Mozilla Malware Fail
Apparently Mozilla has been spreading malware in the form of a few user-submitted Firefox add-ons. They were infected with trojans, and some 4,600 people downloaded them. This fail doesn't surprise me; people have been talking about potential exploits from Firefox add-ons for years now.
I am a bit surprised that it was client-pwning malware, and not chrome-based (that is, running with the browser's own chrome privileges) sniffers or keystroke loggers or something else that could work within the DOM. I have to wonder if any of those exist... Somebody should download all the extensions off addons.mozilla.org and do some static code analysis. Maybe I will, if I find myself bored in the next few weeks.
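As an added illustration of the kind of static triage suggested above (this is example code, not the blog author's script and not Mozilla's scanner), the following unpacks an .xpi, which is just a zip archive, and flags the two things a trojaned add-on is most likely to carry: an embedded native executable, and chrome-privileged JavaScript that launches processes or writes files on the host rather than merely touching the DOM. The indicator list, the verdict thresholds and the two sample add-ons built in memory are all constructed assumptions for the demonstration.

```python
"""Static triage of Firefox add-on (.xpi) packages.

Added example, not code from the original post or from Mozilla. The
heuristics below (native-binary magic numbers, a short list of
host-touching XPCOM APIs) are assumed indicators, not an authoritative
malware signature set.
"""
import io
import re
import zipfile

# A pure JS/XUL add-on has no reason to ship native executables. (Assumed heuristic.)
PE_MAGIC = b"MZ"          # Windows PE/DOS header
ELF_MAGIC = b"\x7fELF"    # Linux/BSD ELF header
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe",
                b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe")

# Chrome-privileged APIs that let extension JS reach the host, not just the page DOM.
RISKY_JS = {
    "nsIProcess": re.compile(r"nsIProcess\b|@mozilla\.org/process/util;1"),
    "nsIFile-write": re.compile(r"@mozilla\.org/file/local;1|nsILocalFile\b|nsIFileOutputStream\b"),
    "eval": re.compile(r"\beval\s*\("),
    "ctypes": re.compile(r"js-ctypes|ctypes\.open\s*\("),
    # a chrome.manifest line registering a native XPCOM component
    "binary-component": re.compile(r"^\s*binary-component\s", re.MULTILINE),
}

TEXT_SUFFIXES = (".js", ".jsm", ".xul", ".manifest")


def _is_native_binary(data: bytes) -> bool:
    """True if the file begins with a PE, ELF or Mach-O magic number."""
    return (data.startswith(PE_MAGIC) or data.startswith(ELF_MAGIC)
            or data.startswith(MACHO_MAGICS))


def scan_xpi(xpi_bytes: bytes) -> list:
    """Return (member path, indicator) pairs for one .xpi archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if _is_native_binary(data):
                findings.append((info.filename, "native-executable"))
            if info.filename.endswith(TEXT_SUFFIXES):
                text = data.decode("utf-8", errors="replace")
                for name, pattern in RISKY_JS.items():
                    if pattern.search(text):
                        findings.append((info.filename, name))
    return findings


def verdict(findings) -> str:
    """Native code is an automatic reject; host-touching JS goes to a human."""
    kinds = {kind for _, kind in findings}
    if "native-executable" in kinds or "binary-component" in kinds:
        return "reject"
    if kinds:
        return "manual-review"
    return "pass"


def build_sample_xpi() -> bytes:
    """Constructed sample: a small add-on that drops and runs a (fake) PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome.manifest", "content sample chrome/content/\n")
        zf.writestr(
            "chrome/content/overlay.js",
            'var f = Components.classes["@mozilla.org/file/local;1"]'
            '.createInstance(Components.interfaces.nsILocalFile);\n'
            'f.initWithPath("C:\\\\tmp\\\\u.exe");\n'
            'var p = Components.classes["@mozilla.org/process/util;1"]'
            '.createInstance(Components.interfaces.nsIProcess);\n'
            'p.init(f); p.run(false, [], 0);\n')
        zf.writestr("components/u.exe", b"MZ" + b"\x90" * 64)  # fake PE stub, not real code
    return buf.getvalue()


def build_clean_xpi() -> bytes:
    """Constructed sample: an add-on that only touches the DOM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome.manifest", "content clean chrome/content/\n")
        zf.writestr("chrome/content/overlay.js",
                    "document.getElementById('x').value = 1;\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, xpi in (("sample", build_sample_xpi()), ("clean", build_clean_xpi())):
        found = scan_xpi(xpi)
        print(label, verdict(found), found)
```

Pointing this at a directory of downloaded .xpi files is a matter of reading each one into `scan_xpi`. The point of the split verdict is that an embedded executable is never legitimate in a script-only add-on and can be rejected automatically, while `nsIProcess` or file writes are sometimes legitimate and need a reviewer, which is exactly the class of case a signature-based anti-malware scanner will miss when the payload is not already in its database.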
But you know what really grinds my gears? Here's the quote from Mozilla:
These were not originally detected with the anti-malware scanning tools that we have been using. We have since increased the number of scanning tools, and will be taking additional steps to minimize the risk of further incidents.
Now, I don't have much personal experience with the Mozilla team, and what I have had has been generally very good, but really? Your malware-scanning approach didn't work, so you decided... to add more scanners? Really? Do you think that's solving your problem?
I want to know more about these "additional steps," because I'm not sold. Considering this last round of screwups, I don't have a lot of faith in your scanning.
Labels: rants


1 Comment:
OK, I know that this is a rant which everyone is entitled to, but I would raise the question: if malware scanning isn't the solution, what is? And a few constraints: it should be automatable (i.e. no "human looking at each file"), currently existing and affordable.
Given these constraints, IMHO the Mozilla solution is a pragmatic one which increases security.
By cdman83, at February 8, 2010 6:40 AM