User seeing "Critical Firefox Update" window which attempts to download update file called firefox.patch.js




11 months ago
11 months ago


(Reporter: Alice Weiss, Unassigned)


51 Branch

Firefox Tracking Flags

(Not tracked)



(1 attachment)



11 months ago
Created attachment 8843735 [details]
Firefox Critical Update.jpg

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

I opened Firefox and browsed to a news website.  A new tab opened up displaying what looked like a Firefox page, including the Firefox logo.  The page said "Critical Firefox Update" and included a button saying "Download Now."  I did not click on "Download Now".  Nevertheless, a download window popped up immediately asking me to save a download called "firefox.patch.js."  I did not approve the download.

The web address for the page was:

I have set Firefox to manually check for updates, and I had checked my Firefox version only 5 minutes earlier, and Firefox told me I had the latest version, so I knew that no "critical update" was required, and that this popup was not legitimate.

I closed Firefox immediately.

The next day the same thing happened again.  Firefox "Help" continues to tell me that I have the latest version installed.

I am using Firefox 51.0.1 (32-bit) on a Dell Windows 8.1 desktop computer.  

Actual results:


Comment 1

11 months ago
Forgot to mention that I run Norton AntiVirus, fully updated.  After seeing this "Critical Update" window the first time, I ran the free version of Spybot Search & Destroy (fully updated) and the free version of Malwarebytes Anti-Malware (fully updated) and neither one detected any obvious problem related to Firefox, or any bots.  I checked Task Manager, and did not find any obvious bot running.  

I also run the most recent version of CCleaner, and have been doing so for 10 years, which deletes all temporary files every time I boot my computer.  I shut down my computer every evening, and the false update window appeared again the next day.  

I ran Spybot and Malwarebytes again the second day, and again neither one detected any major problems.  

I am using Windows Firewall, and also the firewall that came with my CenturyLink modem.  I am also using Windows Defender.  

I keep my computer updated with Windows Updates, which I run manually. The only recent Windows Update was an update to Flash Player, which I installed yesterday, AFTER the false Firefox "Critical Update" alert first occurred.  This Flash Player update caused a lot of problems with browsing - extremely slow page loading, freezing, etc., and I uninstalled it this morning, but this occurred after the false Firefox "Critical Update" alertm, so it is probably not related.
From bug 1342300 comment 3:
> The page you describe has been around for a while. It's a "social
> engineering" attempt to get you to download and open the "patch". If you do
> nothing it's not harmful, it's just a pop-up ad web page. People using other
> browsers often see a similar message except branded with their browser of
> choice. If you download and open the file it is a JScript file that will be
> run by the built-in Windows Scripting Host and infect your machine. Last
> time this was tracked down it was the Kovter malware, but I'm sure it could
> be easily adapted to the malware du jour.
> The source of the ads is unknown. The URL shown in the popup is a random
> host and quickly changes. This campaign has been going on for a while and
> hasn't been seen often on legit/popular sites -- most of the ad networks
> seem to be on the watch for it. If you getting this a lot look for patterns
> in your browsing to see if you can identify a common source site and maybe
> from there we can figure out what ad network that site uses and start
> digging there. --OR-- you already have local ad-ware running
> and these are just one of the poor quality ads
> it's injecting into your browsing.

Your computer might be infected by a malware, see the FAQ to clean it:

As it's a support question, you should use the official support, not Bugzilla which is not intented for that:
Last Resolved: 11 months ago
Component: Untriaged → Security
Resolution: --- → DUPLICATE
Duplicate of bug: 1342300
You need to log in before you can comment on or make changes to this bug.