User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1 Build ID: 20120614114901 Steps to reproduce: Our Ironport appliances are blocking downloads of Firefox with the following text being displayed. This Page Cannot Be Displayed Based on your corporate access policies, this web site ( http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe ) has been blocked because it has been determined by Web Reputation Filters to be a security threat to your computer or the corporate network. This web site has been associated with malware/spyware. Threat Type: othermalware Threat Reason: Domain reported and verified as serving malware. If you have questions, please contact the UT Dallas Computer Help Desk at 972-883-2911 or ( email@example.com ) and provide the codes shown below. If you believe this page has been misclassified, use the button below to report this misclassification. Notification codes: (1, MALWARE, othermalware, Domain reported and verified as serving malware., BLOCK-MALWARE, 0x029b41b8, 1342562888.252, AAAD6wAAAAAAAAAAGf8ACP8AAAD/AAAAAAAAAAAAAAE=, http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe) Actual results: All downloads are blocked Expected results: Downloads should not be blocked.
It looks like a false positive. Did you report the misclassification?
Assignee: nobody → server-ops
Component: Untriaged → Server Operations
Product: Firefox → mozilla.org
QA Contact: phong
Version: 13 Branch → other
As :Loic said, the quickest way to resolve issues like this is to follow their instruction and report the false positive URL (ie. "If you believe this page has been misclassified, use the button below to report this misclassification"). If you have trouble submitting, we can try and find an alternate contact and report the misclassification.
Sure, I know that. But, since Cisco was reporting malware on your sites, we thought you should know about. I don't have a dog in this fight, but if you are serving up malware and don't know it, that would be bad, right? If you can affirm that you've checked your servers and confirmed that they are not serving malware, then we will report a misclassification. But if you're just certain that they are and haven't actually verified that, we're not going to report it. You should know Cisco has thousands of these appliances all over the world, so we're not the only network blocking Firefox downloads. I would think this would be an issue you would want to positively resolve.
Do you really think Mozilla is distributing malwares through its update servers? It's clearly a false positive, see the analysis report on VirusTotal: 0/29 https://www.virustotal.com/url/09fd0f8b57cd0af24a216645e7093a77ce45c0b5219a05af4ad1d1e3b703f849/analysis/ Cisco should fix its heuristics/malware definitions on their side, that's all. It's a frequent issue with vendors of security suite.
I left one thing out. Do I really think Mozilla is distributing malware? I have no way of knowing. That's why I rely on a third party vendor to block known, verified malicious traffic, and that's why I've asked you to verify it. Now I have a question for you. Do you really think Mozilla's servers could never be hacked? And do you really think that if that happened you would know instantly? Or is it just possible that the folks at Mozilla are just as human as the rest of us and could actually be hacked and not discover it right away?
Paul, Thank you for reporting this to us. Mozilla's Operations Security takes reports like this seriously and will investigate, per standard procedure. -- Joe Stevensen Operations Security Manager
Thanks Joe. I hope this turns out to be a false positive, and I will await the results of your investigation. If it is a false positive, we will follow up with Cisco and whitelist the site until they resolve the issue.
Assignee: server-ops → nobody
Component: Server Operations → Security Assurance: Operations
QA Contact: phong
The block has cleared in Ironport. I assume this means that Cisco either contacted Mozilla and resolved the issue or enough people complained that they investigated and determined that it was a false positive. You may want to continue your investigation to ensure that there is not a problem, but as far as I'm concerned, this bug may be closed.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
You need to log in before you can comment on or make changes to this bug.