Spyware for Firefox Coming This Year? 630
EvilCowzGoMoo writes "One of the main reasons for the Firefox browser's successful seizure of market share from Microsoft's Internet Explorer is the desire to escape the inundation of PC-slowing spyware. However, spyware experts indicate that with its increased popularity, Firefox itself will become a target for spyware creators." From the article: "Basically, if you use Firefox today, you're not susceptible to any spyware, other than what you download when you're on Kazaa...The spyware writers target mostly Explorer users because that's the most fertile feeding ground for piranha-like (spyware) attacks. They'll watch as Firefox becomes mainstream, they'll see opportunity there and start targeting them."
Malicious XPI's exist already (Score:5, Interesting)
How? (Score:1, Interesting)
On IE there is the mess that is called ActiveX. Are we talking up XUL? Or perhaps malicious plug-ins?
Signed java applets (Score:1, Interesting)
The user only needs to press 'OK'(which they usually do) and the applet gets full system access(because of the signing).
Doesn't look very safe to me.
I know you can configure this, but normal users doesn't do that
Spy vs Spy (Score:4, Interesting)
Re:Open Source Disadvantage (Score:3, Interesting)
At least I have a better chance of less exploits created because there are so many eyes on the code.
I've heard that openBSD developers have founded and fixed other security bugs while working to fix exploits, so I still don't see an inherent disadvantage to using FireFox vs. Explorer.
YES. (Score:1, Interesting)
Spywares will exploit this
The security of Firefox is an illusion. Security through obscurity is not a viable plan for security permanence - if your product is good enough and marketed aggressively enough (and I do count word-of-mouth marketing in this), it will spread and be targeted. It is that simple. It's not until you have the full force of virus/spyware writers coming against you that you know whether all your previous big-talking statements about your security will stand up for crap. My belief? Firefox is going to find itself besieged and it will be a huge test for the OSS community, to see if they can really handle these problems as well as they always say they can.
FUD. (Score:3, Interesting)
Installing spyware on Firefox would be much more about social engineering (if you want to see this website, follow these instructions: download, choose "save as...". Then double click on it, yadda yadda..."
Of course, with people falling for phishing attacks, it wouldn't surprise me they'd be so stupid to do this. In that case, Firefox should issue a warning about "evil XPI files". At least that way when some moron says "bwaaa they told me firefox was spyware-free", we can ask: "Did you follow the evil website's instructions when they told you to install this XPI?"
Then all we have to do is repeat the worldy-famous Nelson quote.
Re:But is firefox as vulnerable? (Score:2, Interesting)
Real security is something which can be accomplished.
*BSD is secure because it was designed to be secure, not simply because it's less common than other solutions. Likewise, if Internet Explorer 6.0 only represented about 15% of the market, it would still be hacked with shocking regularity, because Microsoft's security is a joke.
I'm not saying that all this means Firefox is as secure as some of the other technolgies I just mentioned. I'm no expert on the codebase for Firefox. It might be downright vulnerable. I will say, however, that it's hard to imagine it being worse than IE.
Re:Duh. (Score:2, Interesting)
To be fair to Windows, I've found that FF 1.0 installs extensions into the users' profile folder, even when I'm in as Administrator.
Re:IE and Firefox have different problems (Score:3, Interesting)
Re:duh (Score:3, Interesting)
Yes, we will see more Firefox/Linux/Mac viruses/exploits in the future.
However, the 'barriers to entry' will be higher, because these systems simply are MORE secure.
Evidence? Server marketshare. Linux has comparable marketshare to Windows, yet Linux is compromised less often.
Not never. Linux IS indeed compromised, and at statistically significant levels.
But given the comparable marketshare, linux is compromised quite a bit less.
I suspect the desktop landscape will become similar. Linux/Mac marketshare will approach windows. Linux/Mac viruses/exploits will become more popular.
But they will never reach the levels of Windows exploits in their heyday.
Re:Why more than just two browsers is a good thing (Score:3, Interesting)
Let's let them continue to forget, so that I can browse the web in peace, huh?
If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to create viruses, or take over computers for monetary purposes.
This is very true, that our security is well served by heterogeneity. And not just in browsers, but in platforms. I'd bet we'll find that some of the attempts to infect Firefox are targeted specifically at Windows exploits, and even don't work on Linux/OSX. Maybe they'll come up with an extension/toolbar that reports searches and browsing habits back to some marketing team, but that in itself doesn't bother me so much.
The shear fact of spyware, that some software reports some kind of information back to someone, that's one issue, but at least users can choose that for themselves. It's the self-installing programs, impossible to remove, inflicting damage on your system as you force-remove them, installing other spyware as it goes, reinstalling itself as it's removed, etc.-- those facets of spyware are what trouble me. And I doubt it will be terrifically easy to create platform-agnostic spyware that exhibits those properties, even if you have a common browser.
Given the response time of Mozilla's development.. (Score:2, Interesting)
So while the author may be right that malware and spyware authors may target Firefox as it gains popularity -- Mozilla and its hordes of programming legions (the open source community) will work together to close the holes that open and see they can't be opened in different ways. In IE, if you closed one hole, you opened another, very similar one. Not that IE is bad, but it was really just abandoned and now that Firefox has the head start -- it's going to stay ahead for the foreseeable future. We will see what Longhorn brings to the table, with the next iteration of IE though.
Either way, I am the type of person that's convinced we will see the end of SPAM in the foreseeable future... I don't see why continual development can stop spam entirely.
Re:Malicious XPI's exist already (Score:3, Interesting)
So, erm, there. XPI doesn't mean you cannot put shit in there, the same way that
A zip file can contain any shit you want.
If they are awarding prizes for gratuitous uses of explitives on
One thing that's often overlooked (Score:2, Interesting)
Re:A Grand Day For Firefox (Score:4, Interesting)
The hoped-for result would be that people would be discouraged from switching because they believed it didn't matter. They'd think I was going to get them one way or the other, so they might as well stick with what they're used to. The hoped-for result would be that people stay on IE and keep my job easier.
I'm not saying that this is what's happening, but I wouldn't be surprised if it were to happen.
Re:Malicious XPI's exist already (Score:3, Interesting)
Re:Malicious XPI's exist already (Score:3, Interesting)
Personally, I know if I'm making a program, even if I didn't intend on having as many options, they end up being put in anyway because its not much hassle to do so, and its much more beneficial when it comes to using the program. Like someone has said, if you don't want all the features there are, use linx.
Re:YES. (Score:0, Interesting)
Uh, the "new, superior" experience you speak of is the yellow bar at the top. The yellow bar was stolen verbatim from the SP2 IE. The look, the sound, the behavior. It was 100% lifted from IE. So get your facts straight... oh wait, this is Slashdot... I must be new here.
Re:It's a different problem (Score:2, Interesting)
Chances are any spyware for FF will launch popups and whatnot when you run FF.. Whereas IE spyware can launch popups even if IE isn't running (cause it actually is always running)
Worst that can happen is you delete firefox and reinstall it. All better
With IE, worst that can happen is you format and reinstall windows.
Yay FF! =P
Re:Malicious XPI's exist already (Score:3, Interesting)
The people that get infected by crap this way when they use IE are not going to be any safer when they switch to Firefox because it is just as vulnerable to this type of "exploit". User education is the key to reducing the problem. Install Firefox and telling the user to "use this instead of that blue E" does nothing in the long run.
Security Alert: Whitelist bug in firefox (Score:2, Interesting)
IDN Allows Bypass of Mozilla's "Allowed Sites" List
Background:
DN[International Domain Name] support in Mozilla allows bypass of 'Allow Sites'. Problem is caused in the way Mozilla handles IDN when used to handle checking of the list of allowed sites.
Example:
<a href='http://update.xn--mozill-8nf.org/ malicious.xpi'>Friendly Extension Name</a >Update.mozilla.org will be checked against the whitelist instead of update.xn--mozill-8nf.org.
Threat:
Exploit could be used to trick users into installing malicious extensions.
Solution:
Don't trust 'Software Install Prompts' Use a different browser
Author: Todd Lehr
Re:Malicious XPI's exist already (Score:1, Interesting)
Until they become executable entities, I'm not worried about that.
But will it be possible to "inject" XPIs into an otherwise benign HTML page stream and have Moz run it w/o user initiating it? Hmm... hopefully some UI genius does not promote that.
If users have to click on something, then let it be. The automatic, invisible install that ActiveX controls, BHOs, etc., do on IE is just a bad thing.
Re:Malicious XPI's exist already (Score:3, Interesting)
There sure is. I just posted to freebsd-chat:
Date: Tue, 8 Feb 2005 18:15:32 +0000
Subject: Spyware on FreeBSD!?
Cc: FreeBSD chat
Bad news, looks like my machine has been infected with some Spyware.
I noticed that on surfing to: http://news.bbc.co.uk/ or anything under that domain, I was getting some outgoing activity and Firefox was after a URL (as shown by the status bar) somewhere under the domain:
http://bbcnewscouk.112.2o7.net/
A quick Google on 2o7.net confirmed my worst fears: spyware!
and a 2o7.net cookie planted on my machine.
I cached some pages in my proxy :
Looks like some sort of perl script which returns a 2x2 gif, whilst harvesting your browsing habits (and screen & windowsize - by calling Javascript functions in Firefox?)
I wonder if they use different sub-domains to collect stats on different sites. This particular variant seems to be only activated by a visit to BBC news.
I had a grovel in the source of the BBC news homepage but found no reference to 2o7.net (For a minute I thought the BBC had turned evil on me!)
I'm going to do a little bit more investigation on it - I tried removal by obliterating my Firefox profile but no joy. The only thing I saved was my bookmarks file, which looks sound.
Spyware on a unix machine? Tell me it's not so! :(
BTW:
FreeBSD 4.11-PRERELEASEfirefox-1.0.r1,1
I know the latter has some vulnerabilities and I'll update it in due course (and the OS).
I think I'm going to build Links/Lynx with SSL and use that for my banking from now on (if I can).
Anybody aware of other reports of spyware infecting Unix machines?
Anyway, I'm gutted. I feel like I've been violated and humiliated. In short, I feel like a Windows user does everyday!!
The truth: I feel a bit pissed off but I urge people to take no action against 2o7.net like DOS or cracking their webserver and trashing it.....I'll do that myself ;)
Further information: it uses Javascript and I'm guessing it came with an XPI I installed. I'll try and determine which one and post back to freebsd-chat. To disable: turn off Javascript & firewall off 207.net both outgoing and incoming.
I'll also post back here when this story gets duped in a few days time ;)
Re:Malicious XPI's exist already (Score:3, Interesting)