Created attachment 176004
The offending JS

I risked my life to get you guys the source of the offending page :).
If you're running Firefox this site shouldn't be able to launch a XPI -- you should get the infobar at the top saying an install attempt from that site was blocked. If you unblocked the site and then agreed to install something, well, it was installed. Hard to protect against that. (I'll get back to the close button thing in a bit...)

When I opened the captured page it also tried to install something using java, popping up a big scary permission dialog. Do you have Java? If so, what version? (check using about:plugins). I ask because we've seen similar sites take advantage of a Sun JRE flaw in 1.4.2_05 and below to install things without notice. The site appears to throw a lot of potential exploits against different browsers so it *might* use the older java flaw in addition to the straight-forward privilege dialog I saw.

Back to the install close button thing. That would be a serious bug, obviously, but not one I've ever seen. Are you sure it was a XPI that ran? If it did it would leave a record in install.log in the installation directory (or your profile if the install dir is write protected). Look and see what you find there.

Also interesting is your initial claim that it opened an IE window, and then got infected through that. It would certainly be dangerous if something could open an IE window, but there's no evidence of how it did that. Probably the IE window was opened by the exploit itself after it was already installed.
Now that you mention it, a while earlier on that site, I had a Java popup asking me whether it could install the software appear with the Yes button right under my mouse cursor when I clicked, so I accidentally clicked yes... :/
I uninstalled Java 1.4.0.03 and installed 1.5.0.02 and the problem is gone...

I'm happy to be rid of it, but there will be millions of users still using an older Java version just like me. The fact that the Java download page is quite cryptic for the ‘dummy’ user doesn’t help either, even I had trouble finding the proper download package.

I can't help that a number of Firefox's main ‘security’ problems are related to plugins. This, and I heard about Flash popups as well. Is there a plan to address these kind of issues?

~Grauw
(In reply to comment #7)
> I can't help that a number of Firefox's main ‘security’ problems are related
> to plugins. This, and I heard about Flash popups as well. Is there a plan to
> address these kind of issues?

Yes, we have plans to include plugins in the extension update service, blacklist (disable) extensions and plugins with known critical vulnerabilities, block plugins from opening windows, and more. Don't have all the bug numbers handy.

We're also looking into whether it's possible to block Java from asking for enhanced permissions except for whitelisted sites. People could list their corporate intranet apps and then not worry about malicious Java permission dialogs popping up elsewhere. Your comment 6 suggests the Java permission dialog might be vulnerable to something like bug 162020, all the more reason to keep it from coming up.

Since the spyware was installed after you gave it explicit permission to do so, albeit mistakenly, this bug ought to be closed. Rest assured that we are addressing the related issues in other bugs, though.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID