Mozilla Confirms Infected Firefox Extensions Slipped Past Security
Experimenting with new extensions is part of what makes Firefox great, but if you downloaded either the "Sothink Web Video Downloader" or "Master Filer", you probably snagged a nasty Trojan for your troubles. According to an entry on the Mozilla Blog, both of these extensions contain code which exploits vulnerabilities in all versions of Windows, and were downloaded close to 5,000 times before being spotted.
The extensions in question were contained in the "experimental" area of the official Firefox add-on site, and while it might seem like little consolation for anyone who got infected, users grabbing extensions from this section are warned before download that this could happen. Mozilla employs a special add-on scanner which supposedly checks all new entries for malicious code, but they were forced to acknowledge that the security process failed. "[Add-ons] performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such," said yesterday's blog posting. "This scanning tool failed to detect the Trojan."
Mac and Linux users who downloaded these add-ons are unaffected, but anyone who used the extensions in Windows is being warned by Mozilla to delete all traces of the infected file and run a virus scan. Mozilla is promising to boost the number of times it scans files for malware in the future, and will also step up how often it scans its entire catalog of add-ons.
Does this hurt your trust in Firefox extensions? Or was this bound to happen eventually?
BAFTUB
February 08, 2010 at 3:26am
This was obviously bound to happen.
I'm just glad that Mozilla doesn't have an app submission system like Apple.
This actually makes me trust them more though, because of the fact that they came forward and told the truth, and did not just leave us in the shade on the "disappearing extensions".
+1 to Mozilla!
Daemon
February 07, 2010 at 3:41am
Indeed, this was bound to happen sooner or later, and eventually will happen to just about any browser or OS you care to name as soon as it becomes popular and gains any sort of following. Always read and understand what you're doing. Prevention is 99% common sense. Will this cause me to stop using a particular browser? No. But being informed and aware goes a long way in today's online world. Sometimes being on the bleeding edge results in paper cuts.
DogPatch1149
February 06, 2010 at 8:41pm
From the experimental section, eh? Sounds like someone's experiment succeeded, and yes, it was bound to happen sooner or later.
Doesn't hurt my love for Firefox, though...until Chrome comes out with extensions that include NoScript and Adblock Plus (or their equivalents), I would never consider switching. Besides, the speed advantage of Chrome isn't much compared with FF 3.6...at least, not on my machine.
To0nces
February 07, 2010 at 2:14pm
Chrome now has a decent adblock script. Still no NoScript, however. Lack of a master password though in Chrome is really annoying. I don't want to type in every single password every time but I certainly don't want my user names and passwords viewable to everybody who gets their hands on my computer.
imagonex
February 06, 2010 at 6:21pm
This all seems like much ado about nothing.
Besides, doesn't Mozilla warn the user about the risk of using add-ons and isn't there some button you have to click to accept the terms? Just asking because I don't use Firefox. I use IE8.
They patched their security. There, done. No need to panic. Hackers never sleep so you always have to stay ahead. However, 4 months to remove Master File and Sothink was removed 2 years later...sorry, that's a "fail".
Of course people will keep using Firefox and add-ons. Duh? On the other hand most users probably aren't aware of this.
On top of that 5000 downloads out of millions is a decimal percentage point.
Additionally, the majority of people, even the neophytes of computing, have an antivirus on their PC or laptop. The majority of big brand names, big box stores sell them preinstalled. As far as the MaximumPC reader goes, they most likely are running antivirus, antimalware, firewall, etc.
Again, much ado about nothing, I think. Yawn.
GFC
February 06, 2010 at 4:31pm
Nah. People who download from experimental section and don't have a proper antivirus are at fault. I mean really, I bet just a simple antivirus would've picked up that stuff.
Firefox addons are great. That's the only reason why I'm using Firefox. If 1 out of bazillion is infected - big whoop.
ibgeezer
February 06, 2010 at 4:19pm
Should not have happened. Just like texting and driving; I didn't mean to hit the tree. Yes, I will still use Mozilla.
lhatten
February 07, 2010 at 1:30pm
If you think that this won't happen to Google sooner or later now that they allow "extensions", you have been eating the funny granola and drinking the funny Kool-Aid.
1337Goose
February 09, 2010 at 5:08pm
Your comment is analogous to saying that we should all avoid elevators because sooner or later the one you're in might drop.
Sure, everything might be eventual, but as it stands right now, Firefox extensions have resulted in a security breach and Chrome extensions have not. Regardless of how you slice that, it represents a slip-up on Firefox that hasn't occurred in Chrome.
~Goose
Bilbert
February 06, 2010 at 3:51pm
glad i didn't download those. and it was bound to happen eventually.














