Closed Bug 334880 Opened 18 years ago Closed 18 years ago

Windows Live OneCare found a virus in my cache (was: Security Flaw allows virus to be loaded via firefox)

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major


RESOLVED INVALID

People

(Reporter: bugzilla, Unassigned)


User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2

When I visited this site, which is infected by the bloodhound virus, it offers me the opportunity to download the file.  

If I refuse, Firefox still caches the virus on the machine in temporary files.


Reproducible: Always

Steps to Reproduce:
1. visit http://www.geniusnet.com
2. refuse the download
3. make sure you have an up-to-date virus scanner, as otherwise your machine will be infected.

Blog user at this site shows results with screen grab.
http://nunchuckblog.com/index.php?/archives/16-Genius-website-distributing-Bloodhound-Virus.html


Actual Results:  
Machine is infected with virus

Expected Results:  
If I refuse a download, it should not cache the download on the computer
Here is the support log from my antivirus to show the place that the file was downloaded. Please note that I REFUSED the download (particularly since it's called exploit.wmf).
Could this be a hacker showing proof of concept code?

21/04/2006 01:02  	
Windows Live OneCare found a virus on your computer
FileName:	C:\Documents and Settings\Grant\Local Settings\Application Data\Mozilla\Firefox\Profiles\1f5xu7zn.default\Cache\13D3E7FBd01
VirusName:	Exploit:Win32/Wmfap
Infection was found by On Access Protection:	(ANTIVIRUS_ONACCESS_SUSPICIOUS)
Disinfection Result:	Quarantined
Success
21/04/2006 01:02 	
Windows Live OneCare found a virus on your computer
FileName:	C:\Documents and Settings\Grant\Local Settings\Application Data\Mozilla\Firefox\Profiles\1f5xu7zn.default\Cache\13D3E7FBd01
VirusName:	Exploit:Win32/Wmfap
Infection was found by On Access Protection:	(ANTIVIRUS_ONACCESS_SUSPICIOUS)
Disinfection Result:	ANTIVIRUS_ONINFECTION_RESULT_FOUND
Success
*** Bug 334882 has been marked as a duplicate of this bug. ***
*** Bug 334881 has been marked as a duplicate of this bug. ***
Were these virusy files actually about to be run, or is your antivirus software just being stupidly paranoid like in bug 333152?

Making this public because even if it is a security hole in Firefox (which I don't think is the case), it's something that malware people already know about.
Group: security
Summary: Security Flaw allows virus to be loaded via firefox → Windows Live OneCare found a virus in my cache (was: Security Flaw allows virus to be loaded via firefox)
I marked it as private as I don't want any malware guys to take advantage; however, I have looked in my quarantined files and the virus has definitely downloaded onto my machine. Regarding whether they were about to run, I can't answer that without taking a chance on my production machine! It is possible that it's a repetition of the same fault; what is concerning is that a file that's been refused is downloaded onto the machine! Replace it with an autorun type file and it could be a problem.

If someone else can try it out on the site, which is still virus infected, perhaps they could find more information. 

Internet Explorer fares far worse as it doesn't give you the option to refuse the download.

Theoretically the problem could be Windows related; I remember something about wmf files before.
The "cache" is a temporary copy of parts of the internet. In any practical sense it is not "on" your machine any more than it was when the browser found it -- nothing but the browser will read those files, and if the browser were an infection vector it would be infected from the internet copy even if caching were turned off.

If infected files show up *outside* the cache then you've gotten the virus. Otherwise consider infected cached copies to be a warning. Check up on the virus (most of the time they're IE exploits that don't even infect Firefox) and in the future stay away from the "bad neighborhood" where you got the file.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
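
The triage rule from the closing comment (a detection inside the browser cache is a warning, one outside it means the file reached the system) can be applied mechanically to an antivirus log. The following is an added example, not part of the original bug: it parses entries in the layout of the OneCare log quoted above and labels each by location. The sample log, user name, profile name and second path are constructed.

```python
import ntpath  # Windows path rules, whatever OS this runs on
import re

# Constructed sample in the layout of the support log quoted in the report.
# User name, profile name and the second path are invented for illustration.
SAMPLE_LOG = r"""21/04/2006 01:02
Windows Live OneCare found a virus on your computer
FileName: C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\Cache\13D3E7FBd01
VirusName: Exploit:Win32/Wmfap
Disinfection Result: Quarantined
Success
21/04/2006 01:05
Windows Live OneCare found a virus on your computer
FileName: C:\Documents and Settings\user\My Documents\sample.wmf
VirusName: Exploit:Win32/Wmfap
Disinfection Result: Quarantined
Success
"""

STAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}\s*$")
FIELD_RE = re.compile(r"^(FileName|VirusName|Disinfection Result):\s*(.+?)\s*$")
# Anything below <profile>\Cache\ counts as a browser cache entry.
CACHE_RE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\Cache\\.+", re.I)

def parse_entries(text):
    """Split the log into one dict per timestamped detection."""
    entries, current = [], None
    for line in text.splitlines():
        if STAMP_RE.match(line):
            current = {"time": line.strip()}
            entries.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return entries

def triage(text):
    """Return (location, virus name, normalized path) per detection."""
    results = []
    for entry in parse_entries(text):
        if "FileName" not in entry:
            continue  # nothing to classify without a path
        # normpath collapses "..", so Cache\..\x is not mistaken for a cache file
        path = ntpath.normpath(entry["FileName"])
        where = "browser-cache" if CACHE_RE.search(path) else "outside-cache"
        results.append((where, entry.get("VirusName"), path))
    return results

if __name__ == "__main__":
    for where, name, path in triage(SAMPLE_LOG):
        print(f"{where:14} {name}  {path}")
```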