Comments on: Spyware via Firefox? It’s true. http://www.edbott.com/weblog/?p=562 Helping PC users make sense of Microsoft software since 1991 Fri, 20 Nov 2009 18:54:09 -0700 http://wordpress.org/?v=2.8.6 hourly 1 By: Ralph Cook http://www.edbott.com/weblog/?p=562&cpage=2#comment-4220 Ralph Cook Sun, 08 Jan 2006 05:36:55 +0000 http://www.edbott.com/wordpress/?p=562#comment-4220 I don't think anyone who understands how malware works would argue that firefox solves the problem in general. I do think IE is MUCH more prone to be a problem, whether by poor programming or just being the biggest in the market doesn't really matter to the poor users. I guess we'll find out if Firefox ever equals its market share -- let's all try it! It is interesting that the Sun site claims that this was only possible using the Microsoft VM -- was the author using that VM? It wouldn't likely have come with Firefox, so I guess it would have had to be on his machine already. I, for one, am more in favor of user education than trying to disable anything that might be a problem. After all, phising scams and email attachments are STILL there, we can't plug all the holes if the users insist on "just clicking on things". Disclaimer: I'm a 30-year veteran of the programming industry, and just got caught by a usenet message purporting to hold the group's new charter in an HTML file that turned out to automatically download an EXE, so I just got done running a 2-hour scan on the machine to see if it got anything on here. And found this trojan-loader on the machine in places where it's already been! Fortunately I refuse to run MS's so-called Java VM, so that may have saved me. I refuse to run IE, also. rc I don’t think anyone who understands how malware works would argue that firefox solves the problem in general. I do think IE is MUCH more prone to be a problem, whether by poor programming or just being the biggest in the market doesn’t really matter to the poor users. I guess we’ll find out if Firefox ever equals its market share — let’s all try it!

It is interesting that the Sun site claims that this was only possible using the Microsoft VM — was the author using that VM? It wouldn’t likely have come with Firefox, so I guess it would have had to be on his machine already.

I, for one, am more in favor of user education than trying to disable anything that might be a problem. After all, phising scams and email attachments are STILL there, we can’t plug all the holes if the users insist on “just clicking on things”.

Disclaimer: I’m a 30-year veteran of the programming industry, and just got caught by a usenet message purporting to hold the group’s new charter in an HTML file that turned out to automatically download an EXE, so I just got done running a 2-hour scan on the machine to see if it got anything on here. And found this trojan-loader on the machine in places where it’s already been! Fortunately I refuse to run MS’s so-called Java VM, so that may have saved me. I refuse to run IE, also.

rc

]]> By: Pranab Salian http://www.edbott.com/weblog/?p=562&cpage=1#comment-3684 Pranab Salian Thu, 24 Nov 2005 10:44:32 +0000 http://www.edbott.com/wordpress/?p=562#comment-3684 Here is what Sun has to say.. These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011). If you are using the Sun JVM as your default virtual machine, these malicious applets cannot cause any harm to your computer. http://www.java.com/en/download/help/cache_virus.xml Here is what Sun has to say..

These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011).

If you are using the Sun JVM as your default virtual machine, these malicious applets cannot cause any harm to your computer.

http://www.java.com/en/download/help/cache_virus.xml

]]> By: rick http://www.edbott.com/weblog/?p=562&cpage=1#comment-2872 rick Wed, 28 Sep 2005 19:50:39 +0000 http://www.edbott.com/wordpress/?p=562#comment-2872 On a related issue, I've tried using the deployment.config with the mandatory setting and with the apporpriate deployment.properties file. It's not working, though -- still pulling my user settings. With the mandatory setting, isn't it supposed not to use my user settings? Did I miss something to enable this? Thanks. Rick On a related issue, I’ve tried using the deployment.config with the mandatory setting and with the apporpriate deployment.properties file. It’s not working, though — still pulling my user settings.

With the mandatory setting, isn’t it supposed not to use my user settings? Did I miss something to enable this?

Thanks.
Rick

]]> By: harrison http://www.edbott.com/weblog/?p=562&cpage=1#comment-2773 harrison Wed, 21 Sep 2005 16:27:05 +0000 http://www.edbott.com/wordpress/?p=562#comment-2773 ok i just recently installed foxfire and after my next restart, i notice mt browser is much slower than before including my download speed also. Is foxfire doing all this? thanks ok i just recently installed foxfire and after my next restart, i notice mt browser is much slower than before including my download speed also. Is foxfire doing all this? thanks

]]> By: suzi http://www.edbott.com/weblog/?p=562&cpage=1#comment-1177 suzi Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1177 Excellent analysis and write up, Ed. Yours write up is quite a contrast with <a href="http://www.spywareinfo.com/newsletter/archives/2005/mar13.php" rel="nofollow">this newsletter</a> from Spywareinfo.com. I'd be interested in your comments regarding the editor's article on Firefox and spyware. Excellent analysis and write up, Ed. Yours write up is quite a contrast with this newsletter from Spywareinfo.com.

I’d be interested in your comments regarding the editor’s article on Firefox and spyware.

]]> By: Neil T. http://www.edbott.com/weblog/?p=562&cpage=1#comment-1178 Neil T. Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1178 The one point I would make is that you were using Java 5 Update 1. Sun have just released Update 2 so you might want to see if they have made the security warning dialog more intuitive. I didn't see it in the changelog though, and you are right in saying that the security wanring's message is too obscure for most users. And that More Details dialog is just scary. The one point I would make is that you were using Java 5 Update 1. Sun have just released Update 2 so you might want to see if they have made the security warning dialog more intuitive. I didn’t see it in the changelog though, and you are right in saying that the security wanring’s message is too obscure for most users. And that More Details dialog is just scary.

]]> By: Donna http://www.edbott.com/weblog/?p=562&cpage=1#comment-1179 Donna Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1179 Symantec's Norton AV detects it as Trojan.ByteVerify. <a href="http://www.dozleng.com/updates/topic4255" rel="nofollow">http://www.dozleng.com/updates/topic4255</a> Symantec’s Norton AV detects it as Trojan.ByteVerify.

http://www.dozleng.com/updates/topic4255

]]> By: Ed Bott http://www.edbott.com/weblog/?p=562&cpage=1#comment-1180 Ed Bott Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1180 Well, the Java 5 Update 1 code was what I was offered by Firefox. After it was installed, Java's Auto-Update module offered me Update 2. And I just tested it - the security dialog box is exactly the same in Update 2. Well, the Java 5 Update 1 code was what I was offered by Firefox. After it was installed, Java’s Auto-Update module offered me Update 2.

And I just tested it – the security dialog box is exactly the same in Update 2.

]]> By: John Hood http://www.edbott.com/weblog/?p=562&cpage=1#comment-1181 John Hood Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1181 ...But the Spywareinfo.com author's question still stands: Why target Firefox? It's a problem for all browsers. …But the Spywareinfo.com author’s question still stands: Why target Firefox? It’s a problem for all browsers.

]]> By: Ed Bott http://www.edbott.com/weblog/?p=562&cpage=1#comment-1182 Ed Bott Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1182 The developers of this exploit are clearly attempting to target Firefox, which has had 25 million downloads since last November and has gained a substantial amount of market share. The applet doesn't run on Internet Explorer. It might run on Opera (I don't have Opera installed here to test it), but Opera has minuscule share. the target is clearly Firefox, and this exploit was developed precisely because Firefox has been successful and because the formerly reliable ActiveX-based methods of installing spyware don't work with it. The developers of this exploit are clearly attempting to target Firefox, which has had 25 million downloads since last November and has gained a substantial amount of market share. The applet doesn’t run on Internet Explorer. It might run on Opera (I don’t have Opera installed here to test it), but Opera has minuscule share. the target is clearly Firefox, and this exploit was developed precisely because Firefox has been successful and because the formerly reliable ActiveX-based methods of installing spyware don’t work with it.

]]> By: Priva http://www.edbott.com/weblog/?p=562&cpage=1#comment-1183 Priva Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1183 >The applet doesn't run on Internet Explorer. Lets keep this clear. Applets run on Java VM IE also uses Sun's Java and practically all XP users have Sun Java installed on their computer. Applet itself runs nicely also with IE and Sun's Java. It is just that Lyricspy site has JavaScript launcher which decides installation method. if (IE) use activeX installer if (Netscape/Mozilla) use Java installer The point is that there is nothing that prevent malicious sites using this applet approach with IE too instead of ActiveX or in cases where ActiveX installation fails. >The applet doesn’t run on Internet Explorer.
Lets keep this clear. Applets run on Java VM
IE also uses Sun’s Java and practically all XP users have Sun Java installed on their computer.

Applet itself runs nicely also with IE and Sun’s Java.

It is just that Lyricspy site has JavaScript launcher which decides installation method.
if (IE) use activeX installer
if (Netscape/Mozilla) use Java installer

The point is that there is nothing that prevent malicious sites using this applet approach with IE too instead of ActiveX or in cases where ActiveX installation fails.

]]> By: Ed Bott http://www.edbott.com/weblog/?p=562&cpage=1#comment-1184 Ed Bott Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1184 Right, Priva. That was my point all along. There is nothing that prevents IE from running this as well. That's not news. But there is nothing that prevents Firefox from running this, and that IS news. Right, Priva. That was my point all along. There is nothing that prevents IE from running this as well. That’s not news. But there is nothing that prevents Firefox from running this, and that IS news.

]]> By: Tim http://www.edbott.com/weblog/?p=562&cpage=1#comment-1185 Tim Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1185 Ed, Thanks for posting this analysis. I came to the same conclusions that you did after first hearing about this exploit. I think it is a very serious security flaw and find it appalling that an applet can execute arbitrary code from a temp directory. The implications or this are that NO target platform or application is immune from this exploit given enough time and energy by the malware authors. Ed, Thanks for posting this analysis. I came to the same conclusions that you did after first hearing about this exploit. I think it is a very serious security flaw and find it appalling that an applet can execute arbitrary code from a temp directory. The implications or this are that NO target platform or application is immune from this exploit given enough time and energy by the malware authors.

]]> By: martinelli http://www.edbott.com/weblog/?p=562&cpage=1#comment-1186 martinelli Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1186 Thank you for the information and the testing. Spyware vendors are looking for all the open doors eh? :^) More important at this point is this. Does the installer work under limited user accounts? Is it able to install enough junk to infect IE or is this only able to happen to power users and above? Thank you for the information and the testing. Spyware vendors are looking for all the open doors eh? :^)

More important at this point is this. Does the installer work under limited user accounts? Is it able to install enough junk to infect IE or is this only able to happen to power users and above?

]]> By: brad http://www.edbott.com/weblog/?p=562&cpage=1#comment-1187 brad Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=562#comment-1187 This is a Java problem. If you do not trust yourself not to <i>click on things</i> (or to clean up after yourself when you do) then you can disable this function. Open the Java Control Panel; choose the "Advanced" tab; expand the "Security" option; clear all of the checkboxes labeled "Allow user to grant...". Make double sure you clear the second such box. This is a Java problem. If you do not trust yourself not to click on things (or to clean up after yourself when you do) then you can disable this function.

Open the Java Control Panel; choose the “Advanced” tab; expand the “Security” option; clear all of the checkboxes labeled “Allow user to grant…”. Make double sure you clear the second such box.

]]>