MozillaZine

Site(s) try to install malicious XPI when I visit them

Discussion of general topics about Mozilla Firefox
Flexer
 
Posts: 149
Joined: September 25th, 2003, 6:19 am
Location: Bulgaria

Post Posted March 25th, 2004, 10:47 am

When I visited the site http://cracks.ss.ru/download/tsrh/tsrh- ... e.zip.html Firefox promted to install Content Access Plugin 1.01, that is happening for first time for me and I was interested in waht this could be. I saved (not installed) the xpi and after unarchiving it it occures that it contains and .exe file which install.js run when you install the plugin. I found that this is porn toolbar spyware/adware, info for this can be found at spywareguide.com.

Now after this I think that the install prompt should contains the URL that is requesting the install (in this case it was http://install.xxxtoolbar.com/ist/scripts/prompt.php and a way to block sites from requesting installin of xpi.

Paradox52525

User avatar
 
Posts: 1219
Joined: April 23rd, 2003, 9:13 am
Location: Middle of nowhere

Post Posted March 25th, 2004, 12:10 pm

Interesting...this is the first time I've ever seen spyware in xpi form. It does launch the xpi installer for a file at address:

http://www.xxxtoolbar.com/ist/softwares ... tscape.xpi

It appears to be just an xpi based installer for the same xxxtoolbar that uses ActiveX exploits to install in Internet Explorer, although I haven't had a chance to examine it. What's really surprising is that someone actually sat down and figured out how to target spyware specifically at Mozilla browsers. There have been several discussions about the potential for malicious xpi's in the time I've been here, but this is the first one I've actually ever seen. I can reassure you to the fact that unlike ActiveX/VBScript XPI's cannot install without user permission, so as long as you don't click "install" without knowing what you are installing, you will be fine. I still think this is something that merits further discussion though.

TheOneKEA

User avatar
 
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post Posted March 25th, 2004, 12:17 pm

This is the first one I've seen as well!

Perhaps now is the time for sboulema, jedbro and Ben to start churning out licenses for XPI files?
Proud user of teh Fox of Fire
Registered Linux User #289618

yamal

User avatar
 
Posts: 3667
Joined: January 8th, 2004, 9:12 pm
Location: near A'dam

Post Posted March 25th, 2004, 12:21 pm

There a number of people who set signed.applets.codebase_principal_support to true
this or something sim. could effect them.
Quis custodiet ipsos custodes?
Awas, kelapa jatuh!

Flexer
 
Posts: 149
Joined: September 25th, 2003, 6:19 am
Location: Bulgaria

Post Posted March 25th, 2004, 12:28 pm

I know that without clickin the 'Install" it wont trigger the installer.js (I am also extensions developer ;) ) but I am sure that many users out there are not so techie gurus and when they some .cpi with good/interesting name they click install.

I do think that there should be and exceptions/blocks list for xpi's just like for the cookies.

TheOneKEA

User avatar
 
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post Posted March 25th, 2004, 12:58 pm

The new XPInstall code has some sort of provision for digital signatures, so that when you install an XPI you know that somebody has QA'd it and knows that it is safe to use. With all the extension installer problems repaired now, perhaps it's time to turn our attention to this particular issue.
Proud user of teh Fox of Fire
Registered Linux User #289618

arch

User avatar
 
Posts: 85
Joined: May 4th, 2003, 8:58 am

Post Posted March 25th, 2004, 1:05 pm

Perhaps now is the time for sboulema, jedbro and Ben to start churning out licenses for XPI files?


Perhaps onload installs should be blocked by default?

Note that IE has also signature system that doesn't help much. Stupid users still click Install button. And onload installs are also annoying.

Not mentioning Firefox image as secure browser...

Filed a bug: http://bugzilla.mozilla.org/show_bug.cgi?id=238684
Image
(Mock-up)
Last edited by arch on March 25th, 2004, 1:34 pm, edited 3 times in total.
"No good deed goes ever unpunished"
http://archonon.sytes.net

TheOneKEA

User avatar
 
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post Posted March 25th, 2004, 1:11 pm

arch wrote:
Perhaps now is the time for sboulema, jedbro and Ben to start churning out licenses for XPI files?


Perhaps onload installs should be bloacked by default?

Note that IE has also signature system that doesn't help much. Stupid users still click Install button. And onload installs are also annoying.


Maybe they already can - Ben said that the download manager (which includes the extension installer) has a LOT of hidden prefs; maybe one of them prevents the installer code from being called via onload.
Proud user of teh Fox of Fire
Registered Linux User #289618

chapas

User avatar
 
Posts: 186
Joined: March 22nd, 2004, 12:37 pm
Location: Buenos Aires, Argentina

Post Posted March 25th, 2004, 1:17 pm

arch's suggestion is cool. Blocking onload installs seems to be a good idea. If Fx goes mainstream, this will be a common practice on such sites. I think this has to be fixed asap.

Racer
 
Posts: 6108
Joined: November 18th, 2002, 11:07 am

Post Posted March 25th, 2004, 3:35 pm

So is there any kind of long term plan to have a de-facto acceptable (or evil) list for signers (or even xpi files)?

David James

User avatar
 
Posts: 1321
Joined: November 4th, 2002, 10:19 pm
Location: Ottawa, Ontario, Canada

Post Posted March 25th, 2004, 4:51 pm

Heh - I got an error message telling me that my browser wasn't "Win32 Compatible" ;) Despite that, it still prompted me to install it.

Well that's what you should expect from a site with a url like "cracks.ss.ru".
Pinball-Firefox maintainer.
http://david.jamesnet.ca/
Debian Sid, KDE 3.3

Paradox52525

User avatar
 
Posts: 1219
Joined: April 23rd, 2003, 9:13 am
Location: Middle of nowhere

Post Posted March 25th, 2004, 5:26 pm

The OP said that the xpi installer is just used to run an exe file. Doesn't the fact that it CAN do that represent a much much bigger security risk? Rather than trying to control when things are or aren't launching the xpi installer, why not just revise the xpi installer to block executable code? (Or maybe prompt...something like "This installer is attempting to execute...filename, ect"). AFAIK xpi installers should never need to execute any code outside of it's own javascript. All extension installers really do is copy files to the harddrive (extracting them from the xpi) and "register" them, which involves adding lines to text files like chrome.rdf, overlays.rdf, ect. I could be missing some legitimate uses, but I'm can't think of any reason that an xpi installer should be allowed to launch an exe...

MonkeeSage

User avatar
 
Posts: 1011
Joined: December 20th, 2002, 8:15 pm

Post Posted March 25th, 2004, 5:41 pm

Paradox52525:

I mainly agree, but I do think a prompt would be better than blocking executables altogether, because I can think of at least one good use: say you've written a plugin, or are including a trunk plugin that is not built by default (e.g., Adam Lock's ActiveX plugin), and want to call regsvr32 after copying the file. But granted, that is the single legitimate use I can think of, so even if executables were blocked it wouldn't have a very big impact...a prompt could be presented instead, something like 'Now run "regsvr32 c:/path/to/blah.dll" to activate the plugin'


Shelumi`El
Jordan

S.D.G

laszlo

User avatar
 
Posts: 5198
Joined: November 4th, 2002, 6:13 pm
Location: .de

Post Posted March 25th, 2004, 6:09 pm

I'd like to know why nothing at all happens for me. I've looked for custom settings that could have an influence, but whatever I changed, nothing happened. What builds are you all running?

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040320 Firefox/0.8.0+
"I'll be dead after I die. I was dead before I was born. Life is a break from death." - Hlynur, 101 Reykjavík

old momokatte
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post Posted March 25th, 2004, 6:41 pm

Paradox52525 wrote:The OP said that the xpi installer is just used to run an exe file. Doesn't the fact that it CAN do that represent a much much bigger security risk? Rather than trying to control when things are or aren't launching the xpi installer, why not just revise the xpi installer to block executable code?

The XPInstall API is not just for installing Mozilla extensions, plugins, components, or patches. It is also a vehicle for software installation not related to the browser.

Also, extensions are considered "exectuable code" and they are given full control over your computer. A malicious extension has the potential to be worse than a standalone executable because it's less likely to be flagged by a firewall and it already has full file access through the browser's API.

CAPS may provide a way to enable XPInstall only for certain sites. I'll have to look into that, since it would be a very good long-term solution. Disable XPInstall for all but a few trusted sites and you won't have to worry as much about the malware.

Return to Firefox General


Who is online

Users browsing this forum: No registered users and 1 guest