User seeing "Critical Firefox Update" window which attempts to download update file called firefox.patch.js

RESOLVED DUPLICATE of bug 1342300

Status

()

Firefox
Security
RESOLVED DUPLICATE of bug 1342300
11 months ago
11 months ago

People

(Reporter: Alice Weiss, Unassigned)

Tracking

51 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

11 months ago
Created attachment 8843735 [details]
Firefox Critical Update.jpg

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

I opened Firefox and browsed to a news website.  A new tab opened up displaying what looked like a Firefox page, including the Firefox logo.  The page said "Critical Firefox Update" and included a button saying "Download Now."  I did not click on "Download Now".  Nevertheless, a download window popped up immediately asking me to save a download called "firefox.patch.js."  I did not approve the download.

The web address for the page was:
https://goaqugorodnabire.net/4941159548972/7c8e9a8efd045dad7fd86bb04d463742/41ef75afa7a37c4c928e06828b7e568c.html

I have set Firefox to manually check for updates, and I had checked my Firefox version only 5 minutes earlier, and Firefox told me I had the latest version, so I knew that no "critical update" was required, and that this popup was not legitimate.

I closed Firefox immediately.

The next day the same thing happened again.  Firefox "Help" continues to tell me that I have the latest version installed.

I am using Firefox 51.0.1 (32-bit) on a Dell Windows 8.1 desktop computer.  


Actual results:

Nothing.
(Reporter)

Comment 1

11 months ago
Forgot to mention that I run Norton AntiVirus, fully updated.  After seeing this "Critical Update" window the first time, I ran the free version of Spybot Search & Destroy (fully updated) and the free version of Malwarebytes Anti-Malware (fully updated) and neither one detected any obvious problem related to Firefox, or any bots.  I checked Task Manager, and did not find any obvious bot running.  

I also run the most recent version of CCleaner, and have been doing so for 10 years, which deletes all temporary files every time I boot my computer.  I shut down my computer every evening, and the false update window appeared again the next day.  

I ran Spybot and Malwarebytes again the second day, and again neither one detected any major problems.  

I am using Windows Firewall, and also the firewall that came with my CenturyLink modem.  I am also using Windows Defender.  

I keep my computer updated with Windows Updates, which I run manually. The only recent Windows Update was an update to Flash Player, which I installed yesterday, AFTER the false Firefox "Critical Update" alert first occurred.  This Flash Player update caused a lot of problems with browsing - extremely slow page loading, freezing, etc., and I uninstalled it this morning, but this occurred after the false Firefox "Critical Update" alertm, so it is probably not related.
From bug 1342300 comment 3:
> The page you describe has been around for a while. It's a "social
> engineering" attempt to get you to download and open the "patch". If you do
> nothing it's not harmful, it's just a pop-up ad web page. People using other
> browsers often see a similar message except branded with their browser of
> choice. If you download and open the file it is a JScript file that will be
> run by the built-in Windows Scripting Host and infect your machine. Last
> time this was tracked down it was the Kovter malware, but I'm sure it could
> be easily adapted to the malware du jour.
> 
> The source of the ads is unknown. The URL shown in the popup is a random
> host and quickly changes. This campaign has been going on for a while and
> hasn't been seen often on legit/popular sites -- most of the ad networks
> seem to be on the watch for it. If you getting this a lot look for patterns
> in your browsing to see if you can identify a common source site and maybe
> from there we can figure out what ad network that site uses and start
> digging there. --OR-- you already have local ad-ware running
> and these are just one of the poor quality ads
> it's injecting into your browsing.

Your computer might be infected by a malware, see the FAQ to clean it:
https://support.mozilla.org/t5/Procedures-to-diagnose-and-fix/Troubleshoot-Firefox-issues-caused-by-malware/ta-p/1595

As it's a support question, you should use the official support, not Bugzilla which is not intented for that:
https://support.mozilla.org/t5/Firefox/bd-p/Privacy-Security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Component: Untriaged → Security
Resolution: --- → DUPLICATE
Duplicate of bug: 1342300
You need to log in before you can comment on or make changes to this bug.