Closed Bug 530747 Opened 10 years ago Closed 10 years ago

Ask Toolbar (Zone Alarm Toolbar) breaks other extensions and the browser

Categories

(addons.mozilla.org :: Security, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ecfbugzilla, Assigned: jorgev)

Attachments

(2 files, 2 obsolete files)

Sorry about knowingly filing this in the wrong component, this isn't a security issue and the extension isn't even hosted on AMO. Feel free to move this to a more appropriate component if one exists.

I had a number of bug reports lately that turned out to be issues caused by the Ask Toolbar extension (which also goes by the names Zone Alarm Toolbar and Foxit Toolbar). Example bug reports are bug 526969 and bug 530446. It seems that the reports are increasing because several popular applications come bundled with this extension and pre-check the option to install it (in particular Zone Alarm firewall and Foxit Reader). From what I can tell, nobody is installing it because of additional value - it is always unintentional installations. The installation works by copying the extension directory into all profiles found on the machine.

Problems revealed by a quick glance at the source code:

* Namespace pollution (http://blog.mozilla.com/addons/2009/01/16/firefox-extensions-global-namespace-pollution/). It has tons of global variables with names that are everything but unique, for example prefs, gClipboard, DNS, zoomFactor. I'm certain that these even conflict with variables defined by the browser on some occasions.
* Manipulation of prototypes of some built-in objects - String, Document, Node (snipit_commons.js and lib/util.js). Since this is being done in chrome context it affects all extensions and the browser itself.
* Synchronous HTTP requests in various listeners - particularly on tab addition/removal and in onStateChange (browser progress listener). I can imagine that particularly the latter confuses the browser a lot. However, it looks like onStateChange processing might be limited to the Zone Alarm variation of the toolbar.
* The synchronous request in onStateChange: The toolbar will send each URL loaded by the browser to a port on localhost, from there it probably goes out to ZoneAlarm servers - I couldn't find a privacy policy however, the links in http://sp.ask.com/en/toolbar/eula/zonealarm/index.html are dead (not to mention that the user isn't given a chance to view the privacy policy before installing).
* Manipulation of user's proxy settings - the following code pattern can be found in several places:

    var type;
    if( (type = prefs.getIntPref("network.proxy.type")) > 0 ) {
        prefs.setIntPref("extensions.snipit.ntproxy", type);
        prefs.setIntPref("network.proxy.type", 0);
    }

    ...

    prefs.setIntPref("network.proxy.type", prefs.getIntPref("extensions.snipit.ntproxy"));

There are several issues with that: for one, the user might not want to download anything without a proxy. Then, if an exception is thrown before network.proxy.type preference is reset it will stay changed forever. And finally, if the user had a proxy set at some point (Ask Toolbar saved that setting in extensions.snipit.ntproxy) but switched it off later - Ask Toolbar will keep re-enabling the proxy.
* Changing of extensions.update.notifyUser preference - this is not something an extension should ever touch but probably doesn't have side effects apart from a briefly flashing extension update window on next browser start.
* Of course, the extension will manipulate preferences to make Ask the default search engine for everything (keyword.URL, browser.search.defaultenginename etc) - and it will never set them back.

There are probably more (a lot more). Given the overall very low code quality (fixing it up requires significant effort) I don't expect a useful answer from Ask.com and didn't contact them yet. Is there anything Mozilla could do about it?

On the bright side, the extension hasn't been updated in a while and still lists Firefox 3.0 as maxVersion. With some luck the problem might go away by itself after some time. Or it might not.
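
Two of the failure modes described for the proxy snippet above (an exception before the reset, and a stale extensions.snipit.ntproxy value), reproduced as an added example that is not part of the original report or of the extension's code. makePrefs is a constructed in-memory stand-in for the preference service, and patternFromReport, scopedOverride and proxyAfter are hypothetical names.

```javascript
// Constructed stand-in for the preference service; only the two calls
// used in the quoted snippet (getIntPref / setIntPref) are modelled.
function makePrefs(initial) {
  const store = new Map(Object.entries(initial));
  return {
    getIntPref(name) {
      if (!store.has(name)) throw new Error("no such pref: " + name);
      return store.get(name);
    },
    setIntPref(name, value) { store.set(name, value); },
  };
}

const PROXY = "network.proxy.type";
const STASH = "extensions.snipit.ntproxy";

// The pattern quoted in the report: the old value is stashed in a
// persistent pref and restored unconditionally afterwards.
function patternFromReport(prefs, work) {
  let type;
  if ((type = prefs.getIntPref(PROXY)) > 0) {
    prefs.setIntPref(STASH, type);
    prefs.setIntPref(PROXY, 0);
  }
  work(); // a throw here skips the restore below
  prefs.setIntPref(PROXY, prefs.getIntPref(STASH));
}

// Scoped variant (assumption, not the extension's code): the saved value
// lives in a local variable and the restore runs in finally.
function scopedOverride(prefs, work) {
  const saved = prefs.getIntPref(PROXY);
  if (saved > 0) prefs.setIntPref(PROXY, 0);
  try {
    work();
  } finally {
    if (saved > 0) prefs.setIntPref(PROXY, saved);
  }
}

// Runs fn, swallows the exception from work, returns the final proxy type.
function proxyAfter(fn, prefs, work) {
  try { fn(prefs, work); } catch (e) { /* failure of the wrapped work */ }
  return prefs.getIntPref(PROXY);
}

const failing = () => { throw new Error("request failed"); };
const ok = () => {};
```

The scoped variant still runs the wrapped work without the user's proxy, which is the first objection in the report; it only removes the stuck-at-0 and stale-restore outcomes.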
It's not clear what the license of this add-on is - different files make different statements, apparently there was lots of copy&paste programming. If you don't want to install Zone Alarm the extension can be seen here: http://office.syntaxservers.net/rhett/temporary/pauls-comp/Pauk/AppData/Roaming/Mozilla/Firefox/Profiles/4pto4f95.default/extensions/%7BE9A1DEE0-C623-4439-8932-001E7D17607D%7D/ (no, I have no idea why somebody would put his entire disk drive on the web).
If you go to http://toolbar.ask.com, you can download the latest version of the toolbar add-on. This one has a maxVersion of 5.* (?!), so this is the one we should be concerned about. The id is different, though (it's toolbar@ask.com in the new version, and an UUID in the old one).

I did a quick code check in the new version, and the namespacing seems reasonable, so at least that problem is solved. The code validator spotted a few incorrect uses of eval, an iframe without a type attribute, and an instance of nsIProcess. The files in the chrome folders are randomly distributed between content and skin, which I found very disconcerting.

The quality is not good, but not as bad as of the old version. It doesn't look like it causes much harm now. I recommend you test against this newer version to see if it is causing any problems. If it isn't, I think this is a WONTFIX.
That's weird. Zone Alarm comes bundled with version 2.1.0.5 and its update URL isn't returning anything. Foxit Reader installs the same version but with extensions.snipit.build preference being 7 instead of 6. A bunch of other differences but nothing substantial. And then there is Vuze Toolbar - again version 2.1.0.5, build 11 this time. It is compatible with Firefox 3.* - meaning that it will install in 3.5 as well. A bunch of changes there but again nothing substantial.

Jorge, could you send me the extension files for the new version? The installer doesn't work for me. I suspect that this is an entirely different extension indeed.
Here's an XPI I built out of the installation in my profile. Some of the source files mention an author named Tanmay Shrivastava, with a 2008 date. I found some contact info on him using Google (and filtering out 'cricket' :P). There's LinkedIn and possibly Facebook, but no visible e-mail address.

It's very likely that distributors of the toolbar just use whatever version was the latest and then forget about it.

We could try to contact the author and see if he can give us some more info to follow up on.
The version 3.6.1.115 you attached is an entirely different extension. From what I can tell, it has no similarities to version 2.1.0.5 whatsoever - and the code quality is decent indeed, none of my points above apply (except the one where it never resets the search engine prefs it changed, not even when uninstalled). The question is whether they are maintaining two extensions in parallel (one for "own" use and another for bundling) or simply failed to push the new version to the applications bundling it. From the dates this is not clear, version 2.1.0.5 build 11 has a file dated March 2009 whereas the earliest file date for version 3.6.1.115 is July 2009 - but the copyrights say 2008. Also, Zone Alarm will certainly not be interested in distributing version 3.6.1.115 because it doesn't have their "send all URLs the user visits to our server" feature.

(In reply to comment #4)
> Some of the source
> files mention an author named Tanmay Shrivastava, with a 2008 date. I found
> some contact info on him using Google (and filtering out 'cricket' :P). There's
> LinkedIn and possibly Facebook, but no visible e-mail address.

Well, there is also Vishal V. Shah - http://www.linkedin.com/in/goldenv, Chief Architect at Ask.com. He has an email address both on his homepage and in LinkedIn. I will send him a mail and ask to clarify.
Got a response from Vishal Shah:

> 3.6.* represents toolbars of our "new platform". 2.* are the older
> platform - they are still active, but we build newer toolbars on the
> 3.6.* platform.
>
> I have escalated this issue internally and we are looking into this
> immediately. We will update you once we have more info.
-> jorge so it gets tracked
Assignee: nobody → jorge
Priority: -- → P3
Target Milestone: --- → 5.5
Moving this to 5.6. Any news, Wladimir?
Target Milestone: 5.5 → 5.6
No, only increasing numbers of "bug reports" :-(
Any news from Vishal?  What do we want to do here?
I requested an update from Vishal.
Got an answer from Chris Zimdars, product manager in Ask's extension team:

> The toolbar that you have described (v2.x) is a very old toolbar build.  We
> haven’t built any toolbars on that platform since 2008 although we still have
> a couple of partners distributing that older build.  Partners with custom
> functionality tend to be the ‘long pole’ for moving off this older build.  I
> will work with our Account Management team on migrating the remaining partners
> off that old build.
I think this is gonna take a while. I'll revisit this on 5.8.
Target Milestone: 5.6 → 5.8
The problem is that I don't see the add-on shortcuts in the toolbar.  

This was a clean install after years of having a bad build of Firefox that perpetuated its bugs until I uninstalled and then clean installed.
Target Milestone: 5.8 → 5.9
Bumping to 5.10.
Target Milestone: 5.9 → 5.10
Wladimir, any updates on this issue?
Do you know if Ask has done anything about this?
Are the bug reports more frequent, or less?
I honestly don't know whether they've done anything, I didn't get any notification from them. However, now that you ask - I don't remember any recent reports. I listed that problem under "Known issues" but people rarely read that so maybe the problem is gone. Want to install Zone Alarm to check?
Actually, I downloaded the free firewall and it looks like they no longer distribute the toolbar (at least I cannot find it in the archive). I downloaded the toolbar directly from http://www.zonealarm.com/security/en-us/spyblocker-download.htm - from what I can tell it only installed the toolbar for Internet Explorer, not Firefox. That would explain the decrease in the number of issue reports. Foxit still installs the Ask Toolbar however, I'll check it.
Sorry, the above is wrong - installing the toolbar from http://www.zonealarm.com/security/en-us/spyblocker-download.htm installs it for Firefox as well. It is still version 2.1.0.5 build 6, unchanged. maxVersion is also still Firefox 3.0.*. I didn't run the firewall installer (don't have a VM to run it in) so maybe it still installs that toolbar.
I've contacted Zone Alarm support for this. I was told the information would be forwarded to the developers, so let's wait a couple of cycles and see what happens. Foxit seems to have moved to a different platform (Conduit).
Target Milestone: 5.10 → 5.12
According to the developers of the ZoneAlarm toolbar, a new version will be released sometime in about 2 months. They will not rely on the Ask framework anymore, so it will hopefully be better quality. For now, we'll have to wait...
Duplicate of this bug: 564636
The Zone Alarm installer now includes a completely different add-on. It's now based on Conduit :/, but at least it's not the old Ask code.

Anything missing to close this bug?
I didn't have any reports concerning this issue recently, I guess all copies of this old Ask Toolbar extension "expired" (maxVersion too old). Yes, can be resolved.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Attached file ●●●●●●●●●●● (obsolete) —
maxmyd164: I have no clue why you just uploaded a couple Adblock Plus files. Some comments to go with that would've been helpful. In any case, the reporter of this bug is in fact the Adblock Plus developer, so he clearly doesn't need them.
Attachment #478522 - Attachment is obsolete: true
Attachment #478523 - Attachment is obsolete: true