Allows HOSTS file to be modified!

Status: VERIFIED INVALID
Product: Firefox
Component: Untriaged
Reporter: Johnathan Stein
Assignee: Unassigned
Blocks: 1 bug
Version: 10 Branch
Hardware: x86
OS: Windows XP
Firefox Tracking Flags: Not tracked

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Build ID: 20120215223356

Steps to reproduce:

I did a search the other day for answers to my kids SKYLANDERS game question; one of the links I clicked on behaved funny -- it popped up a dialog that said "Thank You".  It seemed odd, so it stuck in my mind.



Actual results:

After that, ALL the search links I click on get re-directed.



Expected results:

I ran an MSE scan, which found one item, and cleaned it, but did not fix the problem.

I also ran "SuperAntiSpyware", which found one or two things, but did not fix the problem.

So, I had a look at the HOSTS file, which had the HIDDEN and READ-ONLY attributes set, and found one item:

87.229.126.51    www.bing.com

Which may be in Hungary, according to http://ip-reports.org/87.229.126.0/

This seems to be a MASSIVE failure, if the HOSTS is not protected!

Hope someone can either shed some light on this, or pass it on to the right party.

WinXP Media Center Edition, SP3 & FireFox 10.0.2, Windows Firewall, MSE, all up-to-date.
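
A defender's check for the kind of entry quoted in the report above, as an added example that is not part of the original report or of any Mozilla code: it parses hosts-file text and flags watched search domains pinned to a non-loopback address. The watched-domain list and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: names a home PC's hosts file has no reason to override.
WATCHED_SUFFIXES = ("bing.com", "google.com", "yahoo.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        for name in fields[1:]:                 # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def is_sinkhole(ip):
    """Loopback and 0.0.0.0/:: entries block a name rather than redirect it."""
    return ip.is_loopback or ip.is_unspecified

def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return (line_no, ip, hostname) for watched names redirected elsewhere."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        if any(name == s or name.endswith("." + s) for s in watched):
            findings.append((line_no, str(ip), name))
    return findings

# Constructed sample: benign entries plus the entry quoted in the report.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.test   # blocklist-style entry, not a redirect
87.229.126.51    www.bing.com
192.168.1.10    nas.home.test
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `suspicious_entries`.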

Comment 1

6 years ago
The HOSTS file is part of your operating system, not Firefox.

Not a security bug and invalid.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID

Comment 2

6 years ago
It should be noted that Malware that is already on your computer might be the reason for your hosts manipulation, especially if your spyware detection tool found something. It's unlikely to correct your HOSTS file.
(Reporter)

Comment 3

6 years ago
(In reply to Al Billings [:abillings] from comment #1)
> The HOSTS file is part of your operating system, not Firefox.
> 
> Not a security bug and invalid.


This happened RIGHT AFTER the 10.0.2 upgrade.

Why did Firefox let this through?  Would this have happened with IE or Chrome?


--Johnathan
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

Comment 4

6 years ago
It sounds like you were infected when you visited the site where the "Thank you" occurred. Do you remember which site it was? Do you remember what kind of question you were researching about Skylanders?

The hosts file is part of the Windows operating system. Once you are infected, there is very little the malware can't do. The trick is not to become infected in the first place.

You are running Windows XP. Have you been updating Windows regularly? Click Start then Windows Update and apply all important updates.

You should check http://www.mozilla.org/en-US/plugincheck/ to make sure all of your plugins are up to date.
Blocks: 512788
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
(Reporter)

Comment 5

6 years ago
(In reply to Christian Holler (:decoder) from comment #2)
> It should be noted that Malware that is already on your computer might be
> the reason for your hosts manipulation, especially if your spyware detection
> tool found something. It's unlikely to correct your HOSTS file.

The date & time stamp on HOSTS confirms when it was modified, which was when I did that SKYLANDERS search.

Since it happened the same day I updated Firefox to 10.0.2, it sure looks like Firefox let something slip through.

Failing to protect HOSTS looks like a serious failure on the part of Microsoft's Security Essentials.  I'll try to report it there, somehow...


--Johnathan

Comment 6

6 years ago
(In reply to Johnathan Stein from comment #5)

> The date & time stamp on HOSTS confirms when it was modified, which was when
> I did that SKYLANDERS search.

It is certainly possible that you got infected while doing that search (most likely due to an outdated plugin). Try the plugin check that Bob Clary mentioned above and see if that shows something being outdated.

> Since it happened the same day I updated Firefox to 10.0.2, it sure looks
> like Firefox let something slip through.

I am pretty sure this is coincidence. There is nothing special about this update that would cause such behavior :)
(Reporter)

Comment 7

6 years ago
(In reply to Bob Clary [:bc:] from comment #4)
> It sounds like you were infected when you visited the site where the "Thank
> you" occurred. Do you remember which site it was? Do you remember what kind
> of question you were researching about Skylanders?

It just so happens that Firefox has a better memory than I do:

GOOGLE SEARCH:  wii skylanders skyschooner docks open the gate

I did the first one that turned up:

http://www.google.com/url?sa=t&rct=j&q=wii%20skylanders%20skyschooner%20docks%20open%20the%20gate&source=web&cd=1&ved=0CCMQFjAA&url=http%3A%2F%2Fwww.darkspyro.net%2Fskylanders%2Fschooner%2F&ei=WNNGT7eFFMO1gweF-sH0DQ&usg=AFQjCNEdsmC-QjH7nLTtmF9mbTYWCcMP5w&cad=rja


Do let me know the results, if you decide to try it :()


> You are running Windows XP. Have you been updating Windows regularly? Click
> Start then Windows Update and apply all important updates.

On automatic, weekly.


> You should check http://www.mozilla.org/en-US/plugincheck/ to make sure all
> of your plugins are up to date.

Very useful, thanks!  Did all the ones it suggested, though there were an awful lot that said "? Research"


--Johnathan

Comment 8

6 years ago
(In reply to Johnathan Stein from comment #7)
> 
> GOOGLE SEARCH:  wii skylanders skyschooner docks open the gate
> Do let me know the results, if you decide to try it :()

I didn't see anything on my initial look. I'll investigate more later.

> 
> Very useful, thanks!  Did all the ones it suggested, though there were an
> awful lot that said "? Research"

Good. Which ones did you have to update? 

The ones with Research are ones we do not know anything about. You should go back to where you installed them from and make sure you have the most up to date versions. If you don't need them at all you should remove them. Go to Tools->Addons->Plugins and uninstall any you don't need.

Keeping Firefox as well as your OS and Plugins up to date is the most important thing you can do to keep safe.
(Reporter)

Comment 9

6 years ago
> Good. Which ones did you have to update?

I believe it was SilverLight, Java, Shockwave and Acrobat.  Though the plugin check says "Outdated version", I did NOT update Acrobat, as Adobe keeps updating it; there are problems with Firefox 10.x, and I had to downgrade to the 9.x version.

Some of the "? Research" ones surprised me -- LogMeIn, Microsoft, Google, iTunes, etc.

Comment 10

6 years ago
(In reply to Johnathan Stein from comment #9)

> I believe it was SilverLight, Java, Shockwave and Acrobat.

Especially Java, Shockwave and Acrobat are good candidates for being the cause of your infection, depending on what the old version of these was.

> Though the plugin check says "Outdated version", I did NOT update Acrobat, as Adobe
> keeps updating it; 

If you run the Adobe updater, restart Firefox, revisit the plugincheck site and it still says "Outdated version", then the updater is not working properly and you should either update it using the provided method there or disable the addon.

> there are problems with Firefox 10.x, and I had to downgrade to the 9.x version.

What were your problems? We always do recommend to run the latest version for security and stability reasons.
(Reporter)

Comment 11

6 years ago
> If you run the Adobe updater, restart Firefox, revisit the plugincheck site and it still says "Outdated version", then the updater is not working properly and you should either update it using the provided method there or disable the addon.

It checks itself; there are updates every-so-often.

> What were your problems? We always do recommend to run the latest version for security and stability reasons.

It got "stuck" trying to open PDFs in a link.  Would crash Firefox, too, I think.

I suppose I could try the 10.x again.  Hate to mess with something that's working...big waste of time to downgrade, as I recall.  At least I saved the install package to disk.

Comment 12

6 years ago
Johnathan, I'll close this out with these comments.

Your infection was most likely due to out of date plugins. Java is the primary vector for malware installs and running an out of date version is just asking to be infected. Acrobat is a close second. Any out of date plugin is a cause for concern. Leaving it out of date is a security problem for you and could even be the cause of your crashes attempting to open PDFs.

When we release a new version of Firefox we fix a number of security vulnerabilities which are announced after people have had a chance to update. If you continue to run Firefox 9, then you will be vulnerable to the security vulnerabilities that were fixed in Firefox 10.

Good luck. You may want to consider upgrading your computer to Windows 7 or 8 or a recent Mac OS X later this year after disk prices drop again. Windows XP is just too vulnerable and is reaching its end of life.
Status: RESOLVED → VERIFIED