Closed Bug 370023 Opened 19 years ago Closed 19 years ago

Mozilla is susceptible to a malformed string from the spy virus Loverspy

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical


RESOLVED INCOMPLETE

People

(Reporter: nschubert1, Unassigned)

Details

(Whiteboard: [sg:needinfo] CLOSEME - 05/30)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) Opera 7.20 [en]
Build Identifier: All

When a Mozilla-based browser, such as Firefox, is used to access web-based HTML e-mail under Windows XP, it is susceptible to infection from the Loverspy virus. The Loverspy virus is a trojan that a user sends via e-mail to a targeted computer user. The user is enticed by a greeting card, and opens it. Microsoft Internet exploder and virus...I mean Outlook Express, are susceptible when they are used as direct mail clients. This is typical!

However, with the latest, and all other updates of Mozilla Firefox, I found by accident, that the virus, which I think is sent as a cab file, auto installs on any machine at the click of a mouse, just like an active-x virus. On HTML-based webmail, such as that from a web hosting company, clicking the link to the "attachment" automatically downloads and opens the virus, which self-executes, and utilizes ntvdm.exe to send out e-mail. Mozilla needs to ask to save the file (or whatever it is), and/or scan it. It appears to be a malformed string issue, a bug in Windows, but it passes through Mozilla flawlessly.

Yes, Loverspy is an old virus, from around 2003, but sometimes when a voyeuristic employer gets stupid, it resurfaces! Please be careful, the feds are after the guys that use and create it.

Neil H. Schubert

Reproducible: Didn't try

Steps to Reproduce:
1.
2.
3.

Actual Results: Use a non-virus scanned online e-mail client with an active e-mail account. Using another e-mail program or a bogus sender, send that e-mail the Loverspy virus file. Using that online client under Firefox, open the e-mail and click the attachment. The screen should flicker three times, and boom, the virus is installed.

Expected Results: NTVDM.exe was run, and an additional csrss.exe ran, but not as a system process. Ask the user to Save As, or reject the file.
Assignee: general → nobody
Group: webtools-security
Severity: critical → normal
Component: Bugzilla-General → General
Product: Bugzilla → Firefox
QA Contact: default-qa → general
restoring security flag until I hear from someone on the Firefox team that this actually isn't.
Group: security
Severity: normal → critical
Component: General → Security
QA Contact: general → firefox
Reporter: Do you have actual steps to reproduce this issue? It would also be helpful if you could attach the e-mail in question to this bug. Also, what webmail provider are you referring to? The more information we have, the better we can go about researching and possibly fixing this issue.
Clicking a link to an executable (a web-based email attachment) should *not* run that attachment, ever. The particular payload ("loverspy" in this case) is irrelevant.

It's possible the server sent a MIME type of some other media player, but then that player detected an alternate file format (the .cab) and "did the right thing". We still would have at some point prompted for that file type, but with media players users often set them up to play without asking, thinking they're supposed to be "safe". I'd consider this a serious bug in the media player if that's the case.

It's impossible to say more unless you have an example of how this slipped through. What webmail program were you using at the time? Do you still have your copy of the malicious mail? Could you forward it to one of us? (if so warn us first). It might be best to send it to an account on the same webmail system you were using so let us know which one that was and we'll see who has an account there.

(You could send it to me--please put "WARNING!" in the subject if you do--but I use POP mail and Thunderbird handles attachments totally differently than webmail programs. Plus my ISP would probably filter it out before it got to me, something as old as loverspy would be in their filters.)
Whiteboard: [sg:needinfo]
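
The mismatch comment 3 speculates about (a media MIME type declared for what is really a .cab) can be caught on the receiving side by comparing the declared type with the file's leading bytes and forcing a Save As prompt when they disagree. This is an added example, not code from Firefox or from this bug; the function names, policy labels and sample bytes are constructed for illustration.

```javascript
// Added example: names, policy labels and sample bytes are constructed.
// Leading magic bytes of formats that can be, or can carry, executable code,
// with the content types that honestly describe them.
const MAGIC = [
  { kind: 'cab', sig: [0x4d, 0x53, 0x43, 0x46],      // "MSCF" Microsoft Cabinet
    honest: ['application/vnd.ms-cab-compressed'] },
  { kind: 'zip', sig: [0x50, 0x4b, 0x03, 0x04],      // "PK\x03\x04"
    honest: ['application/zip'] },
  { kind: 'pe', sig: [0x4d, 0x5a],                   // "MZ" DOS/PE executable
    honest: ['application/x-msdownload',
             'application/vnd.microsoft.portable-executable'] },
];

// Return the matching MAGIC entry for the first bytes of a download, or null.
function sniffKind(bytes) {
  for (const entry of MAGIC) {
    const { sig } = entry;
    if (bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b)) {
      return entry;
    }
  }
  return null;
}

// Normalize "Audio/MPEG; charset=binary" to "audio/mpeg".
function baseType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Decide what to do with a clicked attachment. Executable or archive content
// is never handed to a helper application, whatever type the server declared.
function decideHandling(contentType, bytes) {
  const declared = baseType(contentType);
  const hit = sniffKind(bytes);
  if (hit === null) {
    return { action: 'declared-handler', sniffed: null, mismatch: false };
  }
  return {
    action: 'save-as-prompt',
    sniffed: hit.kind,
    mismatch: !hit.honest.includes(declared), // declared type hides the content
  };
}

// Constructed samples: a CAB header fragment and an MP3 ID3v2 header fragment.
const CAB_SAMPLE = Uint8Array.from([0x4d, 0x53, 0x43, 0x46, 0, 0, 0, 0]);
const MP3_SAMPLE = Uint8Array.from([0x49, 0x44, 0x33, 0x03, 0, 0, 0, 0]);
```

A `mismatch: true` result is also worth logging, since a media type wrapped around a cabinet or executable is a useful detection signal on its own.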
Neil, can you please answer the questions in comment 3? We need more information to figure out what the issue is.
Whiteboard: [sg:needinfo] → [sg:needinfo] CLOSEME - 05/30
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INCOMPLETE