Thursday, March 17, 2005

Firefox Unleashes Spyware

It looks like the Prophets have been found correct and the age of Firefox Spyware is upon us. While the current Java Scheme requires user intervention, this is how it started on IE. Users were given Pop-up window choices to install a "necessary" program; choosing "Yes" would install the Spyware. I can hear the cyber cries now, as Firefox followers commit mass suicide, their beloved browser infallible no more.

"In a flurry of remote downloads, numerous changes to the registry took place and a sizeable amount of IE specific installs began downloading. Amongst the assortment was DyFuCA, Internet Optimizer, ISTsvc, Kapabout, sais (180 Solutions), SideFind, Avenue Media and something called djtopr1150.exe lurking in the Temp folder."

Double Standard:
Is there a Double Standard for Internet Explorer? Of course there is. The Firefox community will quickly dismiss this sort of exploit. It will be considered not important because it requires user interaction. Yet these same exploits found in Internet Explorer have been fiercely criticized by the Firefox community and used as a reason to switch away from IE. This is also why recommending Firefox as a Spyware solution is very dangerous. Installing and using Firefox does not clean your system or prevent it from being infected with Spyware. The parasites can still exist in memory, robbing your system of resources, killing performance and causing application crashes.

Pop-ups:
The infallible Firefox is currently being plagued with Pop-under advertisements that are displayed when you minimize or close Firefox. These are related to the Flash Plug-in. It turns out that Firefox does have the ability to block these but it was disabled by default.

"Well, we shipped 1.0 with the capability to block these pop-ups and pop-unders but we didn't enable it because we were concerned about breaking legitimate uses"

This is an excuse for "We could not write it well enough not to break legitimate uses."

Pop-up Solution:
There are solutions, but again this requires as much work as it does on IE.

"To block pop-ups from plugins, open your Firefox 1.0 or 1.0.1 browser, type about:config in the address field. Right-click in the resulting config page somewhere and select New -> Integer. Type privacy.popups.disable_from_plugins in the resulting dialog, hit OK, type 2 in the next dialog and you're all set."

This pref can actually take three values:

0: open allowed
1: the opened windows are treated as popups, but they're allowed to open
2: the window is a popup, block it
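
To check what a given profile actually ends up with, the following added example (not from the original post or from Mozilla) reads the pref out of profile prefs files and classifies it against the three values above. It assumes entries have the form `user_pref("name", value);` and that `user.js` overrides `prefs.js`; the function names and the sample file contents are constructed for illustration.

```python
import re

PREF = "privacy.popups.disable_from_plugins"  # pref name from the quoted steps
MEANING = {  # the three values listed above
    0: "open allowed",
    1: "treated as popups, but allowed to open",
    2: "treated as a popup and blocked",
}
# One entry of a profile prefs file: user_pref("name", value);
ENTRY = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(text, name=PREF):
    """Return the raw value last assigned to name in text, or None."""
    value = None
    for line in text.splitlines():
        m = ENTRY.match(line)  # commented-out entries do not match
        if m and m.group(1) == name:
            value = m.group(2)  # a later entry replaces an earlier one
    return value

def audit(prefs_js, user_js=""):
    """Classify the effective setting (assumes user.js overrides prefs.js)."""
    raw = read_pref(user_js)
    if raw is None:
        raw = read_pref(prefs_js)
    if raw is None:
        return ("unset", "pref absent; the browser default applies")
    if not re.fullmatch(r"-?\d+", raw):
        # e.g. created as a String instead of an Integer in about:config
        return ("invalid", "not an integer: " + raw)
    n = int(raw)
    if n not in MEANING:
        return ("invalid", "outside 0-2: " + raw)
    return ("blocked" if n == 2 else "not blocked", MEANING[n])

# Constructed sample profile contents, not taken from a real system.
SAMPLE_PREFS = (
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("privacy.popups.disable_from_plugins", 1);\n'
)
SAMPLE_USER = (
    '// user_pref("privacy.popups.disable_from_plugins", 0);\n'
    'user_pref("privacy.popups.disable_from_plugins", 2);\n'
)

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS))
    print(audit(SAMPLE_PREFS, SAMPLE_USER))
```
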

It should be noted this solution renders certain web pages useless and blocks user requested Flash Pop-ups. A better solution may be FlashBlock,

"an extension for the Mozilla and Firefox browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves a placeholder on the page that allows you to click to view the Flash content."

Flashblock currently blocks the following content types:

Macromedia Flash
Macromedia Shockwave
Macromedia Authorware


Conclusion:
Firefox, having been out less than a year, is already being plagued with elementary-style Spyware exploits and Pop-ups. This is only a sign of things to come. The Followers, however, should have taken note to Beware of false Prophets.

21 comments:

Kevin said...

Nobody said Firefox is perfect. It is just a lot better than IE, that's all.

Besides, with extensions like AdBlock, not only are the pop-up/unders gone, I never even see graphic ads anymore.

Andrew said...

More reliable? Then how come 15% of web pages do not render correctly in it?

BadgerDigger said...

"Firefox having only been out less then a year is already being plagued with elementary style Spyware exploits and Pop-ups."

Two things about this line.
1. This wasn't the case when 1.0 first came out.
2. This has always been the case for IE.
With that said, this isn't a plague and it isn't elementary.

I can also sum it up this way.

Firefox vs. IE is like the army vs. the police. Even though both are not perfect at protecting you, one will do a much better job. When it comes to browsers, Firefox does the better job.

Andrew -
What are the 15% of sites that you are talking about? I think that is really closer to 1%, if even that. Unless you are visiting dinky sites that are developed by people who know nothing about standards.

Blogs for Firefox

Unknown said...

I had a good laugh reading this. I thought this article was a joke at first, but I guess I am wrong. What especially amuses me is this "More reliable? Then how come 15% of web pages do not render correctly in it?" This is because those 15% of web pages are coded sloppily and Firefox follows stricter W3C standards than IE does. I shouldn't even say "stricter", what I mean is that Firefox follows W3C standards, IE does not.

As for pop-ups, pop-unders, banners, ads, etc. I have not seen a single one in ages. I use FF's standard pop-up blocking options plus Ad-Block (with Filterset-G) and a custom hosts file. I scan my computer weekly with four different anti-spyware scanners and my system comes up clean every week- no spyware: EVER!

Can this be accomplished with a system that uses IE as its default browser? I think not.

Andrew said...

"Can this be accomplished with a system that uses IE as its default browser? I think not."

Easily. Install SP2. So long as you click on "no" at security warnings you will get no more spyware.

For those not in XP or have SP2 installed they can uninstall MSJVM, install and update SpywareBlaster and use a popup blocker like the Google Toolbar and be Spyware Free too.

If you want Tabbed browsing that works right and the ability to look at EVERY web correctly use AvantBrowser.

Amazingly I get no spyware (other than cookies) and neither do my clients all using IE or AvantBrowser. So much for Myths and Propaganda!

Andrew said...

"So why clicking "no" in IE is more valid than clicking "no" in Firefox?"
->Ah, did you read the article? No one said it was.

"Clearly you have no point."
->The point is simple: Firefox is vulnerable to Spyware. When you compare SP2 IE vs Firefox, the spyware argument is moot. What is even better is IE does not need any Extensions.

Kevin said...

After I helped install Firefox on my friends' computers, NONE of them came back to me for "weird problems" (search hijacked, images not working, computer slow...etc) anymore.

I am sure many others have experienced the same.

I tried using IE since version 2 (I gave them a chance when everybody else used Netscape, IE2 did suck.) When IE4 came out, it blew NS away, I told all my friends to switch over.

time passed...

I tried out Firefox/Phoenix ever since 0.2. When 0.6 was out, I started telling people to switch over.

I am willing to give MS one more chance with IE7, but until then, I am sticking with Fx.

Andrew said...

None of my clients come back with the same problem either and they are still using IE.

Andrew said...

Uh oh http://phpnuke.org/ Pop-up! Stopped cold by IE SP2's popup blocker! Not Firefox though.

Andrew said...

"there is now an IE exploit that installs malware even when the user selects "no" in the dialog box."
-> Not with SP2 or a properly configured Internet Explorer setup.

"I don't have to install Java and Flash in Firefox if I don't want to. With IE, I have no choice."
-> If you were knowledgeable you would know this is not true. You do not have to install either with IE.

-> Unfortunately I have yet to receive any checks from Microsoft. Considering how critical I have been of them in the past I do not see any forthcoming.

Andrew said...

This exploit proves that Firefox is no more secure than IE+SP2 in regards to clueless users. Your point is moot.

Andrew said...

"Whereas, with IE, even under SP2... they don't have to do anything except go to infested websites. No need to click on anything or accept any java/flash/etc. dialogs."
-> Nope, Wrong! Post One Link to a site that autoinstalls Spyware with SP2. None exist because it can't happen.

Andrew said...

Post a link that auto-installs Spyware with SP2. I believe what I see. None of my clients or myself have been infected with auto-installing Spyware with SP2. I know people would rather believe Myths and continue making things. If you don't have a link you have no proof.

Andrew said...

I work for a Computer OEM and the only Spyware you get with IE+SP2 are user induced. Proper system management can even eliminate next to all of these user induced problems. Installing SP2 does not remove Spyware so you will find a lot more SP2 machines with Spyware on them after April (SP2 mandatory rollout) initially but you will also find a lot less from that point on once they are cleaned. Since SP2 effectively blocks all known auto-install exploits.

I use IE daily and never get any Spyware.

Kevin said...

but...can you surf with style? (tabbed browsing, find as you type, ad-blocking, session-saver, greasemonkey...etc)

I got flamed for my post about ad-block and firefox extensions.

are you telling me you don't have google bar installed? and you do not even have ONE add-on (as defined by MS, under tools->internet options->programs->manage add-ons) installed?

If you do, then don't say firefox needs extensions, cuz your IE needs em, too. AND it still sucks.

Andrew said...

My comment in regards to extensions was for the Pop-up blocking problem. It was a default IE6+SP2 vs. Firefox 1.0.1. Which I proved IE6+SP2 does a better job.

IE6's basic interface is getting dated but this was never the discussion here and like Firefox extensions there are things you can add to improve on it. The simplest being AvantBrowser. I wish people would get off the Firefox Tabbed Browsing argument, I've been using tabs for years without Firefox. It is nothing new and Firefox does a poor job with Tabs.

Andrew said...

Uh oh http://phpnuke.org/ Pop-up! Stopped cold by IE SP2's popup blocker! Not Firefox though.

You apparently missed the article and did not read it nor the comments.

Andrew said...

"I did not read the comments, but did you even read my comment?"
-> Yes and it reads as someone who skimmed the article and did not read any of the replies.

"The Firefox community will quickly dismiss this sort of exploit. It will be considered not important because it requires user interaction. Yet these same exploits found in Internet Explorer have been fiercely criticized by the Firefox community and used as a reason to switch away from IE."

Andrew said...

"Where? I don't get a pop-up when I go there, and neither does the pop-up blocker show itself. Nor do I get a pop-under. I'm using Firefox 1.0.2."
-> Compare dates.

"I very slightly agree with you there. I think though, there's a lot more serious issues with IE that many Firefox users (myself included) will use as reasons to switch away from IE."
-> Name one.

"The difference is, Mozilla can and will fix things up a lot quicker than Microsoft."
-> This is not true at all.

Andrew said...

"One more thing. Type in "drive by downloads" into google and see what you come up with. (Note, this is for IE users only). Interesting stuff, for sure. The rundown is spyware installing automatically, no EULAs or "Ok" buttons or anything. Just bam, it's there. With IE."

SP2 eliminates this problem. Spyware CANNOT automatically install on IE with SP2. If you don't have SP2 simply uninstall MSJVM, install and update Spyware Blaster and install all your Windows updates. Drive by Spyware problem solved.

Security problems in IE are solved by simply enabling automatic updates.

The purpose of this post is to demonstrate that Firefox is no more secure than IE, which it does.

Mr.Yoshimoto said...

I've used Firefox for a while now and can say I only used it for tabbed browsing. Opera is working quite well for me now, Firefox is a piece of crap that makes all of my bookmarks disappear and slows down my computer using an insane amount of memory. I'm not some loser that holds on to a brand when it quits working.