Closed Bug 1282106 Opened 9 years ago Closed 9 years ago

Suspect ad on various websites displays alert to offer false Firefox update

Categories

(Firefox :: Untriaged, defect)

defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: hraxx, Unassigned)

Details

User Story

Summarizing a bit (2016-10-27)

Malicious ad opens a Firefox-orange page with the headline "Urgent Firefox update". Earlier versions downloaded an .exe, more recent versions download a .js file apparently to evade SafeBrowsing and anti-virus. If you click on the downloaded JavaScript file it will not run in Firefox, it runs in something on Windows (PowerShell? Edge?) that has more privileges than normal web content and can infect the machine.

We don't need more copies of the downloaded payload.

We don't need the HTML code of the malicious ad: it's just social engineering.

We don't need the URL of the malicious ad: those are throwaway domains and constantly change. Registration of those domains is a dead end unless we manage to get law enforcement interested enough to crack the (probably out-of-country) private registrars.

What might help is the origin of the ads, or the ad network, that's opening the page. That might be registered with privacy protection too, but it gets us a step closer.

The next time one of these pops up, rather than copy the URL of the ad use DevTools. On Mac it's command-option-K, Windows might be Ctrl-Shift-K. If the menu is present (might not be on a pop-up) it's on the Tools menu under Web Developer.
* In the console type "document.referrer" and hit enter/return
* In the console type "opener" and hit enter/return.
==> enter those values in a comment on this bug.

I'm kind of hoping for a popup because the opener has a better chance of being useful; too many ways to scrub the referrer. If it's not a popup the opener should be null and won't help.
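A console snippet that gathers what the two manual steps above ask for, as an added example (it is not part of this bug and not Mozilla code): it reads document.referrer and window.opener, tolerates the SecurityError a cross-origin opener throws instead of aborting, and also records whether the page is framed and by which origins, which covers the case raised later in this bug where an ad script simply redirects the window it was loaded in and leaves no opener at all. collectOriginHints takes the window as a parameter so it can be exercised outside a browser with a stand-in object; the location.ancestorOrigins fallback, the "blocked:" marker and the plain-text output format are assumptions of this example.

```javascript
// Added example (not from the bug, not Mozilla code). Paste into the Web
// Console on the orange page, or call collectOriginHints(window) from a
// bookmarklet, and attach the printed text to the bug.

function safeProp(get) {
  // Reading location.href of a cross-origin opener or ancestor throws a
  // SecurityError; keep the error name instead of losing the whole report.
  try {
    return get();
  } catch (e) {
    return 'blocked: ' + (e && e.name ? e.name : String(e));
  }
}

function collectOriginHints(win) {
  const doc = win.document;
  const hints = {
    url: safeProp(() => String(win.location.href)),
    // referrer is easily scrubbed (rel="noreferrer", referrer policy), so an
    // empty value is expected and is recorded explicitly rather than dropped.
    referrer: safeProp(() => doc.referrer || '(empty)'),
    hasOpener: !!win.opener,
    openerUrl: null,
    // A redirect of the existing tab (no popup) shows up as top-level with
    // no opener; a framed lure shows up with ancestorOrigins filled in.
    isTopLevel: safeProp(() => win.top === win),
    ancestorOrigins: [],
  };
  if (win.opener) {
    hints.openerUrl = safeProp(() => String(win.opener.location.href));
  }
  // location.ancestorOrigins exists in Chromium but not in Firefox
  // (assumption: treat it as optional and otherwise walk win.parent, which a
  // cross-origin frame may still do even when reading location is blocked).
  const ao = win.location.ancestorOrigins;
  if (ao && ao.length) {
    hints.ancestorOrigins = Array.from(ao);
  } else {
    let w = win;
    while (w !== w.parent) {
      w = w.parent;
      hints.ancestorOrigins.push(safeProp(() => w.location.origin));
    }
  }
  return hints;
}

// Plain text, one field per line, suitable for pasting into a bug comment.
function formatHints(hints) {
  return Object.entries(hints)
    .map(([k, v]) => k + ': ' + (Array.isArray(v) ? (v.join(', ') || '(none)') : String(v)))
    .join('\n');
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  console.log(formatHints(collectOriginHints(window)));
}
```

The opener is the more useful of the two values, as the User Story says: referrer can be removed by the ad's own markup, but opener.location, even when it throws, still proves a popup relationship, and the ancestor walk shows whether the lure arrived inside an ad frame rather than by redirecting the tab.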

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506

Steps to reproduce:

Got a full screen orange colored ALERT, supposedly from Firefox - https address but did not click on it. Went to your website direct which said my version was up-to-date. THIS LOOKS REALLY BAD; hope you can straighten it out.
Any screenshot of the alert pop-up? Are you sure your computer is not infected by malware? https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware
Flags: needinfo?(hraxx)
I can't give a screenshot as it is gone and was NOT in History. I checked for Malware, etc - no problems. My point in contacting you only to report the issue and alert you and since no-one else has reported it I guess we can forget about it.
Without at least a screenshot of the pop-up in question, or at least a URL of the page that generated the pop-up, we really can't do anything. Could you please keep an eye out for pages that you have visited that might have caused this and report back when you have something (a screenshot or a URL)?
Flags: needinfo?(hraxx)
This is a scam tactic trying to trick users into installing malware. The thread at https://support.mozilla.org/questions/1129014 contains a screenshot of what this looks like. Another affected user on sumo suspected that this was triggered by ads while playing Farmville - reporter, might this be the case for you as well?
James, can you help us pass this along to someone within Zynga? We have multiple reports from users about this and it may be Farmville (ad) related. Thanks!
Flags: needinfo?(jgregory)
The screenshot someone else posted is the same one I saw. I might have accidentally clicked on some ad, and the "warning" came up. I don't know where it came from and I haven't seen it again. (I do not play computer games)
Will follow-up internally and see what I can find. Thanks for the report.
Attached image Fake Update
Summary: Firefox URGENT ALERT??? 12:40 pm edt → Suspect ad on various websites displays alert to offer false Firefox update
Hi, can we please get more context behind this? Is there any geo data indicating where the ad was shown? Is there a list of affected users, or at least a count of them? Any info would be helpful in narrowing this down to a single ad provider.
If we could get someone who is currently reproducing this issue to provide a screen shot of the ad on the page and/or the "Inspect Element" log that shows which ad network it comes from, that would be ideal.
This is clearly well and truly in the wild and will presumably be affecting a sizeable portion of our userbase.

We now have dozens of reports as questions on Sumo, many with URLs. Many different sites appear to be responsible for generating these links. Some are news sites & one report mentioned reddit. A lot of this is tabulated in the sumo contributors thread https://support.mozilla.org/en-US/forums/contributors/712056

Several of the resultant files have been uploaded to virustotal. There will be several screenshots on sumo.

(In reply to Matt Samet from comment #11)
> If we could get someone who is currently reproducing this issue to provide a
> screen shot of the ad on the page and/or the "Inspect Element" log that
> shows which ad network it comes from, that would be ideal.

Matt, can you please explain in steps suitable for Sumo how a user seeing this should obtain the "Inspect Element" log?

The urls appear to be personalised; they are not of use to contributors reading these sumo questions or for reporting to the likes of virustotal.com. Some of the .exe files have been reported to and scanned by virustotal.com.
From what is so far a single sumo post we may now also have a *.js* version.

Sumo post
> https://support.mozilla.org/questions/1130586
> Is "firefox-patch.js" from "nichufreevectordownload.net" legitimate?
An extract of a third party report on this issue (from https://blog.barkly.com/fileless-malware-kovter-posing-as-firefox-update )

> .... drive-by-download — after visiting an infected website they had been tricked into
> installing malware that was masquerading as a legitimate Firefox browser update.
>
> Analyzing the malware, we discovered it was a new variation of Kovter,
> a malware family known for hijacking computers, installing remotely upgradable access trojans,
> executing click-fraud campaigns, and even executing some ransomware.
>
> What makes this new variant particularly nasty is that it's the later fileless version of Kovter,
> and it's now using an apparently legitimate certificate

The original article includes further links in the above quoted text. I am not trying to spam the bug with irrelevant information, just trying to indicate this is a genuine malware issue.
Hi John, On https://support.mozilla.org/en-US/questions/1129134, there's a user "cabinettags" who mentions seeing the malware in a FarmVille2 ad displayed on ZyngaGames.com, not on Facebook. If this user (or any other affected users) could tell us what the ad URLs are, that would be helpful. They would need to right-click on the ad image, choose "This Frame -> View Frame Info", and copy/paste the following info: General tab: Address (URL) Media tab: Location (URL) of each item in the list of media in that frame. This will help us isolate the affected ad networks so we can contact them and inform them of the malware. Thanks!
To be clear: the URL of the fake update page (as in attachment 8766521 [details]) does not help us. Those seem to be throw-away domains that come and go quickly. We want the URL of the ad which spawned this page, but that can be difficult to figure out (it might not be visible, it might only be a script, that page might be closed and when you go back you get a different ad).

As a "Product=Firefox" bug there's not much we can do to prevent this. Everything this attack does up to and including prompting users to save a downloaded file is something that legitimate sites do all the time. The Firefox dressing is a "social engineering" tactic to convince people to ignore safe-internetting rule #1 -- don't save and open/run unsolicited files!

There have been some reports that Windows Defender and other anti-virus products have blocked the downloaded file as malware, but that's a cat-and-mouse game. The attackers can keep tweaking their file and stay ahead of detection for enough victims to be worth the effort.

Starting in Firefox 48 we have enabled a feature to detect and warn users about "Potentially Unwanted Programs" (PUP) -- bug 1265359. It would be interesting to see if anyone running Beta has gotten these ads or not, and try to distinguish between the various possibilities:
a) Beta folks report getting fake updates, but that there IS a PUP warning (yay -- progress!)
b) Beta folks have gotten fake updates just like Release users: without warning (uh oh -- need to investigate PUP feature for bugs)
c) no reports from Beta users (inconclusive: not enough beta users? campaign actively avoiding builds with PUP feature?)
Component: Untriaged → Application Update
Product: Firefox → Toolkit
Just to verify, is there anything to do in the app update component for this bug? It seems like this is a malware website that uses the word update in the web page to fool people into installing malware.
Reported by mkaply:

visit http://www.chicagotribune.com/ with no ad-blocker, refresh multiple times, allow page to load.

eventually you will redirect to something like
https://wegoobackonpointe.org/3061147806634/cff2b213dc4b8a53659ab79ac1bfef67.html

This appears to be an ad by checkm8.com
And yeah, I'm not sure why this is in toolkit, it has nothing to do with the updater. If anything it is a legal thing. There may be a bug in Firefox we need to fix but I'm not sure. I have the .js file this page tries to load if anyone wants to inspect it.
Status: UNCONFIRMED → NEW
Component: Application Update → General
Ever confirmed: true
Product: Toolkit → Firefox
Version: 47 Branch → unspecified
(In reply to Tyler Downer [:Tyler] from comment #21)
> And yeah, I'm not sure why this is in toolkit, it has nothing to do with the
> updater. If anything it is a legal thing. There may be a bug in Firefox we
> need to fix but I'm not sure.

So if we're not sure, it shouldn't be marked new and it should be in untriaged, not general. In any case, even if we found a Firefox bug I probably wouldn't want it fixed in here, I'd file a dep.

> I have the .js file this page tries to load if anyone wants to inspect it.

Just attach it and mark the attachment private? If you don't have access to those flags, please email the file to me in an encrypted (password'd) zip file.
Status: NEW → UNCONFIRMED
Component: General → Untriaged
Ever confirmed: false
Flags: needinfo?(tdowner)
Flags: needinfo?(tdowner)
(In reply to :Gijs Kruitbosch from comment #22)
> (In reply to Tyler Downer [:Tyler] from comment #21)
> > I have the .js file this page tries to load if anyone wants to inspect it.
>
> Just attach it and mark the attachment private? If you don't have access to
> those flags, please email the file to me in an encrypted (password'd) zip
> file.

Is this file the only file? It has Windows Script stuff - it wouldn't work if executed in the browser, I think not even in MSIE (though I haven't verified that). How is the page running it?

(In reply to Tyler Downer [:Tyler] from comment #20)
> Reported by mkaply,
>
> visit http://www.chicagotribune.com/ with no ad-blocker, refresh multiple
> times, allow page to load.
>
> eventually you will redirect to something like
> https://wegoobackonpointe.org/3061147806634/cff2b213dc4b8a53659ab79ac1bfef67.html
> This appears to be an ad by checkm8.com

Of course by now this is no longer online. :-(
Flags: needinfo?(tdowner)
We still get hundreds of reports at sumo. Affected sites have varied; cnn.com & bleachereport.com were mentioned today but I could not reproduce on those sites. Some users are commenting on the code on Sumo, and such users may be able to send copies if required.

Some posts on sumo that may be potentially helpful as points of contact
https://support.mozilla.org/en-US/forums/contributors/712056?page=3#post-69652
https://support.mozilla.org/en-US/forums/contributors/712075#post-69647
https://support.mozilla.org/en-US/forums/contributors/712056?page=3#post-69649

Are others in this bug able to find STR & any files they need, or is further info required? If so, what information should we try to obtain from those seeing this issue?

(In reply to Matt Samet from comment #16)
> Hi John,
> ....
> If this user (or any other affected users) could tell us what the ad URLs
> are, that would be helpful.
> They would need to right-click on the ad image, choose "This Frame -> View
> Frame Info", and copy/paste the following info:
> General tab: Address (URL)
> Media tab: Location (URL) of each item in the list of media in that frame.
>
> This will help us isolate the affected ad networks so we can contact them
> and inform them of the malware.
>
> Thanks!

I am not even certain users seeing this issue actually see any ad where they can get frame information.
(In reply to John Hesling [:John99] from comment #24)
> We still get hundreds of reports at sumo. Affected sites have varied cnn.com
> & bleachereport.com were mentioned today but I could not reproduce on those
> sites. Some users are commenting on the code on Sumo, and such users may be
> able to send copies if required.
>
> Some posts on sumo that may be potentially helpful as points of contact
> https://support.mozilla.org/en-US/forums/contributors/712056?page=3#post-69652
> https://support.mozilla.org/en-US/forums/contributors/712075#post-69647
> https://support.mozilla.org/en-US/forums/contributors/712056?page=3#post-69649
>
> Are others in this bug able to find STR & any files they need or is further
> info required.
> If so what information should we try to obtain from those seeing this issue ?

TBH, based on those threads, I don't see what we can do besides figuring out what ad-network has been compromised / is being used. We could try to chase down e.g. the free cert that was used ( https://crt.sh/?q=caihusamillionaire.org ) but I would imagine it's a throwaway email account of some description, and the whois for the domain is whoisguarded. By the time that you've gone through legal proceedings to find out who's behind it all I'd imagine we're well into 2017.

As for Firefox's own security: the site is obviously malicious in terms of intent, but it doesn't look like it exploits anything besides phishing: it prompts the user to download and run an executable or a Windows Scripting file (the one I was asking questions about in comment #24). The JS file has unused 'salt' in it that isn't an operative part of what it does, but does live in the code, and I would fully expect the salt to be random so checksum-based checks on the file would not detect it (meaning it'd be hard to detect with e.g. the google malware list stuff). If the user does download and run the file (not in Firefox, but on Windows), game over.
(In reply to :Gijs Kruitbosch from comment #25)

Thanks for the reply. Anyone happen to know if this issue is being discussed elsewhere in Mozilla besides Sumo? Clearly we don't want to waste people's time discussing this unnecessarily in a bug. This is not going to do Mozilla's reputation any good and is targeting & likely to harm Firefox users. Maybe more education and blogging about this would help, or as someone on Sumo suggested produce a snippet about the issue which some users will then see on their home pages.

> If the user does download and run the file (not in Firefox, but on Windows), game over.

Interestingly it seems far from game over when it is downloaded and Run. I do not notice posts about massive problems or the ransomware from some that have run this fake update. That makes me wonder if it could be a rehearsal or a ticking time bomb that will be activated at a later date, possibly once more are infected. That of course is just speculation.

(In reply to John Hesling [:John99] from comment #24)
> ...
> (In reply to Matt Samet from comment #16)
> > Hi John,
> > ....
> > If this user (or any other affected users) could tell us what the ad URLs
> > are, that would be helpful.
> > They would need to right-click on the ad image, choose "This Frame -> View
> > Frame Info", and copy/paste the following info:
> > General tab: Address (URL)
> > Media tab: Location (URL) of each item in the list of media in that frame.
> >
> > This will help us isolate the affected ad networks so we can contact them
> > and inform them of the malware.
> >
> > Thanks!
>
> I am not even certain users seeing this issue actually see any ad where they
> can get frame information.

Someone who has seen this issue did mention on Sumo
https://support.mozilla.org/en-US/forums/contributors/712056?page=3#post-69659
> No frames. No ads. No popups.
> None of the things that you would typically expect to see malware come from.
> It's Just a blatant redirect of the existing open tab.
> Once you are fed to this random site, you are prompted to download a JS file.
(In reply to John Hesling [:John99] from comment #26)
> Someone who has seen this issue did mention on Sumo
> https://support.mozilla.org/en-US/forums/contributors/712056?page=3#post-69659
> > No frames. No ads. No popups.
> > None of the things that you would typically expect to see malware come from.
> > It's Just a blatant redirect of the existing open tab.
> > Once you are fed to this random site, you are prompted to download a JS file.

One possible (dare I say likely) reason would be that the JS loaded to present an ad actually redirects the window it's loaded in. It would be difficult to figure out which ad did that after the fact. :-(
All this page tries to do is get you to download the .js file. I'm not sure if that is a bug on the page's side; it was giving users an .exe to download and run but that was being caught by anti-virus, so maybe this is their way of trying to work around it.
Flags: needinfo?(tdowner)
The fact that it's a JS file means it's not going to be run through our download protection checks: https://dxr.mozilla.org/mozilla-central/rev/4c05938a64a7fde3ac2d7f4493aee1c5f2ad8a0a/toolkit/components/downloads/ApplicationReputation.cpp#387-425 until bug 1213459 is fixed.
This attack is still going around, the most recent report we've seen is on http://finance.yahoo.com
Very definitely still active[3]. Dozens[1] of reports per week on Sumo; one single thread[2] is approaching 9000 views, which exceeds the 3000+ views on our KB article. But that is dwarfed by a malvert site having a 47k views spike on the 18th.

[1] I tagged some of the questions I came across to make them easier to find. This is the tag search
https://support.mozilla.org/questions/firefox?tagged=bug1282106&show=all

[2] This thread currently has 44 votes this week. It shows as having been viewed 8764 times
> Urgent Fire Fox Update Notice
> https://support.mozilla.org/questions/1129758

[3] An active site for a few days very recently was https://afahshowtosay.net & sportsplays.com with a Sumo contributor "cliffontheroad" commenting
> Another interesting thing with sportsplay/gwtennille is the site went from 0 to 47K visits on the 18th.
> https://support.mozilla.org/en-US/forums/contributors/712056?last=69997&page=5#post-69997

That included a link to a third party forum on the subject
> Another site/blog reported a unique one (prob unregistered by now) but it has another pix of that unique orange screen:
> http://support.proboards.com/thread/589765/got-forwarded-eitoodomain-attempted-download?page=2&scrollTo=6792487
Now turning up on courant.com . Has anyone tried to figure out what ad network is (networks are) running these?
courant.com is the Hartford Courant, which is owned by Chicago Tribune. In addition to the screenshot I sent today, I have prior screenshots which show other urls if needed.
(In reply to :Gijs Kruitbosch from comment #36)
> Now turning up on courant.com .
>
> Has anyone tried to figure out what ad network is (networks are) running
> these?

We have a long list of the URLs that are reported on Sumo. Additionally we have many reports showing the sites that users think these come from and some posts mentioning the ad networks that could be involved.

If you need us to look out for specific information or take specific action please let us know. However in many cases others do not see these fake updates, and when it is seen it may be only for a day or so. Any instructions need to be simple and easy for a naive user to be able to complete. For instance asking someone to use a bookmarklet may be both possible and practicable, whilst long complex instructions will not get followed. On the other hand those contributors able to reproduce this will be much more helpful. We certainly have one contributor on sumo who seems to be able to reproducibly see these fake updates on various sites. See for instance these posts from "cliffontheroad":
https://support.mozilla.org/en-US/questions/1129758?page=3#answer-914063
https://support.mozilla.org/en-US/forums/contributors/712056?last=70106&page=5#post-70005
(In reply to John Hesling [:John99] (NeedInfo me) from comment #38)
> (In reply to :Gijs Kruitbosch from comment #36)
> > Now turning up on courant.com .
> >
> > Has anyone tried to figure out what ad network is (networks are) running
> > these?
>
> We have a long list of the URLs that are reported on Sumo. Additionally we
> have many reports showing the sites that users think these come from and
> some posts mentioning the ad networks that could be involved.
>
> If you need us to look out for specific information or take specific action
> please let us know.

The problem is not knowing end-sites where this happens, the problem is knowing how the script that opens the window that offers the update download gets onto that site. We can be reasonably sure that yahoo.com and courant.com aren't *knowingly* serving users malware. The problem is likely that one of the scripts that gets included into their site in order for it to serve ads is opening these windows. Alternatively, this may be a symptom of existing malware on the machine or in an add-on these users have downloaded, but that seems less likely at this point.

> However in many cases others do not see these fake updates and when it is
> seen it may be only for a day or so. Any instructions need to be simple and
> easy for a naive user to be able to complete. For instance asking someone to
> use a bookmarklet may be both possible and practicable, whilst long complex
> instructions will not get followed. On the other hand those contributors
> able to reproduce this will be much more helpful.

Saving the page that pops up the fake update screen (not the markup of the update screen, but of the page that creates it) using ctrl-s (cmd-s on osx) and saving it once as "web page, complete" and once as "web page, HTML only", and uploading both of those as zip files (including the <pagename-you-enter-in-save-dialog>_files directory) onto this bug might help.

It's hard to be sure or give detailed instructions when we don't know exactly how the webpage is opening the window. If the update thing is now redirecting the main tab as loaded (which seems to be what some users are suggesting/experiencing) then the only thing that'll really help make sense of what's happening is a network trace from wireshark, or detailed screenshots of the firefox network console that provide similar information.
Commentary; later I will supply the source code of the orange screen, the suspected reason there are near no repeats, whois registering (person and firm) and some routing information. These are going to be my ruff (rough) notes. Also what machines are still up but not giving the orange screen, and again, perhaps why. If this is not a good idea, please inform me ASAP. There is interest here (thanks john for moving info here from perhaps the wrong pages on support) but I'm afraid that too much public info will just cause the bad guys to hide better. But no, I don't know who dem are, and requests for info from some companies involved have flown like the Hindenburg.
The orange-screen on 9/2/16 via "view-source". This of course was modified for my machine before xmission, hence the hard coded values would differ from someone else's IMO.

https://oowiibenessere.net/2641815562835/59f7e28dfb7e8854c3bb793d8b2f0460.html

<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js"> <!--<![endif]-->
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title></title>
  <meta name="description" content="">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="/PR1-2/css/normalize.css">
  <link rel="stylesheet" href="/PR1-2/css/main.css">
  <link href='https://fonts.googleapis.com/css?family=Open+Sans:400,300' rel='stylesheet' type='text/css'>
  <script src="/PR1-2/js/vendor/modernizr-2.6.2.min.js"></script>
</head>
<body>
  <div class="container">
    <h1>Urgent Firefox update</h1>
    <a class="btn" href="/2641815562835/1472830138784070/firefox-patch.js">Download Now</a>
  </div>
  <script>window.jQuery || document.write('<script src="/PR1-2/js/vendor/jquery-1.10.2.min.js"><\/script>')</script>
  <script src="/PR1-2/js/plugins.js"></script>
  <script src="/PR1-2/js/main.js"></script>
  <script>
    setTimeout("location.href = '/2641815562835/1472830138784070/firefox-patch.js';", 1000);
  </script>
</body>
</html>
Could something be in our face and we not see? As a scientist for PICK/MultiValue/Mentor OS (DBMS?) at ADDS/NCR I would often do a 'what if' during alpha testing. View-Source on FF is used a lot recently. Sometimes I invoke the subroutine calls within a program then do the VS.

https://fonts.googleapis.com/PR1-2/js/vendor/modernizr-2.6.2.min.js was followed by view-source:chrome://browser/content/newtab/newTab.js and also view-source:about:newtab and also view-source:chrome://browser/content/newtab/newTab.js and also view-source:chrome://browser/content/contentSearchUI.js in unknown order and maybe not all and I may have (or had to) do an HTTP prior to the VS. WHY are the http "calls" (my word) in the orange page?

Using DuckDuckGo search engine has produced some information INCLUDING http://support.proboards.com/thread/588105/malicious-redirect-happening-forum-banner?page=1 There is a copy of my previous posting of source code, but different.

I was going to ask if there was a reason/pattern for the n1 slash n2 where n2 varies by 10. Might the bad guy have the n1 folder in his machine and the n2 file (we called them items) be important? The real-time analysis routines know when pages/items are accessed and maybe the n2 item gets deleted or changed so we can not get to the orange screen again.

Please, someone who knows what the heck they are doing, take up this bug, or get to the ear of http://googleapis.com to figure out if this hijacking can be stopped. Today FF, tomorrow the world.
I've seen this on a page that only had a google ad iframe; I presume they're selling the ad that causes this via multiple networks and all sorts of 'shells', and it looks innocuous initially to avoid their ads getting blocked by any automated checks by the ad networks. We have captured at least a few copies of the HTML and JS.
I think we should publicly campaign for the use of adblockers until ad networks can get their act together and root out such bad actors. This is happening unimpeded for months now & hurting publishers as well, since users get redirected from the page they are visiting...
What is known (suspected?) so far by me follows. I had posted it in a support forum but removed same but for here, some expansion.

Orange screen is NOT reproducible on the same day. The URL of the target site, which surely would be helpful to them, includes #1/#2 and probably is tracked by the orange screen so as to cause reentry to fail (one orange screen per day allowed and if you go there again you just timeout.)

The site the user was on B 4 the orange screen is helpful in isolating the root cause but vales/curtains/secrets by companies will prevent disclosure of who the bad guy is.

We (?) are unsure what gets downloaded when the user approves the phony upgrade, nor what may follow someday. Think 'bootstrap.' Maybe if you aren't a bank or nuclear facility, the bad guys won't care.

The fault lies everywhere or should I say with many companies. The registration of the orange screen, and the network/ISP/who owns the server; it is not in THEIR interest in solving this. (two were contacted) The web site visited will probably deny knowledge or involvement, as they are mainly concerned with advertising income IMO. Can you say "stonewall?" and 'not our fault' and 'send example.' The companies that 'wholesale' the ads, or middleman ads from several companies, do not check well enough, as well as making it harder because it is not one trackable ad per web page. And that web site may use multiple middlemen (ad agencies) too. The last fault is the tools available from places such as Google & Microsoft (and the middleman advertisers) which dissect you (without your name), your preferences/history, and can send targeted or specialized ads to certain groups or locations. Moatads, doubleclick, outbrain are but 3 sites of the many that have tools and affect what you see. They are more interested in being able to tell their clients how many people who saw their ad were wearing green underwear than (omission on purpose.)
They have gotten smarter and their tools more powerful over time. The earliest example of this flaw was reported in 2013. When you visit a web site, watch all the URL's flashing on the bottom left of your screen. Dozens / hundreds. Page 1 runs/calls pgm 2 which might run/call pgm 3. These are 'nested.' But page 1 has already begun running other "subroutines" (ie, program 4) without waiting for the results of pgm2 because it is possible. Since the orange screen is always associated with an ad (one?), somewhere the decision is made to jump to the orange screen if you weren't there today already. If you have been, the response is probably "no ad for him/her. Go pick another one" and you will waste the rest of your day trying as the web page displays any benign ad.

When the site is disabled (daily), the registering company does not collect their fee but one, so far, seems to have no interest in preventing a new URL tomorrow, which will thus allow more 'orange screens' to users.

More rambling by me will follow. I just didn't want the above notes lost in case I get hit by a bus. Yet if movies such as TRON are a reality, even this will disappear when all computer records of me do too. LOL

Disputing John99's post, and a sad thing is, I have NOT reproduced the problem or even seen an orange screen since July. What I changed in my machine I'm not sure, but an adblocker was NOT one of them. Perhaps my machine configuration and location is checked by the orange-screen-people and return a 404. https://support.mozilla.org/en-US/questions/1129758
I've asked RyanVM for advice on this and we both believe that there isn't anything more we can do for this issue from QA's point of view. This seems to be an ongoing security issue, do we need to escalate? The last report of the issue being experienced is 3 days ago. https://support.mozilla.org/en-US/questions/1129758
Flags: needinfo?(jgriffiths)
(In reply to Ciprian Muresan [:cmuresan] from comment #48) > I've asked RyanVM for advice on this and we both believe that there isn't > anything more we can do for this issue from QA's point of view. > This seems to be an ongoing security issue, do we need to escalate? > > The last report of the issue being experienced is 3 days ago. > https://support.mozilla.org/en-US/questions/1129758 I'm not sure why I'm needinfo'd here. What specifically do you want me to do or what questions do you need answers for?
Flags: needinfo?(jgriffiths) → needinfo?(ciprian.muresan)
We discussed this bug during our visit to Romania and Benjamin said at the time that we probably needed to escalate this with the product team to figure out what the next steps are for this ongoing issue.
Flags: needinfo?(ciprian.muresan) → needinfo?(jgriffiths)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #50)
> We discussed this bug during our visit to Romania and Benjamin said at the
> time that we probably needed to escalate this with the product team to
> figure out what the next steps are for this ongoing issue.

Sorry, I'm going to repeat myself: I'm not sure why I'm needinfo'd here. What specifically do you want me to do or what questions do you need answers for? Is there some analysis we've made in the 50 comments on this bug that you want a decision on?

dveditz says this: "As a "Product=Firefox" bug there's not much we can do to prevent this."

I'm unsure how to proceed, asking Dan if he has advice.
Flags: needinfo?(jgriffiths) → needinfo?(dveditz)
In the short run we could compare download names to "firefox_patch.js" and block them, but the ads could work around that before we get such a change out of beta. Bug 1213459 ought to help, too. Francois: what would it take to finish out that bug? Or did the changes in bug 1291472 do enough? That was uplifted to Fx 49, has anyone seen these ads in Firefox 49 or 50? Is there some way to see the version of SUMO commenters? The folks in the linked thread usually don't say what version they have.
User Story: (updated)
Flags: needinfo?(dveditz) → needinfo?(francois)
You can see the useragent from people asking a question at sumo by expanding the question details section on the right and clicking on "more system details". And yes, users on 49 are still affected by this issue - it is a popular topic on all our support channels.
If bug 1291472 didn't have much of an impact, then bug 1213459 isn't going to help. Note that this bug was about blocking the fake firefox update after it's been _downloaded_, not about blocking the offending ads / landing pages. It's possible that it's working in terms of keeping our users safe even though it's not blocking the bad pages.
Flags: needinfo?(francois)
If there was some way to block the iframe from navigating the main document/page, that would restrict them into their little iframe. I.e. <iframe sandbox>. However, part of the problem is that real ads inherently *want* to navigate you. Generally the difference is however that you click on an ad to cause navigation. Perhaps <iframe sandbox="allow-scripts allow-forms allow-popups-to-escape-sandbox"> is what the networks (or rather the sites embedding the networks) should use. For that matter, the networks should force sites embedding their content to use that, OR they should iframe themselves that way. This *would* mean that ads could only redirect you via a popup, not navigating away from the current page (of course).
Flags: needinfo?(dveditz)
I advised softvision QA that Firefox PMs need to decide if there are any next steps on this bug: I don't believe there are in-product engineering steps that are reasonable, so I see the following options:
* escalate with safe browsing
* escalate with legal/BD to protect our brand
* close this bug INCOMPLETE

I think Jeff you are the right person to decide the disposition of this bug. There is nothing more that the QA teams can do with it, and we don't want to leave it in Untriaged without a decision-maker.
Flags: needinfo?(jgriffiths)
(In reply to Randell Jesup [:jesup] from comment #55) > If there was some way to block the iframe from navigating [...] We could give ad networks more tools like that, for example prevent the innermost ad content from any navigating at all. The ad registers its target URL with the network when the ad is purchased (or a set of urls) and then on the appropriate event (usually a click) postMessage() to the container "go to url #2" or whatever. That's a long play that depends on the ad ecosystem changing, and not the solution to this particular bug.
Flags: needinfo?(dveditz)
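As an added example (not code from this bug, from Mozilla, or from any ad network), here are the two container-side controls floated in comments #55 and #57, in JavaScript. Part 1 audits the sandbox attribute on the ad iframes in a page fragment and reports whether each frame could still navigate the top-level page; it also flags that allow-popups-to-escape-sandbox has no effect unless allow-popups is present. Part 2 is the postMessage handler for the "ad asks the container to go to registered URL #n" design: it checks the sender's origin and only ever opens a URL from the list registered for that ad. The function names, the message shape (`{type: 'navigate', index}`), the ads.example / advertiser.example origins and the sample markup are all assumptions constructed for the example.

```javascript
// Added example (not code from the bug or from Mozilla): container-side controls an
// embedding site can put around an ad slot. Part 1 audits iframe sandbox attributes
// (comment #55); Part 2 is the "navigate to a registered URL" postMessage handler
// sketched in comment #57. Function names, origins and the message shape are assumptions.

// Sandbox tokens defined by the HTML spec; browsers ignore tokens they do not know.
const KNOWN_SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Split a sandbox value into known and unknown tokens (ASCII case-insensitive,
// separated by ASCII whitespace).
function parseSandbox(value) {
  const tokens = new Set();
  const unknown = [];
  for (const raw of value.split(/[\t\n\f\r ]+/)) {
    if (raw === '') continue;
    const t = raw.toLowerCase();
    if (KNOWN_SANDBOX_TOKENS.has(t)) tokens.add(t); else unknown.push(t);
  }
  return { tokens, unknown };
}

// Report what a frame with this sandbox value may do; null means the attribute is absent.
function auditSandbox(value) {
  const warnings = [];
  if (value === null) {
    warnings.push('no sandbox attribute: the frame may navigate the top-level page');
    return { sandboxed: false, canNavigateTop: true, canOpenPopups: true, warnings };
  }
  const { tokens, unknown } = parseSandbox(value);
  const canNavigateTop = tokens.has('allow-top-navigation') ||
                         tokens.has('allow-top-navigation-by-user-activation');
  const canOpenPopups = tokens.has('allow-popups');
  if (canNavigateTop) warnings.push('allow-top-navigation*: the ad can redirect the whole page');
  if (tokens.has('allow-popups-to-escape-sandbox') && !canOpenPopups) {
    warnings.push('allow-popups-to-escape-sandbox has no effect without allow-popups');
  }
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    warnings.push('allow-scripts + allow-same-origin: same-origin content could drop its own sandbox');
  }
  for (const u of unknown) warnings.push(`unknown token ignored by browsers: ${u}`);
  return { sandboxed: true, canNavigateTop, canOpenPopups, warnings };
}

// Read one attribute from an iframe's attribute string: '' = present but valueless, null = absent.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+)))?`, 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? '';
}

// Audit every <iframe> in a page fragment (regex-based; enough for the constructed sample).
function auditAdSlots(html) {
  const results = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const sandbox = attr(m[1], 'sandbox');
    results.push({ src: attr(m[1], 'src'), sandbox, ...auditSandbox(sandbox) });
  }
  return results;
}

// Part 2: the ad's click-through URLs are registered with the network up front and the
// creative asks the container to navigate instead of doing it itself. The container checks
// the sender's origin and only opens a URL from the registered list.
function createNavigationHandler(registeredUrls, adOrigin) {
  return function resolveNavigation(event) {          // event: { origin, data }
    if (event.origin !== adOrigin) return null;        // message from something else: ignore
    const msg = event.data;
    if (!msg || msg.type !== 'navigate' || !Number.isInteger(msg.index)) return null;
    if (msg.index < 0 || msg.index >= registeredUrls.length) return null;
    const url = registeredUrls[msg.index];
    return /^https?:\/\//i.test(url) ? url : null;     // registered list is http(s) only
  };
}

// Constructed sample page: slot 1 has no sandbox, slot 2 uses the tokens from comment #55.
const SAMPLE_HTML = `
<div class="ad"><iframe src="https://ads.example/slot1"></iframe></div>
<div class="ad"><iframe sandbox="allow-scripts allow-forms allow-popups-to-escape-sandbox"
  src="https://ads.example/slot2"></iframe></div>`;

if (typeof window !== 'undefined') {
  // Browser wiring (not executed under Node): open a popup, never navigate the top page.
  const resolve = createNavigationHandler(['https://advertiser.example/landing'], 'https://ads.example');
  window.addEventListener('message', (e) => {
    const url = resolve(e);
    if (url) window.open(url, '_blank', 'noopener');
  });
} else {
  for (const slot of auditAdSlots(SAMPLE_HTML)) console.log(slot.src, slot.warnings);
}
```

Run under Node it prints the warnings for each slot of the constructed page; the first slot is reported as able to redirect the whole page, the second is not. The design choice in Part 2 is that the creative never holds a URL at all: it only names an index into a list the network already vetted, so a compromised or swapped creative cannot pick the destination.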
After chatting with François I'm closing this bug as wontfix. We're doing work to improve cases like this in other bugs, and in that light there doesn't seem to be much to do here.

Two things about this sort of issue stick out to me:
* inherently resolving this sort of thing is a whack-a-mole-esque process until ad networks and the web platform in general make significant changes
* the workaround is simple: either install an ad-blocker such as ublock or enable tracking protection (perhaps by installing Test Pilot and the "Tracking Protection" test pilot experiment): https://testpilot.firefox.com/experiments/tracking-protection
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jgriffiths)
Resolution: --- → WONTFIX
(In reply to Benjamin Smedberg [:bsmedberg] from comment #56)
> * escalate with safe browsing

I have talked to Google about this and they are aware of this malware campaign (it also affects other browsers). They are doing what they can, but there are limits to what a blacklist-based system can do when it comes to blocking malicious ads.

We are working on implementing the next version of the Safe Browsing protocol (bug 1167038) which should increase the list update frequency. It's not going to solve the problem, but it should reduce the amount of time that the malicious ad can live on the same domain.
FYI, they've started doing it to Chrome too: http://www.nerdjargon.com/2017/01/distractifycom-serving-up-malware.html And oddly, the guy who registered the domain didn't anonymize. The person who registered this domain is the same one who registered the domain for the popup I just got on Firefox (wohzairbsevens.com).
Flags: needinfo?(jgregory)
Flags: needinfo?(hraxx)
What a surprise to get an update after 2 years. I had accepted the WONTFIX decision back then. However, I have not seen the orange screen in at least a year, and many updates to Firefox in 2 years. I had not installed any of the suggested blocking software, hence one might guess the malware (?) group got tired, or infected my machine and didn't need to, or my letter writing campaign to web sites against allowing third-party ads was successful. I don't visit Yahoo any more, but they were notorious (sp?) for revolving ads without tracking which ads took that 'left turn' (ie didn't display an ad but put a 'branch to the malware site' into the FF stack (after a 5 minute pause sometimes)).

The only abnormality I see now is 'U R runing an old version of video software' but I will never take a web site's advice and download their plugin code ever again.

When I said maybe my machine is infected, I can cite the 10 percent of data transmission of most anything I receive, and the 50 percent CPU activity when I have just a blank page on FF but I'm using Windows 7 and blame the noticeable slow down on programmers doing what in the Pick MultiValue OS world was known as disk-read-ahead. Akin to 'we got this for you thinking you'll want it later' when in Reality (TM), I didn't. I'm too old to get back into programming, and Big Brother seems to be Google these days. Too old to fight too. LOL