What did you do?
================
1. Installed and activated "Open with Adobe PDF Reader" extension
2.
3.

What happened?
==============
Norton Internet Security immediately began reporting that it had blocked JScoinminer12 malware. After I disabled the extension, the warnings stopped.

What should have happened?
==========================
Should not have gotten such warnings.

Is there anything else we should know?
======================================
After leaving the extension disabled for a few days, and getting no warning, I enabled it again a few minutes ago and within seconds got the warning from NIS again. Once I disabled the extension again, the warnings stopped coming.
Group: websites-security → client-services-security
Component: Security → Security
Product: Mozilla Developer Network → addons.mozilla.org
Out of curiosity, I ran the latest version of the add-on through virus total. At the time of scanning, it appears to not trigger anything by any of the various scanners. Results can be found here: https://www.virustotal.com/#/file/88f955f07de4dfe9db4aa06769662539d0bde7f65142bba69b3c95131369bd58/detection
Interesting. Given this, I tried enabling the extension again. Within 5 seconds, I got this alert from Norton Internet Security: "Norton blocked an attack by: Web Attack: JSCoinminer Download 12." The "View Details" link produced this information:

Severity: High
Activity: An intrusion attempt was blocked.
IPS Alert Name: JSCoinminer Download 12
Attacker URL: https://coinhive.com/lib/cryptonight.wasm
Network traffic was detected that matches the signature of a known attack.
The attack was resulted from C:\Program Files\Mozilla Firefox\firefox.exe.

When I first started encountering these alerts, I ran a Norton full system scan. It found three instances of this malware and was able to remove two of them, but not the third. The Norton web site recommended I download, install, and run FixToolKotver64.exe. I did, but it produced no results after the first run. Per Norton's instructions in this case, I ran it a second time, which was supposed to confirm that the malware had, in fact, been removed.

I've recently seen a Wordfence blog post (http://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/?utm_source=list&utm_medium=email&utm_campaign=122017) about coinminer malware that installs itself, then hides its existence. Could this be an example of that? That post has to do with attacks on WordPress-based web sites, but there's no reason why an attacker couldn't use the same techniques against Firefox.
Just to verify, you are talking about this add-on, correct? https://addons.mozilla.org/en-US/firefox/addon/open-with-adobe-pdf-reader/
RBLampert: Can you also share the Firefox version and the version of the add-on you are running?
Component: Security → Blocklisting
Product: addons.mozilla.org → Toolkit
The version currently available on AMO (1.2.3) doesn't have a coin miner, but a version previously submitted with a higher version number (2.0.0) did have one and was rejected by a reviewer. Most current users are still on version 2.0.0 and won't upgrade because it's a higher version number, so they are still affected. We will ask the developer to resubmit the clean version with a higher version number, so users are updated to it. If there's no response after some time, we will move forward with a block.
(In reply to Jorge Villalobos [:jorgev] from comment #5)
> The version currently available on AMO (1.2.3) doesn't have a coin miner,
> but a version previously submitted with a higher version number (2.0.0) did
> have one and was rejected by a reviewer. Most current users are still on
> version 2.0.0 and won't upgrade because it's a higher version number, so
> they are still affected.
>
> We will ask the developer to resubmit the clean version with a higher
> version number, so users are updated to it. If there's no response after
> some time, we will move forward with a block.

Thanks, Jorge! I did install AMO version 2.0.0. I'm running 64-bit Firefox version 57.0.2.
:jorgev - Any reason why we wouldn't block the add-on now if we know the 2.0.0 version is malicious and the 1.2.3 can't be upgraded to?
The add-on doesn't meet the bar for blocklisting per our policy: https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews We will block it only if the developer doesn't update it in time.
To me, I don't believe the policy makes considerations for a malicious version of an add-on being released at a higher version than the latest. I was reading this part of the policy...

"If an add-on is considered malicious or its developers have proven unreachable or unresponsive, or in case of repeat violations, blocklisting may be immediate."

And as I read it, the latest version of the add-on, as known by a Firefox install, is considered the malicious version. I wonder if there is a means by which we could forcefully invalidate the known malicious version of this add-on in the browser rather than revoke the plugin directly. That, to me, seems in the best interest of our users.
Added context, to help color this in future...

- SKCom (the add-on developer) is a brand new user (created on Nov. 29, 2017)
- There are 3,042 users of the Open With Adobe PDF Reader plugin
- I believe the default for add-on updates (at least in Nightly) is automatic, so all 3,042 or so of those users (assuming they were not post-2.0.0 revocation) are running and stuck on the malicious 2.0.0 version until a new version is released or the product were to somehow render that add-on version useless given its blacklist status
- SKCom has two other Firefox add-ons that likely warrant a closer look, but Open With Adobe PDF Reader seems to be the most interesting
Jorge, there haven't been any new submissions so far. Should we start blocking?
The block is staged now. Please review and push.
Flags: needinfo?(jorge) → needinfo?(awagner)
The block is now live.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Andreas: To confirm, the block effectively does two things; (1) prevents people from downloading any version of the add-on and (2) makes it no longer function in the browser. Is that an accurate statement?
The block targets affected versions only, not the entire add-on. Users that have the affected version installed will have it disabled automatically, as soon as Firefox pulls the blocklist update. https://blocked.cdn.mozilla.net/ should pick up the new block shortly.
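The two mechanics discussed in this thread, an installed 2.0.0 that will never auto-update to the clean 1.2.3 because updates only move to a strictly higher version, and a block that disables only the installs whose version falls inside the blocked range, can be illustrated with a small script. This is an added example, not Mozilla's blocklist or add-on manager code: version comparison is simplified to dotted integers, and the block-entry shape (`id`, `ranges` with `min`/`max`) is a constructed stand-in for the real blocklist schema, with a placeholder add-on id.

```python
# Added illustration (not Mozilla's code). Version semantics are simplified to
# dotted integers; the block-entry dict is a constructed stand-in, not the real
# blocklist schema, and the add-on id is a placeholder.

def parse_version(v: str) -> tuple:
    """Split a dotted version string into a tuple of ints so tuples compare
    component-wise (simplification: numeric components only)."""
    return tuple(int(part) for part in v.split("."))


def would_auto_update(installed: str, available: str) -> bool:
    """An automatic update is applied only when the offered version is
    strictly newer than the installed one; otherwise the user stays put."""
    return parse_version(available) > parse_version(installed)


def is_blocked(installed: str, entry: dict) -> bool:
    """True if the installed version falls inside any range of the entry.
    A missing "min" or "max" is treated as an open end of the range."""
    v = parse_version(installed)
    for r in entry["ranges"]:
        lo = parse_version(r["min"]) if r.get("min") else None
        hi = parse_version(r["max"]) if r.get("max") else None
        if (lo is None or v >= lo) and (hi is None or v <= hi):
            return True
    return False


def apply_blocklist(installs: dict, entry: dict) -> dict:
    """Given {user: installed_version}, report which installs the block
    disables and which are left untouched."""
    return {
        user: ("disabled" if is_blocked(ver, entry) else "unaffected")
        for user, ver in installs.items()
    }


# Constructed sample mirroring the thread: the malicious build is exactly
# 2.0.0, the clean build on AMO is 1.2.3, and a later clean resubmission
# would need a number above 2.0.0 to reach existing users.
BLOCK_ENTRY = {
    "id": "open-with-adobe-pdf-reader@PLACEHOLDER",   # placeholder id
    "ranges": [{"min": "2.0.0", "max": "2.0.0"}],
}
SAMPLE_INSTALLS = {"alice": "2.0.0", "bob": "1.2.3", "carol": "2.0.1"}

if __name__ == "__main__":
    print(would_auto_update("2.0.0", "1.2.3"))  # False: stuck on the bad build
    print(would_auto_update("2.0.0", "2.0.1"))  # True: a higher clean number updates
    print(apply_blocklist(SAMPLE_INSTALLS, BLOCK_ENTRY))
```

The point the script makes is the one Andreas states: the block is keyed on a version range, so `bob` on the clean 1.2.3 is left alone while `alice` on 2.0.0 is disabled, and a clean resubmission only reaches `alice` if its version number sorts above 2.0.0.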
Thanks, guys! Glad to see this action taken. The web's a little bit safer place.