Site(s) try to install malicious XPI when I visit them

Discussion of general topics about Mozilla Firefox
Flexer
Posts: 149
Joined: September 25th, 2003, 6:19 am
Location: Bulgaria

Post by Flexer »

When I visited the site http://cracks.ss.ru/download/tsrh/tsrh- ... e.zip.html Firefox prompted to install Content Access Plugin 1.01. That is happening for the first time for me and I was interested in what this could be. I saved (not installed) the xpi and after unarchiving it, it turned out that it contains an .exe file which install.js runs when you install the plugin. I found that this is porn toolbar spyware/adware; info on this can be found at spywareguide.com.

Now after this I think that the install prompt should contain the URL that is requesting the install (in this case it was http://install.xxxtoolbar.com/ist/scripts/prompt.php) and a way to block sites from requesting installing of xpi.
Paradox52525
Posts: 1219
Joined: April 23rd, 2003, 9:13 am
Location: Middle of nowhere

Post by Paradox52525 »

Interesting...this is the first time I've ever seen spyware in xpi form. It does launch the xpi installer for a file at address:

http://www.xxxtoolbar.com/ist/softwares ... tscape.xpi

It appears to be just an xpi based installer for the same xxxtoolbar that uses ActiveX exploits to install in Internet Explorer, although I haven't had a chance to examine it. What's really surprising is that someone actually sat down and figured out how to target spyware specifically at Mozilla browsers. There have been several discussions about the potential for malicious xpi's in the time I've been here, but this is the first one I've actually ever seen. I can reassure you of the fact that, unlike ActiveX/VBScript, XPIs cannot install without user permission, so as long as you don't click "install" without knowing what you are installing, you will be fine. I still think this is something that merits further discussion though.
TheOneKEA
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post by TheOneKEA »

This is the first one I've seen as well!

Perhaps now is the time for sboulema, jedbro and Ben to start churning out licenses for XPI files?
Proud user of teh Fox of Fire
Registered Linux User #289618
yamal
Posts: 3667
Joined: January 8th, 2004, 9:12 pm
Location: near A'dam

Post by yamal »

There are a number of people who set signed.applets.codebase_principal_support to true; this or something similar could affect them.
Quis custodiet ipsos custodes?
Awas, kelapa jatuh!
Flexer
Posts: 149
Joined: September 25th, 2003, 6:19 am
Location: Bulgaria

Post by Flexer »

I know that without clicking the 'Install' it won't trigger the installer.js (I am also an extensions developer ;) ) but I am sure that many users out there are not so techie gurus and when they see some .xpi with a good/interesting name they click install.

I do think that there should be an exceptions/blocks list for xpi's just like for the cookies.
TheOneKEA
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post by TheOneKEA »

The new XPInstall code has some sort of provision for digital signatures, so that when you install an XPI you know that somebody has QA'd it and knows that it is safe to use. With all the extension installer problems repaired now, perhaps it's time to turn our attention to this particular issue.
Proud user of teh Fox of Fire
Registered Linux User #289618
arch
Posts: 85
Joined: May 4th, 2003, 8:58 am

Post by arch »

Perhaps now is the time for sboulema, jedbro and Ben to start churning out licenses for XPI files?


Perhaps onload installs should be blocked by default?

Note that IE also has a signature system that doesn't help much. Stupid users still click the Install button. And onload installs are also annoying.

Not mentioning Firefox image as secure browser...

Filed a bug: http://bugzilla.mozilla.org/show_bug.cgi?id=238684
[Image: mock-up]
Last edited by arch on March 25th, 2004, 1:34 pm, edited 3 times in total.
"No good deed goes ever unpunished"
http://archonon.sytes.net
TheOneKEA
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post by TheOneKEA »

arch wrote:
Perhaps now is the time for sboulema, jedbro and Ben to start churning out licenses for XPI files?


Perhaps onload installs should be blocked by default?

Note that IE also has a signature system that doesn't help much. Stupid users still click the Install button. And onload installs are also annoying.


Maybe they already can - Ben said that the download manager (which includes the extension installer) has a LOT of hidden prefs; maybe one of them prevents the installer code from being called via onload.
Proud user of teh Fox of Fire
Registered Linux User #289618
chapas
Posts: 186
Joined: March 22nd, 2004, 12:37 pm
Location: Buenos Aires, Argentina

Post by chapas »

arch's suggestion is cool. Blocking onload installs seems to be a good idea. If Fx goes mainstream, this will be a common practice on such sites. I think this has to be fixed asap.
Racer
Posts: 6108
Joined: November 18th, 2002, 11:07 am

Post by Racer »

So is there any kind of long term plan to have a de-facto acceptable (or evil) list for signers (or even xpi files)?
David James
Posts: 1321
Joined: November 4th, 2002, 10:19 pm
Location: Ottawa, Ontario, Canada

Post by David James »

Heh - I got an error message telling me that my browser wasn't "Win32 Compatible" ;) Despite that, it still prompted me to install it.

Well that's what you should expect from a site with a url like "cracks.ss.ru".
Pinball-Firefox maintainer.
http://david.jamesnet.ca/
Debian Sid, KDE 3.3
Paradox52525
Posts: 1219
Joined: April 23rd, 2003, 9:13 am
Location: Middle of nowhere

Post by Paradox52525 »

The OP said that the xpi installer is just used to run an exe file. Doesn't the fact that it CAN do that represent a much, much bigger security risk? Rather than trying to control when things are or aren't launching the xpi installer, why not just revise the xpi installer to block executable code? (Or maybe prompt...something like "This installer is attempting to execute...filename, etc."). AFAIK xpi installers should never need to execute any code outside of their own JavaScript. All extension installers really do is copy files to the hard drive (extracting them from the xpi) and "register" them, which involves adding lines to text files like chrome.rdf, overlays.rdf, etc. I could be missing some legitimate uses, but I can't think of any reason that an xpi installer should be allowed to launch an exe...
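As an added example (not from this thread, and not Mozilla's code): a small triage script that does programmatically what the OP did by hand (treat the saved, uninstalled XPI as a zip, list the native binaries it ships, and flag install.js lines that call an execute API) and that checks for the behaviour Paradox52525 argues the installer should refuse. The File.execute / Install.execute names and both sample install.js scripts are assumptions constructed for the demo.

```python
import io
import re
import zipfile

# Assumption: install.js scripts reach native programs through an execute()
# call (File.execute / Install.execute); that is the pattern this scan keys on.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat")
EXEC_CALL = re.compile(r"\b(?:File|Install)\s*\.\s*execute\s*\(|\bexecute\s*\(")


def triage_xpi(xpi_bytes):
    """Inspect an XPI (a zip) given as bytes without installing it."""
    findings = {"binaries": [], "exec_calls": [], "has_install_js": False}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = zf.namelist()
        # Native executables have no business inside an extension package.
        findings["binaries"] = [n for n in names if n.lower().endswith(EXECUTABLE_SUFFIXES)]
        if "install.js" in names:
            findings["has_install_js"] = True
            script = zf.read("install.js").decode("latin-1")
            # Record every line of the install script that launches a program.
            for lineno, line in enumerate(script.splitlines(), 1):
                if EXEC_CALL.search(line):
                    findings["exec_calls"].append((lineno, line.strip()))
    findings["suspicious"] = bool(findings["binaries"] or findings["exec_calls"])
    return findings


def build_sample_xpi(install_js, extra_files=()):
    """Build an in-memory XPI for the demo (constructed data, not a real add-on)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.js", install_js)
        for name, data in extra_files:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: an extension that only registers chrome, and one shaped
# like the toolbar in the thread (ships an .exe and has install.js run it).
BENIGN_XPI = build_sample_xpi(
    'initInstall("Example", "example", "1.0");\naddFile("chrome/example.jar");\n'
    'registerChrome(CONTENT, getFolder("Chrome", "example.jar"), "content/");\nperformInstall();\n',
    [("chrome/example.jar", b"PK")],
)
MALICIOUS_XPI = build_sample_xpi(
    'initInstall("Content Access Plugin", "cap", "1.01");\naddFile("setup.exe");\n'
    'var f = getFolder("Program", "setup.exe");\nFile.execute(f);\nperformInstall();\n',
    [("setup.exe", b"MZ constructed placeholder")],
)
```

Running `triage_xpi` on the two samples returns a clean verdict for the first and flags both the shipped setup.exe and the execute() line for the second.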
MonkeeSage
Posts: 1011
Joined: December 20th, 2002, 8:15 pm

Post by MonkeeSage »

Paradox52525:

I mainly agree, but I do think a prompt would be better than blocking executables altogether, because I can think of at least one good use: say you've written a plugin, or are including a trunk plugin that is not built by default (e.g., Adam Lock's ActiveX plugin), and want to call regsvr32 after copying the file. But granted, that is the single legitimate use I can think of, so even if executables were blocked it wouldn't have a very big impact...a prompt could be presented instead, something like 'Now run "regsvr32 c:/path/to/blah.dll" to activate the plugin'


Shelumi`El
Jordan

S.D.G
laszlo
Posts: 5225
Joined: November 4th, 2002, 6:13 pm
Location: .de

Post by laszlo »

I'd like to know why nothing at all happens for me. I've looked for custom settings that could have an influence, but whatever I changed, nothing happened. What builds are you all running?

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040320 Firefox/0.8.0+
"I'll be dead after I die. I was dead before I was born. Life is a break from death." - Hlynur, 101 Reykjavík
old momokatte
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old momokatte »

Paradox52525 wrote: The OP said that the xpi installer is just used to run an exe file. Doesn't the fact that it CAN do that represent a much much bigger security risk? Rather than trying to control when things are or aren't launching the xpi installer, why not just revise the xpi installer to block executable code?

The XPInstall API is not just for installing Mozilla extensions, plugins, components, or patches. It is also a vehicle for software installation not related to the browser.

Also, extensions are considered "executable code" and they are given full control over your computer. A malicious extension has the potential to be worse than a standalone executable because it's less likely to be flagged by a firewall and it already has full file access through the browser's API.

CAPS may provide a way to enable XPInstall only for certain sites. I'll have to look into that, since it would be a very good long-term solution. Disable XPInstall for all but a few trusted sites and you won't have to worry as much about the malware.