redemption in a blog
Rails, Firefox, Anime, Mac
Malicious XPIs run executable binaries
In: Mozilla
27 Mar 2004Flexer recently posted his encounter with a website that tried to get him to install a malicious XPI (Firefox extension). Upon the user clicking “Install”, the install.js (the script that performs the actual installation) tries to execute the contained executable, which is xxxtoolbar, as Paradox52525 reports.
Here’s a snippet of the code in the install.js:
initInstall(“Adding a File”,
“addFile”,
“1.0.1.7″,
1);
f = getFolder(“Temporary”);
setPackageFolder(f);
addFile(xpiSrc);
execute(xpiSrc,”",false);
Arthur_Dent breaks down exactly what the XPI and the contained executable does in his post.
Best solution, to me? Verified and digitally signed XPIs are allowed to run without hindrance. For unverified XPIs, warn the user that of that fact, and that the XPI will directly run executable code. Require an extra step of confirmation. That’s what I think at the moment, but there are some pretty good ideas in that thread. It’ll be interesting to see how this is dealt with in the near future.
Follow the discussion on MozillaZine forums.
Update: See relevant bug 238684.
Categories
Archives
- July 2011
- September 2010
- June 2010
- February 2010
- January 2010
- November 2009
- September 2009
- July 2009
- June 2009
- March 2009
- November 2008
- September 2008
- August 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- July 2005
- April 2005
- March 2005
- February 2005
- January 2005
- December 2004
- November 2004
- October 2004
- September 2004
- August 2004
- July 2004
- June 2004
- May 2004
- April 2004
- March 2004
- February 2004
- January 2004
- December 2003
- November 2003
- October 2003
- September 2003
- August 2003
- July 2003
- June 2003
- May 2003
5 Responses to Malicious XPIs run executable binaries
Minh Nguyễn
March 29th, 2004 at 10am
I’m not so sure that David Tenser verifying all the XPIs alone would scale too well. :)
Dark Reflexions
March 29th, 2004 at 11pm
Disappointing
A malicious Firefox .XPI was created I’m just gunna trackback and link you to the blog of a person I know (internet-wise), because his post was very well written. It will be fixed by the Mozilla developement project somehow, but…
Cheah Chu Yeow
March 28th, 2004 at 11am
I’d say a good, trusted authority is good enough. The people at mozdev.org, David Tenser, mozilla.org are possible candidates.
0zone
March 28th, 2004 at 11am
There should be a team that checks packages that are submitted, if the team finds that the packages are ok then they add the file name and md5 of the file to a database that gets checked by the installer. If the installer can’t find the entry then it should display a warning stating that the package could not be verified and ask them if they want to continue (no should be default).
Jesse Ruderman
March 28th, 2004 at 9am
“Best solution, to me? Verified and digitally signed XPIs are allowed to run without hindrance.”
Verified by whom? mozilla.org?