Open
Bug 1169417
Opened 10 years ago
Updated 3 years ago
Please ignore 3rd-party code injected into <fxdir>/browser/components/
Categories
(Firefox :: General, defect)
Tracking
()
UNCONFIRMED
People
(Reporter: ToddAndMargo, Unassigned)
Details
Attachments
(1 file)
|
59.88 KB,
text/plain
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150513174244
Steps to reproduce:
Dear Firefox developers,
Windows 7
FF 38.0.1
I found some junk ware last week that kept reinstalling AVG Search Bar. It even kept writing itself back into prefs.js after I manually removed it (Firefox wasn't running at the time I edited it).
And this one managed not to show up in Firefox's search providers or extensions. But every time you opened a new tab ...
Would please you consider ignoring *.js entries in program files\MozillaFirefox\browser\searchplugins?
I am tagging this a security bug, as the exploit can be user for far nastier things.
Many thanks,
-T
|
||
Comment 1•10 years ago
|
||
Florian/Gavin, how does this tie into our current search hijacking plans?
Flags: needinfo?(gavin.sharp)
Flags: needinfo?(florian)
|
||
Comment 2•10 years ago
|
||
Since bug 1162569 (currently landed for Firefox 41; will probably be uplifted to 40), we no longer load engines from browser/searchplugins by default. I'm not aware of us loading any .js file from that folder though (even before the patch).
Todd, you say you see unwanted things whenever you open a new tab. This should be fixed by bug 1118285, for Firefox 41.
Flags: needinfo?(florian)
|
||
Updated•10 years ago
|
Flags: needinfo?(gavin.sharp)
(In reply to Florian Quèze [:florian] [:flo] from comment #2)
> Since bug 1162569 (currently landed for Firefox 41; will probably be
> uplifted to 40), we no longer load engines from browser/searchplugins by
> default. I'm not aware of us loading any .js file from that folder though
> (even before the patch).
>
> Todd, you say you see unwanted things whenever you open a new tab. This
> should be fixed by bug 1118285, for Firefox 41.
In this instance, AVG Search Bar loaded its Java script from, plugins. It added about 10 entries into perfs.js. When you opened a new tab, you got AVG's garbage, not the tiles. A bad guy could do some real damage with this mechanism. As it stood, it was only obnoxious
|
||
Comment 4•10 years ago
|
||
Todd: can you please upload to this bug (there's an "Add an attachment" link above) the .js files you're finding in ..\browser\searchplugins?
Also, please open the about:support page ("Troubleshooting Information" on the Help menu) and look at the "Important Modified Preferences" section. Let us know if browser.newtab.url shows up in that list, and if so what the contents are (and whether they match what you are seeing when you open a new tab).
If it looks like that pref is the problem then this is the same issue as bug 1118285. If that's not it and it really is .js files in the searchplugins directory then it's something new and we'll probably have more questions.
Flags: needinfo?(ToddAndMargo)
It wasn't in search plugins.
C:\Program Files\Mozilla Firefox\browser\components\avgMozXPCOM.js
I will attach the buzzard with an extra .bin extension
Flags: needinfo?(ToddAndMargo)
|
|
||
Updated•10 years ago
|
Attachment #8613824 -
Attachment mime type: application/octet-stream → text/plain
|
|
||
Comment 7•10 years ago
|
||
This doesn't need to be hidden, this trick is clearly already being used.
If something is able to write into the Firefox installation directory then in the end there's very little Firefox can do to protect itself -- malicious software could simply replace Firefox if it wanted to. We are taking some steps to make simple extension points harder. For example, the default search engine is no longer a preference in builds we'll be releasing soon, and we have a bug filed to do the same with the newtab page.
In theory your security software should set off alarms when a program modifies the installation directory of another program. It's a tricky case when the offending party _is_ your security software. AVG's claim is going to be that this is making you safer by preventing other programs from changing these settings, but clearly these settings are financially advantageous to AVG for the same reasons other programs are trying to change it to settings that benefit them.
Either you trust AVG and you can complain to their technical support that you don't like this aspect of their program, or you don't trust AVG and you should uninstall it completely. If you have uninstalled AVG and this component remains you can manually delete it (they would probably claim "it's a bug" it didn't go away). If there is something still running on your computer restoring this component even if AVG has been uninstalled that's definitely malware/rootkit-like behavior and you should find a different anti-virus company whose software will help you deal with this.
Group: core-security
Component: Untriaged → General
Summary: Please ignore .js in search directory → Please ignore 3rd-party code injected into <fxdir>/browser/components/
|
||
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•