Closed Bug 276752 Opened 20 years ago Closed 20 years ago

firefox crashed and error report crashed upon sending data report. Followed by system was infected with "Bloodhound.Exploit.6"

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: Hypnotoad86, Assigned: bugzilla)

Details

(Keywords: crash, Whiteboard: [sg:nse])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Upon entering http://www.railroadtycoon3.com/rt3/us/downloads/game.html Firefox
performs an illegal operation.  This is quickly followed by the "Report this
problem program" to load up.  After clicking continue/next three times the
reporting application also performs an illegal operation.  A window then appears
notifying me that I was infected by a Bloodhound.Exploit.6.

Norton explains the technical details of Bloodhound.Exploit.6 as "By embedding a
specially crafted URL in a Web page and having that URL refer to a CHM file
containing an HTML file with scripts in it, an attacker could force the user who
views the Web page with a vulnerable version of Internet Explorer to download
and execute files."

I have only used Internet Explorer to run updates and because it is linked to my
virus definition encyclopedia quoted above.

The virus was found in "Source: C:\Documents and Settings\[username]\Application
Data\Mozilla\Firefox\Profiles\gegze1d2.Default User\Cache\_CACHE_001_"

Reproducible: Couldn't Reproduce

Steps to Reproduce:
1. entered http://www.railroadtycoon3.com/rt3/us/downloads/game.html
2. waited as the Shockwave application loaded
3. Firefox crash followed by "Report this problem" crash followed by Virus Alert

Actual Results:  
After attempting to reproduce above steps nothing occurred.  Website loaded
regularly.  Does not explain why the virus was inside the cache files.  I was also 

Expected Results:  
The software should not have crashed, and the cache should not have been
infected with a virus.

Furthermore, the virus could not be deleted by Norton.  The cache had to be
manually cleared.  Auto-Protect was enabled and has been since the first
installation of the PC. Auto-Protect works like this: as soon as a file is
created, modified, etc., it is scanned to check for viruses.  I am fully updated
and patched in everything possible: Windows, Norton, Firefox.  Sygate firewall
was turned off earlier in the day to allow my LAN network to access me; I am
also behind a router with a built-in firewall.  I am unsure if the report was
accurately sent to your data server, but the time it was sent was 7:08:18 AM EST
on 1/2/2005.  Checking logs might provide some more information.

After running a full system virus scan I also had Trojan.ByteVerify infected
within Jvb.class, and a generic TrojanHorse in MainApp.class.  Both were
located inside Sun Microsystems' Java cache.  I have never had a problem of this
magnitude with Firefox before.  I run a weekly virus scan at 8pm every Friday
and today is Sunday.

I could not recreate the occurrence and do not have the offset values which the
crash occurred at; I copied it into clipboard and forgot to jot it down.
Apologies.  Hope this helps current or future occurrences.

Firefox is not vulnerable to .CHM exploits, and the "virus" in the cache is not
a problem. Only the browser will load files from there and if Firefox were
vulnerable to this exploit code (it's not) it would have attacked when you
visited the page whether the page was cached or not. This way your AV can warn
you dodgy content was found and you can
 - look up the exploit to make sure your browser and version is safe
 - note that you've wandered into a potentially dangerous part of the web.

In this case since the game site is legit the exploit code may have been cached
from some other site and only detected later by the AV. It might have come in
from a hacked 3rd-party advertising server, which would also explain the
difficulty in reproducing, since you'd presumably get different ads each time.

I can't repro the crash. Since it's a Flash game, do you have an old version of
Flash? Since there's not much else on the page, it's most likely the Flash plugin
that crashed.

Unfortunately not enough info to be able to fix this.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Keywords: crash
Resolution: --- → WORKSFORME
Whiteboard: [sg:nse]