. Firefox does not use the ActiveX technology, so its safe from all the spyware that gets in via ActiveX.
    Overall, it all boils down to the computer user's surfing habits, his security programs and how they're configured and what kind of sites are visited on the internet.
    Remember that computer security is ever-changing, be vigilant at every second to counter new threats that may emerge.

    Just my two cents.
  7. gottadoit

    gottadoit Security Expert

    Jul 12, 2004
    An ActiveX plugin is actually available for firefox, rather sensibly the author made it active only on a whitelist and that file needs to be edited using a text editor because there are no gui controls for it

    Probably the easiest vector into firefox would be for someone to write a must-have extension and somehow convince ppl to install it and then leave it sit dormant for a few months to get better penetration into the community

    I wonder how many firefox users actually pay a lot of attention to the code they are running on their computer that comes with the extensions...
  8. nadirah

    nadirah Registered Member

    Oct 14, 2003
    Yeah, I myself do know that spyware does get in through many forms and not just ActiveX.
    I'll just have to make my comments clearer the next time I say something about this.
  9. dog

    dog Guest

    Hi Spanner,

    Please do enlighten us. Could you please highlight some of the other vehicles/attack vectors malware uses to infiltrate a users system while the user is meerly browsing the web? Please also provide some statisical evidence of the different types of attack vectors you mention vs Active X ... and their frequency of occurance in regards to infection. (Just to be very clear we're not talking about bundled spyware included with some freeware apps & P2P programs ... we're talking about stealth installations, where No user interaction is required other than meerly browsing)


  10. dog

    dog Guest

    Well Spanner the article is discussing using browser exploits to install spyware, and nothing else - and it is somewhat of a comparative of IE, and Firefox, but it mostly focuses on Firefox, and it's possible future concern in regards to Spyware and possible Attack Vectors (You can't try and change the topic now). With that in mind, Nadirah's original comment is correct, active X is the most used/common vehicle for infecting users. You won't find any spyware on a machine only used to browse the net, with Firefox.
    Bundled spyware packaged with certain programs, and user controlled/initiated downloads, and the installation, execution of such aren't what we're discussing, neither are trojans, virus etc. as doing so would blur the line between the difference of the accepted definitions of "Spyware" and "Malware". BTW, to date there are no known exploits for Firefox, concerning javascript and the installation of spyware ... although there are some exploits, such as a continually redirect that can trap users on a certain site (a tactic commonly deployed by porn sites) ... but any browser that has javascript enabled can be made victim of this, and has nothing to do with spyware. With that said, the rest of your list is address by the previous comment to the last. In regards to the extension gotadoit mentioned ... you need to do a little homework on this.


    Ps. One of the main reasons IE is so dangerous is that it has the same system rights as the OS. And such it has the ability to do things no other browser or program can, which run less privileged.
    Last edited by a moderator: Feb 9, 2005
  11. "Spyware for firefox"

    I have no doubt such software can and does exist, and while firefox doesn't use IE technologies like BHOs and ActiveX, they can easily be implemented as a XPI installation for spyware . So you can happily install adware if you want.

    However from the debate going on between Dog and Spanner, I guess the question of greater concern is whether spyware/adware can be installed on your computer with little or no user interaction. The cannonial example, would be surfing to a webpage and the malware is downaloaded and installed silently without any warning.

    Can such a thing happen to firefox?

    One of the most common ways in which ActiveX can be dangerous is when a way is found to bypass all the restrictions on it. There are multiple ways this has being done for IE in the past, Cross site scripting attacks, local resource access vulnerbailities, buffer overflows (various) or even errors in activeX controls marked as "safe for scripting" have existed.

    Firefox allows XPI installs which are functionally the same as ActiveX controls. So the potential for abuse is there. Granted firefox has put a lot of thought into protecting users from such abuse (default whitelist allows sites to install extensions has only one official site for example) , I don't think it's impossible that such protection can be bypassed due to a bug.

    Already we see that firefox like most other browsers is vulnerable to a lot of spoofing , frame injection etc due to cross site scripting attacks. I'm not surprised at this, because such actions are generally not restricted because they are less dangerous (they don't write to your local machine system), so I don't expect firefox to be stronger against phishing than IE. In fact , the additonal of tab browsing which complicates matters, might make it worse.

    More importanly though so far there is only one critical case that allows remote executation of code (so far).

    This is no doubt due to the wise policy in firefox of not having a "safe zone" (the only exception is XPI white list) or mycomputer zone where anything goes, so unlike Internet explorer, if hackers want to lower the security level of firefox they have to come of with something clever (via some other avenue) rather than merely trying to work around a restriction.

    Hmm, if i read this the way I do, this is not correct. If you are running as administrator, firefox or IE will have exactly the same prvilages.

    The difference though is that firefox unlike IE is not designed in mind to be intergreted with the operating system (mycomputer zone anyone?). Firefox literally does not allow certain operations, protocols and there is a strict seperation between the browser and the Operating system.

    Still firefox has slipped up at least once, when they forgot to restrict functionality of the windows shell procotol. That was a serious exploit, the most serious one so far I have seen, that can literally do anything, if you click on the link. It was patched within a few days of course.

    The scary thing about IE is that a sizable proportion are exploits that are at this level or worse. Firefox for example consists currently of 60% spoofing attacks, while only 10% are security bypass exploits, 10% data mantipulation, 10% are crosssite scriptting attacks (cookie problem) and 10% are classed as security bypasses.

    While for IE, of the exploits listed fully 30% allow system access and 18% are security bypasses! And in IE, security bypasses means basically game over, this is of course reflected in the fact that IE has over 43% of exploits rated as extremely or highly, while for firefox 0% are of this level.

    That is one factor people should keep in mind when looking at Secunia. Look at the nature of the exploit rather than merely count the number.

    As for Java being a vector of infection, that's possible, but AFAIK the blame for these seen so far, lies with problems in SUN's sandboxing technology rather than with the browser that uses it.

    I think it would be reasonable to expect that spyware will exist for firefox, but most (all) would require user's (foolish) interaction. To hedge my bets I would expect major one major critical flaw each year that either involve working around the XPI whitelist or something else seperating (bufferoverflow attacks on the gecko engine or some overlooked windows shell protocol not restricted)

    I don't expect it to be as insecure as IE though, simply because there are fewer avenues to attack.
  12. dog

    dog Guest

    Excellent post Cluelessnobbie ... Intelligent, accurate, and technical, very well done. ;) Thank You. :)

    In regards to my quote within your post, yes, it certainly could've been worded better, but you have expressed well what the intent of the statement was, in your second paragraph following the quote.

    Thanks, ;)

  13. lynchknot

    lynchknot Registered Member

    Jun 26, 2004
    SW WA
    Disable Java in Firefox, I do. That is the only other vehicle (drive-by, no user input) for distribution that I heard about (and experienced, but wasn't spyware...worse!)

    **edit - ok I went back and read parts of Cluelessnobbie post. I don't read long posts generally. Anyway, I was hit with the Java exploit while using 5.0 beta. It killed ALL my security apps, including process guard, on restart.
    Last edited: Feb 9, 2005
  14. kareldjag

    kareldjag Registered Member

    Nov 13, 2004

    Generally, no technical an neutraly speaking:

    ***In security's computing, it's better to have no certitude.

    Which is quite secure today could be insecure tomorrow, and which is imposible and unbelievable today could radically change tomorrow.

    Vulnerabilities and exploits are discoverd each day.
    And there's no untouchable browser, OS, System, Code or Software.

    ***Each piece of code could be used in malicious ways or intentions.

    Therefore, each part of Mozilla/Firefox's components could be utilized for an exploit and consequently for or by a Malware.

    Great code also requires total assertions of all incoming data, and i'm not sure there's many to do that.

    In many cases, developers and programmers don't "close totaly their work" because they don't want to spend their time by recompiling it for a new use (patch, new version...).
    It's a question of flexibility.But this flexibility could really became a weakness.

    In the past, the german version of Firefox has been accused to contain an adware:

    Open source products are sometimes great, but "open source" has sometimes more weaknesses than proprietor's projects.

    ***Is Firefox more secure than IE?

    First of all, just some statistics:



    IE is the browser of the majority of internet users.
    That's why IE is more attacked than the others browsers like Firefox or Opera.

    Witout ActiveX the geko's engine is surely a little bit more secure.
    But it does not mean that Mozilla/Firefox are under shelter of spyware, critical hole or security issue.

    As i sometimes say:the best hacking methods are a mix of well-known techniques and personal research.


    ***In any case Gentlemen, i hope that we work together for a better security, and not in order to prove which one is in the right or not.
    It's the most important.

    Thanks for this thread more interesting than AV/AT/Firawall.1 VS AV/AT/Firewall.2 :D ;)

    Best Regards
  15. gottadoit

    gottadoit Security Expert

    Jul 12, 2004
    One other thing to keep in mind is that using Bluetack's Blocklist Manager (or something similar) can be quite a useful security addition (if you happen to be running windows)

    Obviously it isn't an up to the minute solution because the IP blocklists are bound to be at least a little out of date at source and this particular program will only pick up new ones once a day

    I find it quite useful to use a handful of the blocklists to augment my ad and trojan blocking... and it is an extra layer (of sorts) or at least an extra method in the never-ending quest for protection

    FWIW for sightly safer surfing I use the blocklist lists :
    • Ad Trackers
    • Bogon Ranges
    • DShield Recommended Blocklist
    • Hijacked IP Blocks
    • Master Exclusions
    • Spyware List
    • Trojan List
    All of these are served from which is where you can get the blocklist application from
    The application can convert the lists into quite a number of formats to import into firewall configuration

    It works nicely with firefox ad blocking, when I see my firewall app showing blocked packets I have a look on the webpage and see what was being blocked and then filter that site or an appropriate url pattern from being loaded in future...
Thread Status:
Not open for further replies.