Malware can download in ZIP/TAR format without block or detection in STRICT mode
Categories
(Toolkit :: Safe Browsing, defect)
People
(Reporter: sm.tomal741, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(1 file: 9.03 MB, video/mp4)
Description: A pure Trojan which is detected by every security feature (AsyncRAt.exe) can be downloaded in ZIP/TAR format without getting any block or restrictions by Firefox in STRICT mode, which should trigger in Firefox. The same file can be triggered in exe format, but it is able to escape in ZIP/TAR format.
Reproduce:
- Upload the Trojan to a URL and download it in ZIP/TAR format.
- No block or security restrictions are applied to this file.
Comment 1•2 years ago
The "strict" setting is for the "tracking protection" privacy feature. It has no effect on any other feature in the browser; specifically, it has no effect on the "Safe Browsing" feature.
Firefox does not have a built-in anti-virus, and it is not a substitute for having one. The "Safe Browsing" feature that offers some download protection is entirely based on matching context (for example, the site and URL of the download) and file hashes. In the best case of a popular scam it will be matched by URL and blocked before downloading anything. After the download we calculate the file hash to see if it matches anything known by Google's Safe Browsing service, but it's easy to modify the file to generate a new hash. Apparently that specific RAT is known to Safe Browsing, but putting it in an archive is not something that's been seen by Google often enough for them to incorporate it into the list.
This problem should be reported to Google since they are the ones who operate the Safe Browsing service.
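
The behaviour Comment 1 describes, as an added example that is not part of the bug report and is not Firefox or Safe Browsing code: a simplified hash-list check stops matching a listed file once it is wrapped in a ZIP or TAR, and hashing the archive members on the defender's side recovers the match. `BLOCKLIST`, `SAMPLE` and all function names are hypothetical, and the payload is a constructed harmless byte string.

```python
import hashlib, io, tarfile, zipfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed, harmless stand-in for a file whose hash is on a blocklist.
SAMPLE = b"constructed benign stand-in for a known-bad executable\n"
BLOCKLIST = {sha256(SAMPLE)}  # hypothetical local hash list (assumption)

def make_zip(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def make_tar(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def outer_hash_match(download: bytes) -> bool:
    """Hash-list lookup on the downloaded file as a whole."""
    return sha256(download) in BLOCKLIST

def member_hash_matches(download: bytes, max_member: int = 64 << 20) -> list:
    """Names of ZIP/TAR members whose own hash is on the blocklist."""
    hits, buf = [], io.BytesIO(download)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for zi in zf.infolist():
                # Skip directories and oversized members (bounds memory use).
                if zi.is_dir() or zi.file_size > max_member:
                    continue
                if sha256(zf.read(zi)) in BLOCKLIST:
                    hits.append(zi.filename)
        return hits
    buf.seek(0)
    try:
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            for ti in tf:
                if ti.isfile() and ti.size <= max_member:
                    if sha256(tf.extractfile(ti).read()) in BLOCKLIST:
                        hits.append(ti.name)
    except tarfile.TarError:
        pass  # not an archive: nothing to unpack
    return hits
```

Member hashing only helps for unencrypted archives and for contents that are byte-identical to a listed file, which is why the comment says this is not a substitute for an anti-virus scanner.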