MozillaZine

Malware Authors Target Mozilla, Developers Respond with Enhanced Safeguards

Monday July 12th, 2004

Over the past few months, it has become apparent that many authors of malware (a category of malicious software that includes viruses and spyware) have started targetting Mozilla users. While it is not believed that any attackers have managed to exploit the XPInstall mechanism to install software without the user's consent, several sites have tried tricks such as repeatedly asking to install an XPI package when a page loads, taking advantage of the fact that many users will accept the installation to make the dialogues go away.

Fortunately, users of recent Mozilla-based browsers now enjoy several new security safeguards designed to protect against these sorts of attacks. During the 1.7 release cycle, Daniel Veditz developed a patch that blocks XPI installs from being triggered by a page load, preventing software installation dialogues from appearing as soon as a user visits a site (bug 238684). Later in the same release cycle, a whitelist of sites that are allowed to ask the user for permission to install software was implemented (bug 240552). The default whitelist for Mozilla 1.7 features mozilla.org, mozdev.org and texturizer.net (home of Firefox Help and Thunderbird Help). Mozilla Firefox 0.9 just allows update.mozilla.org (though this has since being expanded to the whole of mozilla.org).

The most recent Firefox nightlies feature a new user-interface to manage the XPInstall whitelist. When a user tries to install software from a site that is not on the whitelist, a thin non-modal yellow bar appears at the top of the content area, informing the user that the install has been blocked (bug 241705). A button allows the user to add the site to the whitelist if they choose. Testers of the beta release of Windows XP Service Pack 2 will probably find the yellow bar familiar: it's almost a carbon copy of the new Internet Explorer Information Bar that appears when an ActiveX control is blocked. If you cannot wait for Firefox 1.0 to try this feature, grab a nightly build from the 0.9 branch but remember that there may be bugs.


#25 Re: Re: Reply

by noelley

Tuesday July 13th, 2004 5:16 PM

You are replying to this message

Yep I agree, put a message on the web page telling people to click on the accept button for a better browser experience and a bunch of them will. I think a less obvious icon like the popup blocker has would be a better way to go with this, less invasive, doesn't really matter if it's a few more steps (how often are you going to use it ligitimately), and hopefully less obvious to an unexperienced user (the sort of person who would need protecting from this sort of thing). I can't tell you the number of people that are suprised when I tell them I actually read the licence agreements before I click yes, and don't just treat them as unavoidable click through annoyances - if this ends up feeling like one of those click here please type things for most people, it'll do very little to really protect people from themselves. I know that a webpage could also instruct them how to allow it even if it was in the popup type format, but I think the extra steps and the more space that a dialoge can give can mean that people take it more seriously than a simple "click ok to get rid of this message" type thing.

Just my thoughts on it.

cheers.