
Spyware for Firefox Coming This Year?

Posted by Zonk
from the deeply-unsettling dept.
EvilCowzGoMoo writes "One of the main reasons for the Firefox browser's successful seizure of market share from Microsoft's Internet Explorer is the desire to escape the inundation of PC-slowing spyware. However, spyware experts indicate that with its increased popularity, Firefox itself will become a target for spyware creators." From the article: "Basically, if you use Firefox today, you're not susceptible to any spyware, other than what you download when you're on Kazaa...The spyware writers target mostly Explorer users because that's the most fertile feeding ground for piranha-like (spyware) attacks. They'll watch as Firefox becomes mainstream, they'll see opportunity there and start targeting them."
This discussion has been archived. No new comments can be posted.

  • by flyingace (162593) * on Tuesday February 08, 2005 @12:21PM (#11606925) Journal
    Spyware already exists for firefox in XPI form. Please look out for malicious XPIs. More information on this can be found here: http://forums.mozillazine.org/viewtopic.php?t=64341
    • by Acts of Attrition (635948) on Tuesday February 08, 2005 @12:29PM (#11607021)
      In the immortal words of G.W.
      "Bring it on"

      How's Firefox supposed to get even more resistant to exploits if hackers aren't sitting there trying to exploit the heck out of it?
      Trial by fire. There's a reason it started out as Phoenix.

    • by hackstraw (262471) * on Tuesday February 08, 2005 @12:51PM (#11607298)
      I hate to be an "I told you so", but I could have predicted that XPI would be the first line of attack for people when I first heard of it.

      Why can't a browser simply be a browser anymore?

      All it needs to do is render html, optionally show pictures, and supply widgets for forms.

      That is it.
      • by Frymaster (171343) on Tuesday February 08, 2005 @01:02PM (#11607439) Homepage Journal
        Why can't a browser simply be a browser anymore?
        All it needs to do is render html, optionally show pictures, and supply widgets for forms.

        well... there is lynx (and links, and dillo). the problem there is that, while you may not get hacked, people will think you're hacking them! [slashdot.org]

      • Dillo is for you.
        http://www.dillo.org/ [dillo.org]

        It has all the features you need.
        I need other features, and I use Firefox + extensions.
      • Nothing does the bare minimum anymore, just look at mobile phones, you'll have a hard time finding a phone that doesn't have games, camera, internet, calculator and all the other junk that gets packed with them. And why would people make just the bare minimum? They'll never get market share if there are people offering so much more for a tiny percentage increase in the cost (or in the browser case, nothing extra at all).
        Personally, I know if I'm making a program, even if I didn't intend on having as many op
      • by Mant (578427) on Tuesday February 08, 2005 @01:58PM (#11608286) Homepage

        I find it's the cumulative effects of lots of XPI extensions that really make browsing with FireFox enjoyable.

        I use adblock, the Sage RSS reader, Spellbound spell checker, GMail notifier and FoxyTunes.

        If all it did was what you suggest, may as well go back to Mosaic. I really enjoy the customisations I can do to get the browser I want.

        I also develop web sites for a living. The reason we have ActiveX, Java, Flash, Javascript, DHTML is because it needs to do more than render HTML.

        The fact is that for some things successful and useful websites use this stuff, and need to use this stuff to give a good user experience. They are, of course, also horribly abused no doubt about it. Trade off for a more useful web. If you don't think it's worth it, you can run FireFox without any plugins, or a text only browser.

        I'll be off enjoying the web, and being careful what I install.

    • This cannot be installed without the user's knowledge, so technically, it is not any more dangerous than 'you are saving the file untra l3tt p0rno download + last episode 0f ent3rpr1se.exe'.

      So, erm, there. XPI doesn't mean you cannot put shit in there, the same way that .exe doesn't mean you cannot put shit in there.

      A zip file can contain any shit you want.

      If they are awarding prizes for gratuitous uses of expletives on /., please nominate me, today is a shit day.
      • Firefox extensions don't have to be installed via the browser. I could download something off of a P2P that, when I ran it, would find my Firefox profile folder, install the malware files, and modify my configuration files directly to turn it on. The user would never know, especially if it gave itself an innocent looking name in the Extensions list.

        • by uradu (10768) on Tuesday February 08, 2005 @01:53PM (#11608205)
          And how is that a Firefox problem? You can download and execute any old crap, and whose fault is it other than your own? The point is whether the browser allows sites to push executable content to your machine without your knowledge.
          • My point is that all of Firefox's attempts to block XPI installations by default aren't going to help as much as people want to think they will. A big chunk of spyware people get is crap that's piggybacked with other software. Firefox, as it stands now, can do absolutely nothing about this.

            The people that get infected by crap this way when they use IE are not going to be any safer when they switch to Firefox because it is just as vulnerable to this type of "exploit". User education is the key to reducing t
    • Too bad an XPI can't be installed without direct user intervention, eh? Kinda defeats the purpose of spyware. Of course, that doesn't guard against social engineering, but it significantly reduces the problem...
    • There sure is. I just posted to freebsd-chat:

      Date: Tue, 8 Feb 2005 18:15:32 +0000
      Subject: Spyware on FreeBSD!?
      Cc: FreeBSD chat

      Bad news, looks like my machine has been infected with some Spyware.

      I noticed that on surfing to: http://news.bbc.co.uk/ or anything under that domain, I was getting some outgoing activity and Firefox was after a URL (as shown by the status bar) somewhere under the domain:

      http://bbcnewscouk.112.2o7.net/

      A quick Google on 2o7.net confirmed my worst fears: spyware!

  • by Anonymous Coward on Tuesday February 08, 2005 @12:21PM (#11606927)
    IE's spyware problems were largely due to exploits. Someone not up to date with patches could visit a website and have something remotely installed pretty easily.

    For Firefox, though, it'll take social engineering. The place to look for the spyware threats is in the brand new extension you WANT to install. Most Firefox users have at least one extension, and many have a dozen. How do you know what each of those is doing behind your back? Most people don't bother to scan the code, and while some may do so and report problems publicly, will you find out about them? A firewall won't even help you in this situation since you've probably given Firefox free access to port 80 (plus 443, etc).

    Mozilla should probably create some sort of permission system for extensions. Can it connect to a remote server? Can it write to disk?
    • by maskedbishounen (772174) on Tuesday February 08, 2005 @12:30PM (#11607037)
      This is why Mozilla Update [mozilla.org] exists. A safe haven for users to find extensions that won't screw them over.

      Supposedly.

      If nothing else, at least it has a rating and feedback system, so you'll have a heads up from others.
      • by altstadt (125250) on Tuesday February 08, 2005 @12:46PM (#11607235)

        The loophole here is that people will only see those reviews once, just before they install the extension. A year goes by and everybody hits the software update button which just goes ahead and installs the new stuff. Instant malware.

        I'm not saying this will happen, but it could. Hopefully the developers figure out a defence for this before it does, such as popping up tabs with the latest reviews of the extensions Firefox wants to upgrade.

    • by j-turkey (187775) on Tuesday February 08, 2005 @12:32PM (#11607076) Homepage
      IE's spyware problems were largely due to exploits. Someone not up to date with patches could visit a website and have something remotely installed pretty easily.

      For you and I, I'd say that exploits are the issue...but in my experience, most average users don't get a malware infestation via browser exploits (mainly because when you and I see the words Gator or Newnet, we say hell no). They simply click "yes" when asked if they'd like to install a piece of software. I don't know if the mentality is "yeah I want more functionality" or "yeah yeah, just show me the damn webpage!". One way or the other (anecdotally), most of the users whom I deal with tend to install the malware themselves. FWIW, these users tend to be on the low end of the learning curve.

      It would be interesting to see a permission based system for this...maybe even registering approved plugins with a crypto signature/hash.
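
The "approved plugins registered by hash" idea from the comment above, as an added example that is not part of the original thread or of any Mozilla code: a package (an XPI is a zip archive) is installable only if its SHA-256 digest is in a registry of reviewed builds, and its members are listed for review. The registry format, the file names and the `vet_package` helper are assumptions made for illustration; signature verification is not shown.

```python
import hashlib
import io
import zipfile

# Suffixes of native code a reviewer would want to look at first (heuristic).
NATIVE_SUFFIXES = (".exe", ".dll", ".so", ".dylib")


def make_package(files):
    """Build a zip archive in memory from {member name: bytes} (constructed input)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buffer.getvalue()


def vet_package(package, approved):
    """Check a package against a registry of approved SHA-256 digests.

    approved maps digest -> extension name (hypothetical registry format).
    Returns the install decision plus the members a reviewer should inspect.
    """
    digest = hashlib.sha256(package).hexdigest()
    report = {
        "sha256": digest,
        "approved_as": approved.get(digest),
        "readable": True,
        "native_files": [],
        "unsafe_paths": [],
    }
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        # Not an archive at all: nothing to list, and it cannot be approved.
        report["readable"] = False
        names = []
    for name in names:
        if name.lower().endswith(NATIVE_SUFFIXES):
            report["native_files"].append(name)
        parts = name.replace("\\", "/").split("/")
        if name.startswith(("/", "\\")) or ".." in parts:
            # Member would be written outside the extension's own directory.
            report["unsafe_paths"].append(name)
    # Only an exact digest match installs; any repackaging changes the digest.
    report["install"] = report["approved_as"] is not None
    return report


def demo():
    """Vet a reviewed build, a repackaged copy and a non-archive (all constructed)."""
    reviewed = make_package({
        "install.manifest": b"name=tab-tools\n",
        "content/tabs.js": b"// reviewed code\n",
    })
    approved = {hashlib.sha256(reviewed).hexdigest(): "tab-tools 1.0"}
    repackaged = make_package({
        "install.manifest": b"name=tab-tools\n",
        "content/tabs.js": b"// reviewed code\n",
        "components/helper.dll": b"placeholder bytes",
        "../startup/run.js": b"// placeholder\n",
    })
    return [vet_package(p, approved) for p in (reviewed, repackaged, b"not a zip")]


if __name__ == "__main__":
    for result in demo():
        print(result["install"], result["approved_as"],
              result["native_files"], result["unsafe_paths"])
```

A digest registry only says "this is the exact build that was reviewed"; it says nothing about whether the review was any good, which is the point the replies go on to make about signed ActiveX.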

      • It would be interesting to see a permission based system for this...maybe even registering approved plugins with a crypto signature/hash.

        You mean like the way Microsoft handles signed vs. unsigned ActiveX? ;-)
      • For you and I, I'd say that exploits are the issue...but in my experience, most average users don't get a malware infestation via browser exploits (mainly because when you and I see the words Gator or Newnet, we say hell no). They simply click "yes" when asked if they'd like to install a piece of software. I don't know if the mentality is "yeah I want more functionality" or "yeah yeah, just show me the damn webpage!".

        There is a bug in the original IE authenticode interface (fixed in XP SP2) that allows a

      • They click "Yes" because they simply are doing whatever they think will get them to the next screen. It is no different for the 30+ data entry people that I work with. All they are doing is completing as much as needed, as fast as they can, to get to the next screen
      • by iabervon (1971) on Tuesday February 08, 2005 @01:28PM (#11607846) Homepage Journal
        One significant difference is that Firefox (1.0) uses a non-modal section for this sort of thing, so the user is much more likely to completely ignore it. Additionally, the section appears in the same area that the browser offers to let you see pop-ups, so users will quickly be trained to ignore that section as being for getting ads. It won't stop users from getting spyware, but the users will actually have to pay attention to figure out how to get it, rather than being bombarded with offers for it and having to refuse them intentionally.
    • by EvilGrin666 (457869) on Tuesday February 08, 2005 @12:39PM (#11607145) Homepage
      Mozilla should probably create some sort of permission system for extensions. Can it connect to a remote server? Can it write to disk?

      Isn't that just reinventing Java?
    • Yea, like that plugin that supposedly extracted all the graphics from a web site, saved them to disk, and tried to "guess" what other images MIGHT be there based on the file name patterns.

      Seemed like a great idea, right?

      That's when I found out it was infected with that nasty "Piss off your wife" virus. The one where you're denied "marital benefits" for a while when she finds out what happened to all that hard drive space.
  • NO way!! (Score:2, Funny)

    by Anonymous Coward
    because I use linux.
  • Duh. (Score:2, Insightful)

    by Anonymous Coward
    How is this news? If Linux was the #1 desktop operating system in the world, spyware authors would be targeting it, too.
    • Re:Duh. (Score:2, Informative)

      by numbski (515011) *
      FUD.

      FreeBSD, Linux, and MacOS X would still be a less vulnerable target. Worst case scenario, delete ~/.mozilla/firefox (~/Library/Application Data/Firefox), start over.

      The reason Windows is such a mess is that there's no 'easy' way to clean up the mess. You could wipe out the user's entire home directory on Windows and still be screwed. On a *nix based system, wiping out the home directory would usually fix you right up.
      • Re:Duh. (Score:3, Insightful)

        by owlclownish (553387)
        Oh, yes. Let's remove a spyware infection by "wiping out the home directory" because that "would usually fix you right up." Excellent solution. It's like using a flamethrower to get at that pesky mosquito. No, the proper solution is anti-virus style threat control systems for Web browsers. Systems that scan incoming traffic and look for malicious code, then say something like "I've detected what looks like malicious code. Please think carefully, and go forward only if you trust the site sending you th
      • Re:Duh. (Score:3, Insightful)

        by bonch (38532)
        First thing--I disagree with the tactic of calling anything one disagrees with "FUD." If there was ever an overused term around here, that one would be it.

        Second, Linux would most definitely have exploits galore. We've already seen outright kernel exploits and holes in the 2.6 series of kernels. I don't know about you, but I don't even remember there being a Windows security flaw that used the kernel. Go to LinuxSecurity [linuxsecurity.com] and witness the stream of security advisories that are announced for each Linux di
      • Re:Duh. (Score:3, Insightful)

        by n0-0p (325773)
        Well, I had mod points to use, but I thought your comment merits an explanation rather than modding you down, so here goes. In Windows (2K, XP), if you are running as a normal (non-admin) user, then deleting the user's profile should always remove any spyware infection. In fact, due to the way most spyware is written it will not even be able to infect your system if you are not running as an admin. I suppose there could be exceptions that take advantage of escalation exploits, but I have yet to see one.
  • ...and.... (Score:5, Insightful)

    by numbski (515011) * <numbski@hksil[ ].net ['ver' in gap]> on Tuesday February 08, 2005 @12:22PM (#11606937) Homepage Journal
    Since xpi's are blocked by default, they're going to get there how? By a javascript dialogue that says "You must allow this installation to continue."?

    Hmm. That's probably exactly how it'll happen. :(
    • Re:...and.... (Score:5, Informative)

      by arkanes (521690) <arkanes@g[ ]l.com ['mai' in gap]> on Tuesday February 08, 2005 @12:27PM (#11606989) Homepage
      Current versions of firefox don't allow this, unlike the (annoyingly easy to mis-click) ActiveX install dialog in IE. There's a whitelist for sites permitted to install extensions, which (by default) is limited to the official Mozilla update site. Sites not in the whitelist won't even get a dialog, instead a yellow bar at the top of the screen appears, with a button you can use to access the whitelist and add the site. A site on the whitelist gets the standard dialog, which has a time-delay OK button to help prevent mis-clicks. There's no absolute way to prevent people from installing malicious extensions, but (assuming there's no bugs in, say, the whitelist implementation) Firefox's current model is about as good as you could get.

      Note that older versions of Firefox (and Mozilla) don't have the whitelist, and even older ones don't even have the dialog and are in fact vulnerable.

    • Re:...and.... (Score:2, Insightful)

      by slungsolow (722380)
      The article does state that adware would be "invited in". This doesn't really surprise me. There will be some users who will think that they are protected by default and won't be afraid to click "yes" (or in some cases click "no" or hell, just click on the ad itself).

      Security is only as good as the person keeping watch. Sure, having all the bells and whistles is grand, but in the end human interaction (or lack thereof) can bring the biggest ship down.
    • Yep. The majority of computer users are dangerously oblivious to the possible consequences of installing something. Remember that many viruses in the Klez family require an absurdly long chain of user actions...
      1. receive infected email on an unprotected PC
      2. believe its contents
      3. download the attached zip file
      4. extract the zip (sometimes even password protected)
      5. run the resulting executable

      ...and these buggers infected hundreds of thousands of PCs.

      So yes, if a web site promises all sorts of cool stuff if o

      • Re:...and.... (Score:3, Insightful)

        by gbjbaanb (229885)
        It won't be Firefox's fault, but it will be the FF community's fault.

        Read some of the other posts on this thread, they're all going on about how FF can't be affected because it was 'designed from the ground up to be more secure', and 'there is inbuilt protection from viruses', and 'the developers would release a patch way quicker than microsoft'.

        The advert telling people to get FF claimed it was more secure. So when people (deliberately) install their IM smiley-banner-weather-forecast-search-toolbar extensi
  • I doubt it ... (Score:5, Insightful)

    by NitroWolf (72977) on Tuesday February 08, 2005 @12:23PM (#11606947)
    While the spyware makers may initially try to target Firefox... the fact is, Firefox is written to prevent just these sort of things. Is it possible there will be bugs that allow unauthorized code to run? Yeah... but they will be patched, and patche quickly.

    Overall, no matter how you slice it, Firefox is more secure and is designed from the ground up to prevent the "fertile feeding ground" that IE offers Spyware writers.

    So no, you aren't going to see the same rampant irresponsibility that you see with IE, and the threat is a tempest in a teapot.

    Of course, nothing is going to protect your computer from your own stupidity when opening executables, etc... that's all on the user whether or not they authorize code to run or not.

    • While the spyware makers may initially try to target Firefox... the fact is, Firefox is written to prevent just these sort of things. Is it possible there will be bugs that allow unauthorized code to run? Yeah... but they will be patched, and patche (sic) quickly.

      How quickly would a Firefox security hole be patched compared to a similar hole in IE? Not trying to troll, just genuinely curious if someone in the know could give an insight into the patching/debugging procedures for IE and FF, and compare the

    • Re:I doubt it ... (Score:3, Insightful)

      by bano (410)
      While the spyware makers may initially try to target Firefox... the fact is, Firefox is written to prevent just these sort of things. Is it possible there will be bugs that allow unauthorized code to run? Yeah... but they will be patched, and patche quickly.


      But getting users to actually run the patch is a problem, whether it be IE, Windows, Firefox, Fedora, or Solaris.
      The problem is most users don't patch unless they have a specific problem that warrants a patch. I think that more things need to nag when
  • by Anonymous Coward on Tuesday February 08, 2005 @12:23PM (#11606949)
    Security is a process, not a product. There is no magical one product or suite of products that will protect you while online. Security is risk mitigation, plain and simple. Far less people would be vulnerable to the tricks of the miscreants out there trying to do people harm if they would just employ a little common sense. But, alas, common sense isn't that common.
  • Oh boy I can't wait. :) But I don't think FireFox is going to have anywhere near the problems of spyware that IE has. But I think the bigger threat is phishing attacks. I have already received e-mails from spammers trying to give my information to PayPal. And this was only announced yesterday. What is this world coming to? Can't anybody make an honest dollar anymore?
  • by Shayde (189538) on Tuesday February 08, 2005 @12:25PM (#11606963) Homepage

    The issue isn't really how many people are using it. That certainly does figure into it, but the very basic design philosophy of IE allows spyware to propagate easily.

    Firefox has far better controls on what programs can be installed and can't be. Also, the very multi-platform nature of the code makes it harder to write an app that will work well.

    I'm not worried. On the IE side, the only people who can fix the code are microsoft drones, and they won't do it. On the firefox side, the people who fix the code are the people who use it, namely us.

    Planet-Geek [planet-geek.com]
  • by gatesh8r (182908) on Tuesday February 08, 2005 @12:25PM (#11606968)
    "The only reason why X has $BAD_THING is because the system is popular. I'm 100% certain when Y has such popularity it too will have such problems." -- while ignoring any design differences that make Y less susceptible to $BAD_THING. Firefox is better designed from the ground up. Not saying that it's bullet-proof (it's not...), just less susceptible and less desirable to target. Would you rather target a locked door with an alarm system, or a door that's wide open and no security measures taken?
  • Ever saw one of those nice signed applets from toolbarz.foo.com which requested UtterAndCompleteControlOverComputerPermission when browsing with firefox?

    Have you noticed how easy it is to click 'ok' without even reading the dialog box?

    The JRE plugin should include a time-delayed OK button, just as firefox does when installing plugins.
  • Spy vs Spy (Score:4, Interesting)

    by Doc Ruby (173196) on Tuesday February 08, 2005 @12:26PM (#11606985) Homepage Journal
    How about a program that takes the cryptohash of the virgin final installed code, and checks against that hash periodically (every 5 minutes, every new website, every app launch)? When spyware strikes, it changes the app fingerprint, and this sentinel could keep a log of recent traffic for analysis, and offer to reinstall. Our desktop immune system should take advantage of our "known good" info to detect these cancers when they start, and track them to their source.
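
The "known good" fingerprint check suggested above, as an added example that is not part of the original thread: it records SHA-256 digests for an install and profile tree, then reports what was added, removed or modified. It also catches the case raised earlier in the thread where files are dropped into the profile folder without going through the browser. The directory layout, file names and ignore list are constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, ignore_prefixes=()):
    """Map every regular file under root (relative path) to its digest.

    ignore_prefixes lists relative paths that change during normal use
    (caches, history) and would otherwise bury real findings in noise.
    """
    digests = {}
    for directory, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(directory, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(tuple(ignore_prefixes)) or os.path.islink(full):
                continue
            digests[rel] = hash_file(full)
    return digests


def compare(baseline, current):
    """Report files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(
            path for path in baseline.keys() & current.keys()
            if baseline[path] != current[path]
        ),
    }


def write(root, rel, data):
    """Create a file (and its parent directories) below root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Baseline a constructed install + profile tree, change it, re-check."""
    ignore = ("profile/cache/",)
    with tempfile.TemporaryDirectory() as root:
        write(root, "app/browser.bin", b"known good build")
        write(root, "profile/prefs.cfg", b"homepage=about:blank\n")
        write(root, "profile/extensions/adblocker/main.js", b"// reviewed\n")
        write(root, "profile/cache/0001", b"cached page")
        baseline = snapshot(root, ignore)

        # Normal use: the cache churns and must not raise an alert.
        write(root, "profile/cache/0002", b"another cached page")
        # Changes made behind the browser's back: a new extension directory
        # and a rewritten preference file.
        write(root, "profile/extensions/weather-bar/main.js", b"// unreviewed\n")
        write(root, "profile/prefs.cfg", b"homepage=http://ads.example/\n")
        return compare(baseline, snapshot(root, ignore))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline has to live somewhere the monitored software cannot write (read-only media or another host); anything able to rewrite the files can otherwise rewrite the recorded digests too.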
  • by eno2001 (527078) on Tuesday February 08, 2005 @12:26PM (#11606986) Homepage Journal
    ...being a 100% full time user of Firefox, I was surprised to find a site in a random web search a week or two ago that actually got a pop-up window going, but also appeared to attempt to execute some code as Firefox popped open a dialog asking me what I wanted to do with the file that was being downloaded. Thankfully, I have it ask me what I want to do, but if I was a typical user, I would have already associated the *.DOT file with MS Word and god knows what would have happened. Keep in mind that I didn't actually click on any links that indicated a download, I only clicked on a Google search result which took me to a site that displayed a blank screen and then the pop-up. I have to wonder what would have happened if I had associated OpenOffice.org with the *.DOT file since I run Linux. Probably not much... but it definitely indicates that Firefox will be targeted. The real question is: will the Mozilla project be able to keep up any better than MS has with IE? I'm guessing that they will.
  • This month's browser stats:

    Firefox No 1231 50.4 %
    Mozilla No 953 39 %
    MS Internet Explorer No 237 9.7 %
    Safari No 10 0.4 %
    Opera No 7 0.2 %
    Unknown ? 2 0 %

    Starting to look like a tempting target, no?

    (FWIW the same month last year was 72% IE for roughly the same number of hits.)
  • The presumption in the article is that, from a security standpoint, the only thing separating IE from Firefox is popularity. Doesn't ActiveX, etc. etc. etc. represent a serious qualitative difference in security problems?
  • is in part a bunch of Hooey. They are attacked because they are vulnerable and buggy. There are several products that dominate their respective areas that don't happen to be MS products and they are extremely secure compared to their MS counterpart. Like Apache....

    "We are the subject of attacks because we're the biggest" is just so much horn blowing on the part of MS.
  • Firefox should implement defensive measures. For example, I use a standalone utility that lists all the current plug-ins for IE. I can disable anything I wish from it. Be nice if Firefox included a built-in list to allow managing of plug-ins.

    Maybe it even does, and I just haven't found it yet.

  • I'm not completely skeptical of this statement and will actually be interested in seeing how Firefox will hold up. After all, it's not perfect, flaws exist. But, I have to believe that the approach behind the development of the Mozilla/Gecko/etc has differed substantially from IE. After all, it's well known how tied to the os IE is and the fact that Moz/FF have (obviously for more than one reason) steered clear of this, I tend to think that user error/judgement will be a more likely cause of any kind of mal
  • "Expert"? (Score:5, Informative)

    by Kupek (75469) on Tuesday February 08, 2005 @12:30PM (#11607048)
    Their expert is the Vice President of Threat Research at Webroot [webroot.com]. That much is from the article. The article doesn't take the next logical step, however, and point out that Webroot is in the business of developing and selling software to prevent, detect and eliminate spyware. So it's certainly in this guy's interest for people to think that spyware is still a problem.

    Their other expert is also from a company that makes similar software. So people who make anti-spyware software agree: you need anti-spyware software.

    I'll be more concerned when independent parties think spyware in Firefox is an issue.
    • Re:"Expert"? (Score:3, Insightful)

      by Mr.Ned (79679)
      "Their expert is the Vice President of Threat Research at Webroot. That much is from the article. The article doesn't take the next logical step, however, and point out that Webroot is in the business of developing and selling software to prevent, detect and eliminate spyware. So it's certainly in this guy's interest for people to think that spyware is still a problem."

      At the same time, to be fair, his current position _is_ researching spyware - it is likely that he has a good understanding of it.

      What kin
      • Re:"Expert"? (Score:3, Informative)

        by Kupek (75469)
        Security experts in academia? I realize that some (a lot?) of them are more theoretical, but seems to be a good place to start. I know some research groups have been the ones to first report various security holes in software.

        The difficulty with people in a VP position is there's no way of knowing if they have a technical background; I was part of a small startup company where our VP of engineering was also a primary developer, but it's not necessarily the case. My gut reaction is he's just presenting i
  • If we posit that Firefox is a more difficult environment for malware, and I believe this to be true; then malware authors will continue to go after the low-hanging fruit of IE, even as its marketshare falls.

    Infecting 60% of the population with a small amount of work, is far easier than infecting 40% of the population with an enormous outlay of effort.

    Of course I'm living in a fantasy world, because I think that FF will reach 40% market penetration.

  • by hkmwbz (531650) on Tuesday February 08, 2005 @12:32PM (#11607077) Journal
    Sometimes it sounds like the new browser war is between Internet Explorer and Firefox, and only those. But people often forget that there are other browsers out there, such as Opera and Safari/Konqueror (when will we get a decent KHTML browser for Windows?).

    If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to create viruses, or take over computers for monetary purposes.

    What we need is several browsers that each have a significant part of the market. Not just IE and Firefox/Gecko based browsers, but also Opera and KHTML based browsers. Maybe there would be room for even more as well.

    It is good that an alternative browser is growing rapidly, but monoculture or duoculture makes life easier for virus makers. With four browsers, it would take four times the effort to get as much "bang for your buck" for virus authors looking to make money by infecting people.

    • Sometimes it sounds like the new browser war is between Internet Explorer and Firefox, and only those. But people often forget that there are other browsers out there, such as Opera and Safari/Konqueror (when will we get a decent KHTML browser for Windows?).

      Let's let them continue to forget, so that I can browse the web in peace, huh?

      If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to crea

  • by blueZhift (652272) on Tuesday February 08, 2005 @12:35PM (#11607110) Homepage Journal
    Heh, when spyware makers really do begin to actively target Firefox users en masse, maybe a toast is in order. Pop open the bubbly! Why? Because spyware and spam are playing a numbers game. Of all the spam sent out and machines infested with spyware, only about 1 percent of those are going to make any money for the exploiter. But because we're talking about total numbers in the tens of millions at least, that 1 percent is good money.

    So when Firefox becomes worth the effort, the folks in Redmond will really have to worry. In this game, nothing flags success like being the target of abuse! Tens of millions of Firefox users might just mean tens of millions of people considering something other than Windows. And that affects the bottom line for Microsoft. Hmmm, anyone heard of any OpenOffice exploits yet?

    • by nine-times (778537) <nine.times@gmail.com> on Tuesday February 08, 2005 @01:26PM (#11607806) Homepage
      Maybe spyware authors are just hoping to make the appearance that they're focussing on Firefox in order to prevent switching. If I were a spyware author, and I knew that people switching to Firefox would make my job harder, and I knew the reason people are switching was the understanding that "using Firefox makes you less likely to get infected with spyware," I know what I'd do: try to make noise that I'm working on Firefox spyware.

      The hoped-for result would be that people would be discouraged from switching because they believed it didn't matter. They'd think I was going to get them one way or the other, so they might as well stick with what they're used to. The hoped-for result would be that people stay on IE and keep my job easier.

      I'm not saying that this is what's happening, but I wouldn't be surprised if it were to happen.

  • FUD. (Score:3, Interesting)

    by Spy der Mann (805235) <spydermann DOT slashdot AT gmail DOT com> on Tuesday February 08, 2005 @12:37PM (#11607130) Homepage Journal
    IMHO that's a lot of FUD. Firefox is not nearly as vulnerable to spyware as IE is. Firefox by default has XPI installation disabled except by approved sites.

    Installing spyware on Firefox would be much more about social engineering (if you want to see this website, follow these instructions: download, choose "save as...". Then double click on it, yadda yadda...)

    Of course, with people falling for phishing attacks, it wouldn't surprise me they'd be so stupid to do this. In that case, Firefox should issue a warning about "evil XPI files". At least that way when some moron says "bwaaa they told me firefox was spyware-free", we can ask: "Did you follow the evil website's instructions when they told you to install this XPI?"

    Then all we have to do is repeat the world-famous Nelson quote.
  • by beef curtains (792692) on Tuesday February 08, 2005 @12:41PM (#11607170)
    Nevertheless, Stiennon also indicated the creators, maintainers, and even users of Firefox will quickly and aggressively step up their anti-spyware efforts along with the increased threat. "The people who use Firefox -- their reaction to any spyware-type attacks will be pretty vehement," he said. "There'll be fast reaction from both Firefox developers and users."

    I think this part sums up the beauty of Firefox, and the reason why I don't think this is any sort of cause for alarm:

    There is a whole community of brilliant frickin' people out there who have taken a personal interest in making sure Mozilla products are secure & as bug-free as possible. I don't think it would be an exaggeration to say that they might look at Firefox as "their baby."

    More importantly, some of these individuals are well-versed with the shadier aspects of software...so I predict Firefox security holes being patched as quickly as they're found.

    Not only that, but I don't see many Firefox users (especially not those that have used it since its early days) taking spyware/adware lightly...turning the other cheek or throwing hands up in frustration don't seem to be personality traits of bastards like us ;)
  • same old story... (Score:3, Insightful)

    by l3v1 (787564) on Tuesday February 08, 2005 @12:44PM (#11607210)
    ...same old argument: "spyware experts indicate that with its increased popularity, Firefox itself will become a target". Like when they say Unix/Linux is just as insecure as anything else, it just doesn't have a large enough userbase for viruses/trojans/spyware/whatever to be fashionable.

    I don't doubt snippets written to exploit Firefox's vulnerabilities will pop up, eventually in larger numbers. But that does not make the above argumentation any more valid, nor any less stupid. And we've been through argumentations about that, so I'll just skip that one.

  • by lamz (60321) * on Tuesday February 08, 2005 @01:24PM (#11607778) Homepage Journal
    ...Microsoft begins developing spyware for Firefox.
  • by jht (5006) on Tuesday February 08, 2005 @01:40PM (#11608005) Homepage Journal
    Sure, Firefox will be attacked. But the implications of a successful attack are much less likely to disrupt the whole system - Firefox is a self-contained application with pretty good controls for avoiding non-trusted XPIs from being installed. IE is really just the front-end for a whole series of system-level tools that are, for better or for worse, completely linked in to the OS itself.

    So the consequences of an IE exploit are typically far worse than the consequences of a Firefox exploit. This is just how it works with modular applications instead of system-level everything.

    Of course, if you run ActiveX within Firefox, all bets are off...
  • The difference? (Score:3, Informative)

    by jhylkema (545853) on Tuesday February 08, 2005 @02:26PM (#11608623)
    Security is a priority for Firefox. For M$, it isn't. The Firefox folks won't deliberately leave obvious unpatched security holes the way His Billness does.
  • by WaterBreath (812358) on Tuesday February 08, 2005 @02:33PM (#11608708)
    At least on Windows, Firefox has Java enabled by default, and also the "allow web sites to install software" option. If you don't turn those off, you'll be vulnerable to a lot of stuff. I have both off. When I need to install a Firefox update, extension, or theme, I just turn on "allow installs" to do it, then turn it back off. Same for making use of Java applets that I trust.
