Site(s) try to install malicious XPI when I visit them
-
- Posts: 149
- Joined: September 25th, 2003, 6:19 am
- Location: Bulgaria
- Contact:
When I visited the site http://cracks.ss.ru/download/tsrh/tsrh- ... e.zip.html Firefox prompted to install Content Access Plugin 1.01. That is happening for the first time for me and I was interested in what this could be. I saved (not installed) the xpi and after unarchiving it, it occurs that it contains an .exe file which install.js runs when you install the plugin. I found that this is porn toolbar spyware/adware; info for this can be found at spywareguide.com.
Now after this I think that the install prompt should contain the URL that is requesting the install (in this case it was http://install.xxxtoolbar.com/ist/scripts/prompt.php) and a way to block sites from requesting installation of xpi.
- Paradox52525
- Posts: 1219
- Joined: April 23rd, 2003, 9:13 am
- Location: Middle of nowhere
- Contact:
Interesting... this is the first time I've ever seen spyware in xpi form. It does launch the xpi installer for a file at address:
http://www.xxxtoolbar.com/ist/softwares ... tscape.xpi
It appears to be just an xpi based installer for the same xxxtoolbar that uses ActiveX exploits to install in Internet Explorer, although I haven't had a chance to examine it. What's really surprising is that someone actually sat down and figured out how to target spyware specifically at Mozilla browsers. There have been several discussions about the potential for malicious xpi's in the time I've been here, but this is the first one I've actually ever seen. I can reassure you that, unlike ActiveX/VBScript, XPIs cannot install without user permission, so as long as you don't click "install" without knowing what you are installing, you will be fine. I still think this is something that merits further discussion though.
-
- Posts: 4864
- Joined: October 16th, 2003, 5:47 am
- Location: Somewhere in London, riding the Underground
- yamal
- Posts: 3667
- Joined: January 8th, 2004, 9:12 pm
- Location: near A'dam
- Contact:
-
- Posts: 149
- Joined: September 25th, 2003, 6:19 am
- Location: Bulgaria
- Contact:
I know that without clicking 'Install' it won't trigger the install.js (I am also an extension developer), but I am sure that many users out there are not such techie gurus, and when they see some .xpi with a good/interesting name they click install.
I do think that there should be an exceptions/block list for xpi's, just like for cookies.
-
- Posts: 4864
- Joined: October 16th, 2003, 5:47 am
- Location: Somewhere in London, riding the Underground
The new XPInstall code has some sort of provision for digital signatures, so that when you install an XPI you know that somebody has QA'd it and knows that it is safe to use. With all the extension installer problems repaired now, perhaps it's time to turn our attention to this particular issue.
Proud user of teh Fox of Fire
Registered Linux User #289618
- arch
- Posts: 85
- Joined: May 4th, 2003, 8:58 am
- Contact:
Perhaps now is the time for sboulema, jedbro and Ben to start churning out licenses for XPI files?
Perhaps onload installs should be blocked by default?
Note that IE also has a signature system that doesn't help much. Stupid users still click the Install button. And onload installs are also annoying.
Not to mention Firefox's image as a secure browser...
Filed a bug: http://bugzilla.mozilla.org/show_bug.cgi?id=238684
(Mock-up)
Last edited by arch on March 25th, 2004, 1:34 pm, edited 3 times in total.
"No good deed goes ever unpunished"
http://archonon.sytes.net
-
- Posts: 4864
- Joined: October 16th, 2003, 5:47 am
- Location: Somewhere in London, riding the Underground
arch wrote: Perhaps now is the time for sboulema, jedbro and Ben to start churning out licenses for XPI files?
Perhaps onload installs should be blocked by default?
Note that IE also has a signature system that doesn't help much. Stupid users still click the Install button. And onload installs are also annoying.
Maybe they already can - Ben said that the download manager (which includes the extension installer) has a LOT of hidden prefs; maybe one of them prevents the installer code from being called via onload.
Proud user of teh Fox of Fire
Registered Linux User #289618
- David James
- Posts: 1321
- Joined: November 4th, 2002, 10:19 pm
- Location: Ottawa, Ontario, Canada
- Contact:
- Paradox52525
- Posts: 1219
- Joined: April 23rd, 2003, 9:13 am
- Location: Middle of nowhere
- Contact:
The OP said that the xpi installer is just used to run an exe file. Doesn't the fact that it CAN do that represent a much much bigger security risk? Rather than trying to control when things are or aren't launching the xpi installer, why not just revise the xpi installer to block executable code? (Or maybe prompt... something like "This installer is attempting to execute... filename, etc.") AFAIK xpi installers should never need to execute any code outside of their own javascript. All extension installers really do is copy files to the hard drive (extracting them from the xpi) and "register" them, which involves adding lines to text files like chrome.rdf, overlays.rdf, etc. I could be missing some legitimate uses, but I can't think of any reason that an xpi installer should be allowed to launch an exe...
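The OP's triage (save the XPI, do not install it, unzip it, look for an .exe and for the install.js call that launches it) and the observation above that a normal install.js only copies and registers files can be turned into an offline check. The script below is an added example, not code from this thread, from Mozilla or from the toolbar vendor: it treats the XPI as the ZIP it is, flags members that carry a Windows PE "MZ" header whatever their extension, and flags install.js lines that call the XPInstall `File.execute()` API (the regex's name list is an assumption, not an exhaustive catalogue of ways to run native code). The sample XPI it builds in memory is constructed here to mirror the thread's description, not the real Content Access Plugin package.

```python
"""Offline triage of a saved (not installed) XPI.

An XPI is a ZIP archive; Mozilla's XPInstall runs the install.js inside it.
This script lists the archive, flags Windows PE executables (MZ header) and
flags install.js lines that call File.execute(), the XPInstall API call that
lets an installer launch a bundled .exe.  Example code, not from the thread.
"""
import io
import re
import zipfile

# Heuristic (assumption): XPInstall calls that hand control to a native
# binary.  File.execute() is the documented API; the bare `execute(` form
# is included to catch aliasing tricks.  Not an exhaustive list.
EXEC_PATTERNS = re.compile(r"\b(File\.execute|execute)\s*\(", re.IGNORECASE)


def triage_xpi(data: bytes) -> dict:
    """Return findings for an XPI given as bytes: members, PE files, exec calls."""
    findings = {"members": [], "pe_files": [], "exec_calls": [], "has_install_js": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings["members"].append(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            # Windows EXE/DLL files start with the 'MZ' DOS header, no matter
            # what extension the author gave them.
            if head == b"MZ":
                findings["pe_files"].append(info.filename)
        if "install.js" in zf.namelist():
            findings["has_install_js"] = True
            script = zf.read("install.js").decode("utf-8", errors="replace")
            for lineno, line in enumerate(script.splitlines(), 1):
                if EXEC_PATTERNS.search(line):
                    findings["exec_calls"].append((lineno, line.strip()))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Bundled PE binary plus an execute() call in install.js is the pattern
    reported in the thread: the installer exists only to run the .exe."""
    return bool(findings["pe_files"]) and bool(findings["exec_calls"])


def build_sample_xpi() -> bytes:
    """Constructed sample modelled on the thread's description (not the real
    toolbar XPI): install.js drops a bundled .exe to a temp folder and runs it."""
    install_js = (
        'var err = initInstall("Content Access Plugin", "/Sample/CAP", "1.01");\n'
        'var folder = getFolder("Temporary");\n'
        'addFile("setup.exe", "setup.exe", folder, "");\n'
        'var exe = getFolder(folder, "setup.exe");\n'
        'File.execute(exe, "");\n'
        'performInstall();\n'
    )
    # Minimal fake PE: only the 2-byte MZ signature matters for this check.
    fake_exe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.js", install_js)
        zf.writestr("setup.exe", fake_exe)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a saved .xpi path to triage it; with no argument the built-in sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xpi()
    f = triage_xpi(data)
    for name in f["members"]:
        print("member:", name)
    for name in f["pe_files"]:
        print("PE binary:", name)
    for lineno, line in f["exec_calls"]:
        print(f"install.js:{lineno}: {line}")
    print("suspicious:", is_suspicious(f))
```

Run it as `python triage_xpi.py saved.xpi` on a package you saved with "Save Link As" instead of clicking Install. The MZ check is deliberately extension-blind because nothing stops an installer from shipping its binary as `plugin.dat` and renaming it from install.js; the regex is only a first pass, so review the whole install.js by hand when either flag fires.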
- MonkeeSage
- Posts: 1011
- Joined: December 20th, 2002, 8:15 pm
Paradox52525:
I mainly agree, but I do think a prompt would be better than blocking executables altogether, because I can think of at least one good use: say you've written a plugin, or are including a trunk plugin that is not built by default (e.g., Adam Lock's ActiveX plugin), and want to call regsvr32 after copying the file. But granted, that is the single legitimate use I can think of, so even if executables were blocked it wouldn't have a very big impact...a prompt could be presented instead, something like 'Now run "regsvr32 c:/path/to/blah.dll" to activate the plugin'
Shelumi`El
Jordan
S.D.G
- laszlo
- Posts: 5225
- Joined: November 4th, 2002, 6:13 pm
- Location: .de
- Contact:
I'd like to know why nothing at all happens for me. I've looked for custom settings that could have an influence, but whatever I changed, nothing happened. What builds are you all running?
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040320 Firefox/0.8.0+
"I'll be dead after I die. I was dead before I was born. Life is a break from death." - Hlynur, 101 Reykjavík
-
- Posts: 0
- Joined: December 31st, 1969, 5:00 pm
Paradox52525 wrote: The OP said that the xpi installer is just used to run an exe file. Doesn't the fact that it CAN do that represent a much much bigger security risk? Rather than trying to control when things are or aren't launching the xpi installer, why not just revise the xpi installer to block executable code?
The XPInstall API is not just for installing Mozilla extensions, plugins, components, or patches. It is also a vehicle for software installation not related to the browser.
Also, extensions are considered "executable code" and they are given full control over your computer. A malicious extension has the potential to be worse than a standalone executable because it's less likely to be flagged by a firewall and it already has full file access through the browser's API.
CAPS may provide a way to enable XPInstall only for certain sites. I'll have to look into that, since it would be a very good long-term solution. Disable XPInstall for all but a few trusted sites and you won't have to worry as much about the malware.