Thursday, March 17, 2005

Firefox Unleashes Spyware

It looks like the Prophets have been found correct and the age of Firefox Spyware is upon us. While the current Java Scheme requires user intervention, this is how it started on IE. Users were given Pop-up window choices to install a "necessary" program; choosing "Yes" would install the Spyware. I can hear the cyber cries now, as Firefox followers commit mass suicide, their beloved browser infallible no more.

"In a flurry of remote downloads, numerous changes to the registry took place and a sizeable amount of IE specific installs began downloading. Amongst the assortment was DyFuCA, Internet Optimizer, ISTsvc, Kapabout, sais (180 Solutions), SideFind, Avenue Media and something called djtopr1150.exe lurking in the Temp folder."

Double Standard:
Is there a Double Standard for Internet Explorer? Of course there is. The Firefox community will quickly dismiss this sort of exploit. It will be considered not important because it requires user interaction. Yet these same exploits found in Internet Explorer have been fiercely criticized by the Firefox community and used as a reason to switch away from IE. This is also why recommending Firefox as a Spyware solution is very dangerous. Installing and using Firefox does not clean or prevent your system from being infected with Spyware. The parasites can still exist in memory, robbing your system of resources, killing performance and causing application crashes.

Pop-ups:
The infallible Firefox is currently being plagued with Pop-under advertisements that are displayed when you minimize or close Firefox. These are related to the Flash Plug-in. It turns out that Firefox does have the ability to block these but it was disabled by default.

"Well, we shipped 1.0 with the capability to block these pop-ups and pop-unders but we didn't enable it because we were concerned about breaking legitimate uses"

This is an excuse for "We could not write it good enough to not break legitimate uses."

Pop-up Solution:
There are solutions but again this requires as much work as it does on IE.

"To block pop-ups from plugins, open your Firefox 1.0 or 1.0.1 browser, type about:config in the address field. Right-click in the resulting config page somewhere and select New -> Integer. Type privacy.popups.disable_from_plugins in the resulting dialog, hit OK, type 2 in the next dialog and you're all set."

This pref can actually take three values:

0: open allowed
1: the opened windows are treated as popups, but they're allowed to open
2: the window is a popup, block it
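
An added example, not code from the original post or from the Firefox project: a Node.js check that reads the text of a profile's prefs.js and user.js and reports which of the three values above is in effect for privacy.popups.disable_from_plugins. The sample file contents and status names are constructed for illustration; it assumes the usual user_pref("name", value); line format and that user.js, when present, overrides prefs.js.

```javascript
// Added example: report the effective value of the plugin pop-up pref
// from the text of a Firefox profile's prefs.js and user.js.
const PREF = "privacy.popups.disable_from_plugins";

// Meanings of the three values, as listed in the post.
const MEANING = {
  0: "open allowed",
  1: "treated as popups, but allowed to open",
  2: "treated as popups and blocked",
};

// Parse user_pref("name", value); lines. Integers, booleans and strings
// keep their type so a pref created with the wrong type can be flagged.
function parsePrefs(text) {
  const prefs = new Map();
  const body = text.replace(/\/\*[\s\S]*?\*\//g, ""); // drop block comments
  const entry = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;/;
  for (const raw of body.split(/\r?\n/)) {
    const m = entry.exec(raw); // "#" and "//" comment lines never match
    if (!m) continue;
    const [, name, literal] = m;
    if (/^-?\d+$/.test(literal)) prefs.set(name, Number(literal));
    else if (literal === "true" || literal === "false") prefs.set(name, literal === "true");
    else if (/^"(?:[^"\\]|\\.)*"$/.test(literal)) prefs.set(name, literal.slice(1, -1));
  }
  return prefs;
}

// Assumption: user.js, when present, is applied over prefs.js at startup.
function auditProfile(prefsJs, userJs = "") {
  const user = parsePrefs(userJs);
  const saved = parsePrefs(prefsJs);
  const source = user.has(PREF) ? "user.js" : saved.has(PREF) ? "prefs.js" : null;
  if (source === null) {
    return { status: "unset", source, value: undefined,
             detail: "pref absent; per the post, blocking is not enabled by default" };
  }
  const value = (source === "user.js" ? user : saved).get(PREF);
  if (typeof value !== "number") {
    return { status: "wrong-type", source, value,
             detail: "the instructions call for New -> Integer" };
  }
  if (!(value in MEANING)) {
    return { status: "unknown-value", source, value, detail: "expected 0, 1 or 2" };
  }
  return { status: value === 2 ? "blocked" : "not-blocked", source, value,
           detail: MEANING[value] };
}

// Constructed sample inputs (not taken from a real profile).
const SAMPLE_PREFS = [
  '# Mozilla User Preferences',
  '/* Do not edit this file.',
  ' * user_pref("privacy.popups.disable_from_plugins", 2);',
  ' */',
  'user_pref("browser.startup.homepage", "http://example.invalid/");',
  'user_pref("privacy.popups.disable_from_plugins", 1);',
].join("\n");
const SAMPLE_USER_OK = 'user_pref("privacy.popups.disable_from_plugins", 2);';
const SAMPLE_USER_STRING = 'user_pref("privacy.popups.disable_from_plugins", "2");';

for (const [label, userJs] of [
  ["prefs.js only", ""],
  ["user.js sets 2", SAMPLE_USER_OK],
  ["user.js sets a string", SAMPLE_USER_STRING],
]) {
  const r = auditProfile(SAMPLE_PREFS, userJs);
  console.log(`${label}: ${r.status} (${r.detail})`);
}
```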

It should be noted this solution renders certain web pages useless and blocks user-requested Flash Pop-ups. A better solution may be FlashBlock,

"an extension for the Mozilla and Firefox browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves a placeholder on the page that allows you to click to view the Flash content."

Flashblock currently blocks the following content types:

Macromedia Flash
Macromedia Shockwave
Macromedia Authorware


Conclusion:
Firefox, having only been out less than a year, is already being plagued with elementary-style Spyware exploits and Pop-ups. This is only a sign of things to come. The Followers, however, should have taken note to Beware of false Prophets.

35 comments:

Kevin said...

Nobody said Firefox is perfect. It is just a lot better than IE, that's all.

Besides, with extensions like AdBlock, not only are the pop-up/unders gone, I never even see graphic ads anymore.

mv * > /dev/null said...

As 'AJCrowley' wrote on another site about this so called article...and I agree with him/her totally; here is what he/she said:

"This article could have been written by Bill himself. I don't know of what users the Microsoft Fan Club speaks, but if you allow something to install when given the option to not install it, it's your own fault. I personally never (and don't recall seeing anyone else) gave IE flak for situations that require user consent, it's the parasiteware that installs without user consent that bothers me.

As for the so called "vulnerability", it's a feature of Flash, not of Firefox, and they provided the option to disable it (which is more than any other popular Windows browser that I can think of). Apparently not psychically knowing the intent of the content author is "bad programming", and "no programming" is a much better option.

Obvious bias, and the chip on the author's shoulder aside, the best thing about Firefox in my eyes is not that fact that it's "not IE", as the author would likely have you believe is the sole reason most Firefox users love it, but because it's a good browser with a solid framework that exceeds that of IE, and on top of that, it has probably the best extensions interface of any browser, allowing third parties to create such must have things as AdBlock, All-in-one Gestures, Tab Mix etc etc etc. The browser feels a little naked on a clean install, but taking 5 minutes to install some extensions and a skin or two shows that Firefox is the clear leader in the field.

On a closing note, why is it that the vocal IE users that "hate" Firefox (not that they've likely given it a chance, or even installed it in many cases) accuse Firefox users of constantly bashing their beloved IE? It's my experience that Firefox users are secure and content in the knowledge that they have made the right choice, and it's that vocal minority of the IE lovers that seem to have a need to put other browsers, and their users down, obviously to reinforce their faltering faith in the all knowing and benevolent Microsoft."

Dudeous Maximus said...

With all the holes I.E. has and the new holes that keep getting unearthed on a near daily basis that one of its supporters would even think to publish something like this is laughable at best.

Firefox might not be the best game in town but it is a damn sight more reliable than I.E. has ever thought of being.

Personally I applaud the people that took the time to write this software not out of any kind of greed but just out of a desire to offer an alternative, kudos to them.

Andrew said...

More reliable? Then how come 15% of web pages do not render correctly in it?

Bill said...

Nothing is perfect. I don't recall ever reading anything that says Firefox was or is. You have the right to choose what browser to use. If you want to stick with a browser that is known to have issues and security flaws, not to mention it's well over 3 years old, go right ahead. No one is going to stop you. But the ability to have extensions, and tabbed browsing are two features I can't live without. I'm just smart enough to click NO on popups.

BadgerDigger said...

"Firefox having only been out less than a year is already being plagued with elementary style Spyware exploits and Pop-ups."

Two things about this line.
1. This wasn't the case when 1.0 first came out.
2. This has always been the case for IE.
With that said, this isn't a plague and it isn't elementary.

I can also sum it up this way.

Firefox vs. IE is like the army vs. the police. Even though both are not perfect at protecting you, one will do a much better job. When it comes to browsers, Firefox does the better job.

Andrew -
What are the 15% of sites that you are talking about? I think that is really closer to 1%, if even that. Unless you are visiting dinky sites that are developed by people who know nothing about standards.

Blogs for Firefox

Unknown said...

I had a good laugh reading this. I thought this article was a joke at first, but I guess I am wrong. What especially amuses me is this "More reliable? Then how come 15% of web pages do not render correctly in it?" This is because those 15% of web pages are coded sloppily and Firefox follows stricter W3C standards than IE does. I shouldn't even say "stricter", what I mean is that Firefox follows W3C standards, IE does not.

As for pop-ups, pop-unders, banners, ads, etc. I have not seen a single one in ages. I use FF's standard pop-up blocking options plus Ad-Block (with Filterset-G) and a custom hosts file. I scan my computer weekly with four different anti-spyware scanners and my system comes up clean every week- no spyware: EVER!

Can this be accomplished with a system that uses IE as its default browser? I think not.

Andrew said...

"Can this be accomplished with a system that uses IE as its default browser? I think not."

Easily. Install SP2. So long as you click on "no" at security warnings you will get no more spyware.

For those not in XP or have SP2 installed they can uninstall MSJVM, install and update SpywareBlaster and use a popup blocker like the Google Toolbar and be Spyware Free too.

If you want Tabbed browsing that works right and the ability to look at EVERY web correctly use AvantBrowser.

Amazingly I get no spyware (other than cookies) and neither do my clients all using IE or AvantBrowser. So much for Myths and Propaganda!

mak said...

Psssss

So why clicking "no" in IE is more valid than clicking "no" in Firefox?

Great that you found a safe IE configuration but stop bashing people that found a safe Firefox configuration.

Clearly you have no point.

Andrew said...

"So why clicking "no" in IE is more valid than clicking "no" in Firefox?"
->Ah, did you read the article? No one said it was.

"Clearly you have no point."
->The point is simple Firefox is vulnerable to Spyware. When you compare SP2 IE vs Firefox, the spyware argument is mute. What is even better is IE does not need any Extensions.

Kevin said...

After I helped install Firefox on my friends' computers, NONE of them came back to me for "weird problems" (search hijacked, images not working, computer slow...etc) anymore.

I am sure many others have experienced the same.

I tried using IE since version 2 (I gave them a chance when everybody else used Netscape, IE2 did suck.) When IE4 came out, it blew NS away, I told all my friends to switch over.

time passed...

I tried out Firefox/Phoenix ever since 0.2. When 0.6 was out, I started telling people to switch over.

I am willing to give MS one more chance with IE7, but until then, I am sticking with Fx.

Andrew said...

None of my clients come back with the same problem either and they are still using IE.

Andrew said...

Ut oh http://phpnuke.org/ Pop-up! Stopped cold by IE SP2's popup blocker! Not Firefox though.

scroob said...

What a ridiculous premise. Was it really necessary to write this? Any moron knows that clicking "yes" in a dialog box creates an action.

Put this in your pipe and smoke it - there is now an IE exploit that installs malware even when the user selects "no" in the dialog box.

I never fail to marvel at what IE and Microsoft shills will stoop to. Is the writer of this article getting a check from Bill Gates? It sure sounds like it.

Face the music - enlightened users have found an alternative to IE that is not only far better, but far more secure. I don't have to install Java and Flash in Firefox if I don't want to. With IE, I have no choice.

I wonder if the author has looked at the responses to this ridiculous article. He has been made to look pretty petty, as well as unknowledgeable.

Andrew said...

"there is now an IE exploit that installs malware even when the user selects "no" in the dialog box."
-> Not with SP2 or a properly configured Internet Explorer setup.

"I don't have to install Java and Flash in Firefox if I don't want to. With IE, I have no choice."
- > If you were knowledgeable you would know this is not true. You do not have to install either with IE.

- > Unfortunately I have yet to receive any checks from Microsoft. Considering how critical I have been of them in the past I do not see any forthcoming.

I/O Error said...

Has it occurred to you that a much better option is to simply use Firefox and SP2, which many users do?

Ah, no of course not. Because clearly you feel that IE and SP2 are inseparable, and to have one is to be joined at the hip with the other. Patently not so. You're talking about a browser on one hand and an OS service pack on the other, and you're trying to treat them as being one and the same. Ridiculous!

Install SP2. Use Firefox. Result? Quite simply, fewer spyware/malware problems. What... you think SP2 alone cuts the mustard, if a user continues to use IE?

My very job confirms that sadly, IE just doesn't do it. In fact my company has swapped wholesale over to Firefox. We have no regrets whatsoever, and our annoying spyware problems have been effectively eliminated. All of our workstations have SP2, and the company relies on a hardware firewall. But even then IE was still enabling people to get "bad things" via carelessness or cluelessness.

Don't be a mouthpiece.

Andrew said...

This exploit proves that Firefox is no more secure than IE+SP2 in regards to clueless users. Your point is mute.

I/O Error said...

Even our most clueless individuals never clicked yes to blatant spyware, genius, heh heh.

Whereas, with IE, even under SP2... they don't have to do anything except go to infested websites. No need to click on anything or accept any java/flash/etc. dialogs.

Your point is not only moot, it's flat out wrong.

Andrew said...

"Whereas, with IE, even under SP2... they don't have to do anything except go to infested websites. No need to click on anything or accept any java/flash/etc. dialogs."
-> Nope, Wrong! Post One Link to a site that autoinstalls Spyware with SP2. None exist because it can't happen.

I/O Error said...

...really believe that, do you? :-D

I make a fairly profitable offshoot of my career by disproving that notion for people, heh heh.

And if we assumed you were correct... then the fault of the spyware is in the OPERATING SYSTEM, and not the browser. Thus it wouldn't matter if people picked Firefox or IE, would it? ;)

A patently false statement, of course. But you're edging towards it, and it's not pretty.

Andrew said...

Post a link that auto-installs Spyware with SP2. I believe what I see. None of my clients or myself have been infected with auto-installing Spyware with SP2. I know people would rather believe Myths and continue making things. If you don't have a link you have no proof.

Continuous Life said...

I am a technician at a local computer repair shop. This issue I have wondered over for quite some time. I spend most of my time at work cleaning annoying spyware and malware from customers' systems. Really there is no cut and dry "Best" browser...it's just not ever that simple.

Internet Explorer I find tends to be a little too "tied in" to the operating system itself...almost inviting vulnerabilities. In Windows XP, you cannot even Uninstall Internet Explorer...because it is vital for the operating system's functionality. Service Pack 2 has done a very good job of covering some holes, but SP2 is definitely not the "elixir" for IE OR Windows XP. I deal with XP SP2 systems with loads and loads of spyware on a daily basis.

The main thing that has drawn me to Firefox is not that it's better...but it's an alternative. It is a complete third party application with minimal ties to any vital functions of the operating system. I also have noticed an increase in browsing performance while using Firefox. I very rarely get any pop-ups in any form while using Firefox. My only problem with Firefox is it tends to be a bit of a memory hog (but a lot of things must be considered to even take this into account)

The truth is that as long as there are people writing new software, there will be 10 times as many people there to find holes, and bugs, and ways to exploit it. It's only a matter of time. Luckily, spyware rarely comes from legitimate sites, so if you have some common sense, you'll be fine...and if you do get spyware, 99% of the time you allowed it...whether you realized it or not. The web browser can only be as good as the user allows it to be.

IE VS Firefox?...try 'em both and decide for yourself...don't believe everything you read.

Andrew said...

I work for a Computer OEM and the only Spyware you get with IE+SP2 are user induced. Proper system management can even eliminate next to all of these user induced problems. Installing SP2 does not remove Spyware so you will find a lot more SP2 machines with Spyware on them after April (SP2 mandatory rollout) initially but you will also find a lot less from that point on once they are cleaned. Since SP2 effectively blocks all known auto-install exploits.

I use IE daily and never get any Spyware.

Kevin said...

but...can you surf with style? (tabbed browsing, find as you type, ad-blocking, session-saver, greasemonkey...etc)

I got flamed for my post about ad-block and firefox extensions.

are you telling me you don't have google bar installed? and you do not even have ONE add-on (as defined by MS, under tools->internet options->programs->manage add-ons) installed?

If you do, then don't say firefox needs extensions, cuz your IE needs em, too. AND it still sucks.

Andrew said...

My comment in regards to extensions was for the Pop-up blocking problem. It was a default IE6+SP2 vs. Firefox 1.0.1. Which I proved IE6+SP2 does a better job.

IE6's basic interface is getting dated but this was never the discussion here and like Firefox extensions there are things you can add to improve on it. The simplest being AvantBrowser. I wish people would get off the Firefox Tabbed Browsing argument, I've been using tabs for years without Firefox. It is nothing new and Firefox does a poor job with Tabs.

rmaharaj said...

"It looks like the Prophets have been found correct and the age of Firefox Spyware is upon us."
Er... sure. ONE spyware incident with Firefox and it's an "age." Somehow, I'm not grasping the logic there. Personally, I do not consider ANY spyware that is only installed due to the user's accepting a prompt which clearly states the risk to be a vulnerability in the browser. The browser has done all that it should be alerting the user to the risk of accepting the prompt. If they make an informed decision to install the spyware, it's not the browser that's failing to protect them. They're failing to protect themselves.

"While the current Java Scheme requires user intervention, this is how it started on IE."
Guess what: Firefox isn't IE. Just because 'it started this way on IE' doesn't mean that Firefox will follow suit. You cannot dismiss Firefox based on events that have not occurred yet.

"I can hear the cyber cries now, as Firefox followers commit mass suicide, their beloved browser infallible no more."
And the point of that was what? Firefox isn't infallible, it never has been, and it never will be. No one with their head screwed on properly will claim that it is.

"Yet these same exploits found in Internet Explorer have been fiercely criticized by the Firefox community and used as a reason to switch away from IE."
As I said above, I will not call anything requiring obvious user intervention a vulnerability in the browser.

"The infallible Firefox is currently being plagued with Pop-under advertisements that are displayed when you minimize or close Firefox. These are related to the Flash Plug-in."
Hmm... I haven't seen even one of these. Perhaps you could post a link that would substantiate this claim?

"It turns out that Firefox does have the ability to block these but it was disabled by default."
No software can ship with default settings that are ideal for everyone. A good addition to Firefox for non-tech savvy users would be a configuration wizard that runs after installation (like the one included with ZoneAlarm Security Suite) that would allow users to quickly and easily configure their browser.

"Firefox having only been out less than a year is already being plagued with elementary style Spyware exploits and Pop-ups."
Again I question your use of 'plagued.' Not only are spyware and pop-up/pop-under issues on Firefox minimal, IE went through 5 releases and God knows how many years before it had a pop-up blocker. Furthermore, IE users not running XP SP2 still don't have a built-in pop-up blocker. At least when a problem with Firefox crops up Mozilla is willing to patch it within a reasonable timeline. While IE users had 7 days in 2004 when they were safe, Firefox users had 85% of the year.

Andrew said...

Ut oh http://phpnuke.org/ Pop-up! Stopped cold by IE SP2's popup blocker! Not Firefox though.

You apparently missed the article and did not read it nor the comments.

rmaharaj said...

I did not read the comments, but did you even read my comment?

Andrew said...

"I did not read the comments, but did you even read my comment?"
-> Yes and it reads as someone who skimmed the article and did not read any of the replies.

"The Firefox community will quickly dismiss this sort of exploit. It will be considered not important because it requires user interaction. Yet these same exploits found in Internet Explorer have been fiercely criticized by the Firefox community and used as a reason to switch away from IE."

SmokieUK said...

"Ut oh http://phpnuke.org/ Pop-up! Stopped cold by IE SP2's popup blocker! Not Firefox though."

Where? I don't get a pop-up when I go there, and neither does the pop-up blocker show itself. Nor do I get a pop-under. I'm using Firefox 1.0.2.

"The Firefox community will quickly dismiss this sort of exploit. It will be considered not important because it requires user interaction. Yet these same exploits found in Internet Explorer have been fiercely criticized by the Firefox community and used as a reason to switch away from IE."

I very slightly agree with you there. I think though, there's a lot more serious issues with IE that many Firefox users (myself included) will use as reasons to switch away from IE.

Microsoft have used the exact same reasons of user interaction to dismiss a vulnerability (drag and drop functionality in IE is one example) before.

Of course people will target Firefox just like they do IE. The difference is, Mozilla can and will fix things up a lot quicker than Microsoft.

Andrew said...

"Where? I don't get a pop-up when I go there, and neither does the pop-up blocker show itself. Nor do I get a pop-under. I'm using Firefox 1.0.2."
-> Compare dates.

"I very slightly agree with you there. I think though, there's a lot more serious issues with IE that many Firefox users (myself included) will use as reasons to switch away from IE."
-> Name one.

"The difference is, Mozilla can and will fix things up a lot quicker than Microsoft."
-> This is not true at all.

Quining said...

"As for the so called "vulnerability", it's a feature of Flash, not of Firefox, and they provided the option to disable it (which is more than any other popular Windows browser that I can think of)."

Allowing windows to open is ultimately a feature of the browser. If the browser cannot open windows (such as in some PDAs and certain embedded devices with no sense of window switching), then no Flash plugin can force the browser to open a window. That privilege is extended to the Flash plugin by Firefox and as such, Firefox should manage control of those extended permissions.

In IE, Flash can also open popups, but IE is able to treat those popups as unrequested popups and therefore block them as they do with normal javascript popups. Firefox cannot do this and only allows either blocking all or blocking none. If you ask me, Firefox's technique is far inferior than IE's technique.

FragKing said...

This column is pretty old, in fact it is months old. But I gotta say, those who defend MSIE are... not smart. All you need is the latest version of Firefox with a few extensions and you're good to go. Adblock, NoScript, and CookieCuller are it, if you're into security and nothing else.

NoScript is especially notable due to its JavaScript blocking capabilities. You can choose which javascripts to load on each site you visit (and it doesn't take long to customize either). You know what that means? No harmful code unless you allow it. No popups, no backdoor trojans trying to install, nadda thing.

Adblock obviously blocks ads. Self-explanatory, and it's extremely effective. In fact I haven't been bugged by flashing ads for a very long while now.

CookieCuller is just the cookie editor I use, I know there are others out there for Firefox. This particular one remembers and protects the cookies I want, and deletes the rest every time I close the browser. So guess what? No more exploring my cookie directory and emptying it every time I surf! Dun dun dun!

But back to MSIE. Have any of you ever noticed the freaky security holes that appear all too often? It's basically normal for IE. Every month "New security patch!". Good god. Firefox has had a few, yes, but not nearly as many as IE.

Quite frankly, I have had no problems whatsoever with Firefox. I'm not saying it's perfect. I'm not saying it's unhackable. But I'm saying it's a hell of a lot more secure than IE.

Yeah sure, if you're irresponsible online (visiting bad sites/installing questionable software etc etc) then yes, you will run into problems. Obviously. But if you go online to do research, check email, and surf responsibly, you've got it made. With Firefox. I personally recommend it.

One more thing. Type in "drive by downloads" into google and see what you come up with. (Note, this is for IE users only). Interesting stuff, for sure. The rundown is spyware installing automatically, no EULAs or "Ok" buttons or anything. Just bam, it's there. With IE.

Be smart. Use protection.

Andrew said...

"One more thing. Type in "drive by downloads" into google and see what you come up with. (Note, this is for IE users only). Interesting stuff, for sure. The rundown is spyware installing automatically, no EULAs or "Ok" buttons or anything. Just bam, it's there. With IE."

SP2 eliminates this problem. Spyware CANNOT automatically install on IE with SP2. If you don't have SP2 simply uninstall MSJVM, install and update Spyware Blaster and install all your Windows updates. Drive by Spyware problem solved.

Security problems in IE are solved by simply enabling automatic updates.

The purpose of this post is to demonstrate that Firefox is no more secure than IE, which it does.

Mr.Yoshimoto said...

I've used Firefox for a while now and can say I only used it for tabbed browsing. Opera is working quite well for me now, Firefox is a piece of crap that makes all of my bookmarks disappear and slows down my computer using an insane amount of memory. I'm not some loser that holds on to a brand when it quits working.