Closed Bug 290410 Opened 20 years ago Closed 20 years ago

Virus Page That Auto Infects w32.kelvir into client FIX THIS before they move the webpage!!!

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED INVALID

People

(Reporter: nigma82, Assigned: dveditz)

Details

(Whiteboard: [sg:nse])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

I got a now common link in msn... one of those propagating msn viruses.  I
clicked it and it opened up the supplied link.

A virus was automatically downloaded to:
C:\DOCUMENTS AND SETTINGS\ALIASNIGMA\LOCAL SETTINGS\TEMP

The browser immediately opens and prompts me as to whether I want to save some
.com file.  Before I even made a choice Norton Antivirus had caught the virus
already downloaded in a temp folder.

In later trials Norton Antivirus did not catch the virus until I pressed the
cancel button in the download dialog.

At no time did I choose to download the file.


Reproducible: Always

Steps to Reproduce:
1. Open the supplied link. !!Caution!!
2. The virus automatically downloads and Firefox asks to save the file.
Antivirus dialog appears informing that a virus has been found.
3. Infected Client... or quarantined .com file

Actual Results:  
Virus auto-downloaded.
As stated, if not for Norton Antivirus I would have been infected... with the
autodownloading virus.

Expected Results:  
I was expecting Firefox not to download a .com file automatically... rather ask
to download it as usual.
Expected results are identical.  This is a working security hole.



A bug like this enables pretty much anything to get through.

The server hosting the virus and infection page will IP ban or email ban you if
you enter the link more than about 3 times.
This might be helpful...
There's no real page that opens... just some "pictures.php?" url...

This screenshot is one of the repeated test cases.
This dialog window appeared at the same time as the firefox save dialog in the
first screenshot.

The file downloaded and virus was detected before the user chose whether to
save or not save the file.

The file at that link is already gone but this is not a problem. To give better
performance Firefox starts downloading into a temporary file when the download
is initiated. A small file will already be downloaded before the user clicks OK
or Cancel, and response will be instantaneous on an OK. On a cancel the
temporary file is simply deleted and there is no harm.

As you've found this also gives your Anti Virus a chance to scan the file, or
part of the file, before you make your choice and give you a warning before you
make a mistake and download the file. If the forced download didn't give you
cause to suspect the site, the virus warning should be all you need to know to
avoid that site.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Whiteboard: [sg:nse]

(In reply to comment #3)

However if the infected .com file is infected with a new virus... hypothetically
anything that the anti-virus won't detect, will that not leave the client open to
infection? Even if it is obvious the file is a virus and the user clicks no...?

And thanks for your time :)

(In reply to comment #4)
> 
> However if the infected .com file is infected with a new virus... hypothetically
> anything that the anti-virus won't detect, will that not leave the client open to
> infection? Even if it is obvious the file is a virus and the user clicks no...?

Then you don't get an AV warning, and when you click no the temporary file is
deleted. The end result is the same. An inert datafile on your system is not
going to infect you, you would have to launch it to get infected.