Created attachment 8843735 [details] Firefox Critical Update.jpg User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Build ID: 20170125094131 Steps to reproduce: I opened Firefox and browsed to a news website. A new tab opened up displaying what looked like a Firefox page, including the Firefox logo. The page said "Critical Firefox Update" and included a button saying "Download Now." I did not click on "Download Now". Nevertheless, a download window popped up immediately asking me to save a download called "firefox.patch.js." I did not approve the download. The web address for the page was: https://goaqugorodnabire.net/4941159548972/7c8e9a8efd045dad7fd86bb04d463742/41ef75afa7a37c4c928e06828b7e568c.html I have set Firefox to manually check for updates, and I had checked my Firefox version only 5 minutes earlier, and Firefox told me I had the latest version, so I knew that no "critical update" was required, and that this popup was not legitimate. I closed Firefox immediately. The next day the same thing happened again. Firefox "Help" continues to tell me that I have the latest version installed. I am using Firefox 51.0.1 (32-bit) on a Dell Windows 8.1 desktop computer. Actual results: Nothing.
Forgot to mention that I run Norton AntiVirus, fully updated. After seeing this "Critical Update" window the first time, I ran the free version of Spybot Search & Destroy (fully updated) and the free version of Malwarebytes Anti-Malware (fully updated) and neither one detected any obvious problem related to Firefox, or any bots. I checked Task Manager, and did not find any obvious bot running. I also run the most recent version of CCleaner, and have been doing so for 10 years, which deletes all temporary files every time I boot my computer. I shut down my computer every evening, and the false update window appeared again the next day. I ran Spybot and Malwarebytes again the second day, and again neither one detected any major problems. I am using Windows Firewall, and also the firewall that came with my CenturyLink modem. I am also using Windows Defender. I keep my computer updated with Windows Updates, which I run manually. The only recent Windows Update was an update to Flash Player, which I installed yesterday, AFTER the false Firefox "Critical Update" alert first occurred. This Flash Player update caused a lot of problems with browsing - extremely slow page loading, freezing, etc., and I uninstalled it this morning, but this occurred after the false Firefox "Critical Update" alertm, so it is probably not related.
From bug 1342300 comment 3: > The page you describe has been around for a while. It's a "social > engineering" attempt to get you to download and open the "patch". If you do > nothing it's not harmful, it's just a pop-up ad web page. People using other > browsers often see a similar message except branded with their browser of > choice. If you download and open the file it is a JScript file that will be > run by the built-in Windows Scripting Host and infect your machine. Last > time this was tracked down it was the Kovter malware, but I'm sure it could > be easily adapted to the malware du jour. > > The source of the ads is unknown. The URL shown in the popup is a random > host and quickly changes. This campaign has been going on for a while and > hasn't been seen often on legit/popular sites -- most of the ad networks > seem to be on the watch for it. If you getting this a lot look for patterns > in your browsing to see if you can identify a common source site and maybe > from there we can figure out what ad network that site uses and start > digging there. --OR-- you already have local ad-ware running > and these are just one of the poor quality ads > it's injecting into your browsing. Your computer might be infected by a malware, see the FAQ to clean it: https://support.mozilla.org/t5/Procedures-to-diagnose-and-fix/Troubleshoot-Firefox-issues-caused-by-malware/ta-p/1595 As it's a support question, you should use the official support, not Bugzilla which is not intented for that: https://support.mozilla.org/t5/Firefox/bd-p/Privacy-Security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Component: Untriaged → Security
Resolution: --- → DUPLICATE
Duplicate of bug: 1342300
You need to log in before you can comment on or make changes to this bug.