326860 - (winalinmacpop) simply selecting text on page popup and install winfixer spyware - sessionsaver extension will be patch the problem by always open new windows when starting browser

Status: RESOLVED DUPLICATE of bug 313337

(Firefox :: Security, defect)

Description

[Mike Silva]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1

I think this site exploit a a security problem in Firefox 1.5.0.1 as well as latest Firefox nightly build "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1)
 Gecko/20060211 Firefox/1.6a1"
I tested this on Slackware 10.2, and also created a new system user with a clean profile (empty home dir) for testing the nightly build of FF.
The following URL:
http://macdailynews.com/index.php/weblog/comments/8561/
First time page loads looks fine, but when I simply select some text a popup "Winfixer" apears (URL= http://media.fastclick.net/w/... and the new window URL=http://bfc.myway.com/smileypromos/screensavers/ss_opt_pop3.html?partner=ZRxdm080 ). (it shouldn't)
and if sessionsaver extension is instaled everytime Firefox starts it also open windows from winfixer.
Never seen anything like this in my Linux Firefox.


Reproducible: Always

Steps to Reproduce:
1. Open URL http://macdailynews.com/index.php/weblog/comments/8561/
2. With the mouse, just select some normal text on page
3. Popup apears

Actual Results:  
Unwanted popup and maybe instaled spyware.
If used with the sessionsaver extension problem gets biger.

Expected Results:  
Shouldn't popup that window, and even when closing it reopens another one.

I think the poped-up window uses flash to make other things, because when I used a clean new user profile the poped-up window shoed I needed an adition plugin and when I said to search for that plugin it said it was flash.

I found the problematic URL because it was in first place when searching for "linux" in news.google.com

Comment 1

[Mike Silva]

Just made another test using a clean user account:
rm -fr .mozila/
(this should have cleand the profile settings)
cd firefox
(location of decompresed FF binary nighly build 20060211)
from the comand line opened FF, it opens the normal start-page and close FF
cp -rv .mozilla .mozilo
(backup profile)
open again FF and then I enter the trouble page URL and it loads ok
select some text
the bad Popup window apears
back to comand line and kill FF (using Ctrl+C)
Using kdiff3 I found the following changed files:
some files in Cache/ (normal grow I guess)
XUL.mfasl (from 734501bytes to 802055bytes)
hystory.dat (from 943bytes to 3328bytes)
localstore.rdf (from 1026bytes to 3964bytes)

I think you'll have no problems geting this same result, but if you need I have these files.

PS: thinking of a name of this bug: Funny a Linux user reading a Mac site and gets a winfixer popup :) maybe winalinmacpop

Comment 2

[Daniel Veditz [:dveditz]]

(In reply to comment #1)
> Using kdiff3 I found the following changed files:
> some files in Cache/ (normal grow I guess)
> XUL.mfasl (from 734501bytes to 802055bytes)
> hystory.dat (from 943bytes to 3328bytes)
> localstore.rdf (from 1026bytes to 3964bytes)

Those are normal browsing files. XUL.mfasl is the XUL cache, and localstore.rdf holds browser state like window positions. They probably wouldn't have changed in a well-used profile, but because you started fresh they're just getting set. History is your browsing history, of course -- that always changes as you surf.

Comment 3

[Daniel Veditz [:dveditz]]

Attachment: The chunk from fastclick

This is the content of one of the files loaded from fastclick, slightly reformatted for readability (their version was a 5500 character-long single line). I've decoded the scrambled strings and they're mostly IE object things. If you look at function fV7 you'll see it set a body.onclick handler, which is the one that gets us.

Comment 4

[Daniel Veditz [:dveditz]]

*** This bug has been marked as a duplicate of 313337 ***