Daniel Veditz | 2 Jun 2004 02:28

Re: TrojanHorse with Mozilla / Firefox

Dirk wrote:

> a website tries to install the following software
>      http://www2.flingstone.com/cab/sbc_netscape.xpi
> if you d/l the xpi and expand the zip file your anti virus program will 
> alert you with something like... "keylog-briss" Trojan horse detected

We've noticed attempts like this recently and are taking steps to address
it. As a first stop-gap, sites are no longer able to launch installs
during page load (easy to work around, but a quick band-aid to specific
abuses we've seen). This is already in recent nightlies of Firefox and
Mozilla. Second, at the cost of greatly reducing the usefulness of
XPInstall, we're restricting its use to whitelisted sites or else people can
explicitly download the file and then launch it (as they can do with an .exe
install).

> You can turn the software installation off on Mozilla but not in the 
> FireFox preferences.

You can turn it off manually through about:config, and I believe UI is being
added as part of the new "Extension Manager" interface going into 0.9.

> I think most people believe they have no virus problems with 
> Mozilla/FireFox but that's not true...

This still requires the user to agree to install something on their machine
so it's not exactly a virus or worm, but probably too many people could be
fooled into installing it. That's why we're changing things.

-Dan Veditz

Maciej Mróz | 15 Jun 2004 09:12

Re: TrojanHorse with Mozilla / Firefox

Daniel Veditz wrote:
> Dirk wrote:
> 
> 
>>a website tries to install the following software
>>     http://www2.flingstone.com/cab/sbc_netscape.xpi
>>if you d/l the xpi and expand the zip file your anti virus program will 
>>alert you with something like... "keylog-briss" Trojan horse detected
> 
> 
> We've noticed attempts like this recently and are taking steps to address
> it. As a first stop-gap, sites are no longer able to launch installs
> during page load (easy to work around, but a quick band-aid to specific
> abuses we've seen). This is already in recent nightlies of Firefox and
> Mozilla. Second, at the cost of greatly reducing the usefulness of
> XPInstall, we're restricting its use to whitelisted sites or else people can
> explicitly download the file and then launch it (as they can do with an .exe
> install).

So this is why in the newest RCs of Mozilla and Firefox I am not able to 
install any .xpi files? A coworker told me that he gets an immediate "user 
cancel" in the installation script.
Up to now we had behavior that is consistent with ActiveX installation 
under IE, and even XP SP2 shows a nice and visible warning when it blocks 
an ActiveX control (so that the user knows what's going on and can easily 
allow it for that specific site; we are OK with that), but with the newest 
Firefox it just silently fails. Is there any way around this?
If not, how do I differentiate between Mozilla browsers that do it the old 
way and the new ones?


Daniel Veditz | 25 Jun 2004 09:14

Re: TrojanHorse with Mozilla / Firefox

Maciej Mróz wrote:
> Is it possible to check that setting from JavaScript on webpage? FireFox 
> users are generally much more educated when it goes to browser config 
> than IE users but it would still be nice if I could somehow inform them 
> what specific setting prevents automatic xpi installation. If it just 
> fails without warning or info of any kind it's quite a problem for me 
> (my company develops online gaming portal with currently _tens_ of xpi 
> game plugins).

InstallTrigger.enabled() returns false. The web site will not be able to
tell whether the user has turned off the entire feature or blocked only that
site, but it can tell if it will be able to launch an install.

If JavaScript is used to launch the install (again the InstallTrigger
object) then a "true" return value means the install was able to be
launched, false means it was not able to begin because the feature was
turned off (or blocked).

A "true" value does not mean the install was successful, just that it was
able to start. If you want a status code from the install you should use
InstallTrigger.install() and pass an optional callback function. See the
manual for details.

-Dan Veditz
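
As an added example (not code from this thread or from Mozilla), the following wraps the two InstallTrigger calls Dan describes so a page can tell the user why an install did not start instead of failing silently. It assumes InstallTrigger.enabled() returns a boolean, InstallTrigger.install(xpis, callback) returns true when the install could be launched and later calls callback(url, status) with status 0 on success, and that the about:config pref is xpinstall.enabled; startXpiInstall and explainLaunchStatus are hypothetical names, and the trigger object is passed in so the code runs against a stub outside a browser.

```javascript
// Added example, not from the thread. Assumed XPInstall API shape:
//   InstallTrigger.enabled() -> boolean
//   InstallTrigger.install(xpis, callback) -> boolean (true = launched)
//   callback(url, status) with status 0 meaning the item installed.
const XPI_SUCCESS = 0; // assumed status value for a completed install

// Returns a synchronous launch status; per-item outcomes arrive via onDone.
function startXpiInstall(trigger, xpis, onDone) {
  // No InstallTrigger object: not a Mozilla-family browser.
  if (!trigger || typeof trigger.install !== "function") {
    return "unsupported";
  }
  // Dan's point: enabled() is false both when the user turned XPInstall off
  // and when only this site is blocked; the page cannot tell which.
  if (typeof trigger.enabled === "function" && !trigger.enabled()) {
    return "disabled_or_blocked";
  }
  let launched;
  try {
    launched = trigger.install(xpis, function (url, status) {
      // A true return from install() only means "started"; the real
      // outcome for each item is reported here.
      onDone(url, status === XPI_SUCCESS ? "installed" : "failed", status);
    });
  } catch (e) {
    // Defensive: treat an exception from the trigger as a refused launch.
    return "launch_refused";
  }
  return launched ? "launched" : "launch_refused";
}

// Text a page can show instead of the silent failure Maciej describes.
function explainLaunchStatus(status) {
  switch (status) {
    case "unsupported":
      return "This browser has no XPInstall support.";
    case "disabled_or_blocked":
      return "Software installation is off or this site is not whitelisted; " +
             "check xpinstall.enabled in about:config or the site whitelist.";
    case "launch_refused":
      return "The browser refused to start the install from this page; " +
             "download the .xpi and open it manually.";
    default:
      return "Install started; wait for the completion callback.";
  }
}
```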
Sailfish | 12 Jun 2004 21:32

Re: TrojanHorse with Mozilla / Firefox

Daniel Veditz wrote:

> Dirk wrote:
> 
> 
>>a website tries to install the following software
>>     http://www2.flingstone.com/cab/sbc_netscape.xpi
>>if you d/l the xpi and expand the zip file your anti virus program will 
>>alert you with something like... "keylog-briss" Trojan horse detected
> 
> 
> We've noticed attempts like this recently and are taking steps to address
> it. As a first stop-gap, sites are no longer able to launch installs
> during page load (easy to work around, but a quick band-aid to specific
> abuses we've seen). This is already in recent nightlies of Firefox and
> Mozilla. Second, at the cost of greatly reducing the usefulness of
> XPInstall, we're restricting its use to whitelisted sites or else people can
> explicitly download the file and then launch it (as they can do with an .exe
> install).
> 
Unfortunately, it's also restricting non-scripting, assumedly safe, 
theme jar installs. Are there plans to come up with a solution to not 
have to whitelist those sites?

-- 

Netscape FAQs: http://www.ufaq.org/
Netscape 6/7 Tips: http://www.holgermetzger.de/net6e.html
Web page validation: http://validator.w3.org
About Mozilla: http://www.mozilla.org

GuruJ | 12 Jun 2004 07:23

Re: TrojanHorse with Mozilla / Firefox

Daniel Veditz wrote:
<snip>
> We've noticed attempts like this recently and are taking steps to address
> it. As a first stop-gap, sites are no longer able to launch installs
> during page load (easy to work around, but a quick band-aid to specific
> abuses we've seen). This is already in recent nightlies of Firefox and
> Mozilla. Second, at the cost of greatly reducing the usefulness of
> XPInstall, we're restricting its use to whitelisted sites or else people can
> explicitly download the file and then launch it (as they can do with an .exe
> install).

Daniel,

This is great news, but if you're going to restrict XPInstall sites to a 
whitelist, can you make sure there's a UI option for it?  Or at least 
make sure people get a pop-up to let them know what's going on when an 
XPInstall trigger is blocked?

XPInstall is a great feature, despite its flaws, and I think people 
should be able to continue using it if they want to.

-- GuruJ.
Dirk | 2 Jun 2004 18:09

Re: TrojanHorse with Mozilla / Firefox

Daniel,

thanks for the fast and useful answer, I turned the installation off...

Ciao
  dirk
Daniel Veditz wrote:
> Dirk wrote:
> 
> 
>>a website tries to install the following software
>>     http://www2.flingstone.com/cab/sbc_netscape.xpi
>>if you d/l the xpi and expand the zip file your anti virus program will 
>>alert you with something like... "keylog-briss" Trojan horse detected
> 
> 
> We've noticed attempts like this recently and are taking steps to address
> it. As a first stop-gap, sites are no longer able to launch installs
> during page load (easy to work around, but a quick band-aid to specific
> abuses we've seen). This is already in recent nightlies of Firefox and
> Mozilla. Second, at the cost of greatly reducing the usefulness of
> XPInstall, we're restricting its use to whitelisted sites or else people can
> explicitly download the file and then launch it (as they can do with an .exe
> install).
> 
> 
>>You can turn the software installation off on Mozilla but not in the 
>>FireFox preferences.
> 
> 