Closed Bug 445455 Opened 16 years ago Closed 16 years ago

The new "Reported Attack Site" fails to stop infection

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 438831

People

(Reporter: eurolite, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0

The new "Reported Attack Site" feature in Firefox 3.0 will block the site and not stop the infection at all.



Reproducible: Always

Steps to Reproduce:
1. MAKE SURE you're running anti-virus software 
2. Go to www.keygen.us
3. Watch your anti-virus software go psycho
Actual Results:  
The attached photo explains it all but it triggered my anti-virus software

Expected Results:  
Completely blocked the site not triggering any virus alerts or potentially infecting the user.

I checked to keep this confidential due to the malicious content contained in this report. If a user tried to replicate this security failure it is possible they may become infected with malicious software. I personally consider this a major issue due to the fact a user may get a false sense of security from the notice of the site being blocked. I am sorry but I cannot report technical data on what exploit is triggering this alarm due to the fact that viewing the source of the blocked page only opens the view-source window with another notice saying it is a "Reported attack site" and the ignore this warning feature fails to work (Inside the newly opened window)(Which I am guessing is another bug all together).
The site mentioned is blocked for me as intended.  I suspect that the antivirus is using a similar list, and is responding to bug 438831.  LiveHTTPHeaders confirms no other traffic.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Group: core-security
(In reply to comment #0)
> (...)
> on what exploit is triggering this alarm due to the fact that viewing the
> source of the blocked page only opens the view-source window with another
> notice saying it is a "Reported attack site" and the ignore this warning
> feature fails to work (Inside the newly opened window)(Which I am guessing is
> another bug all together).

Your guess is right - see bug 435726 (it has "phishing protection" in the title, but underlying mechanisms for phishing and malware "protection" are actually the same).
You need to log in before you can comment on or make changes to this bug.