Careful with Firefox

It might be a good idea to be careful with Firefox extensions. A password stealing add-on was discovered recently that had been downloaded about 2000 times. This is according to 'Threatpost.'

Another add-on that had problems was 'CoolPreviews,' which according to Threatpost Mozilla admitted had a critical security vulnerability. CoolPreviews had been downloaded at a rate of about 77,000 times each week.

According to Threatpost in May, 2008, Mozilla admitted that a worm had gone unnoticed in a Firefox Vietnamese language pack for months.

According to Threatpost in February, 2010, Mozilla warned users that the Sothink Web Video Downloader 4.0 and all versions of Master Filer had a Trojan horse that potentially could spread to the user's PC.

It appears that maybe Firefox add-ons are not as secure as some people think. A lot of people use various add-ons in Firefox. It might be wise to be careful. Or, a person could keep thinking Firefox and its add-ons are still much more secure than Internet Explorer.

I twice tried to use Firefox on my computers. After all, all of these security experts say that Firefox is more secure than Internet Explorer, right? Both times security software found potential problems.

I was attacked personally here when I dared to suggest that open source software could be attacked by malware writers, or malware even deliberately be put into open source software.
 
I use Firefox exclusively and only have the GMAIL add-on. Otherwise I keep things stripped down.


I have to use I.E. for work stuff that doesn't play well with Firefox.
 
Security patches will not help. The malware has been in add-ons that are developed by independent software developers.
 
After all of the security issues in Google GMAIL I decided to fire Google. Google had been my favorite web search engine but I decided I was not going to tolerate all of the privacy issues that seemed to keep coming up. So needless to say I don't use the Google Chrome web browser or the Google online applications.
 
After A-Squared TWICE found potential malware in Firefox (several years apart) I decided to go against the herd and not use Firefox.
 
Originally Posted By: Mystic
After all of the security issues in Google GMAIL I decided to fire Google. Google had been my favorite web search engine but I decided I was not going to tolerate all of the privacy issues that seemed to keep coming up. So needless to say I don't use the Google Chrome web browser or the Google online applications.


What are you searching for that you need that kind of privacy? Who cares...
 
I only have about 5 add-ons in FF that I have been using for about 4-5 years... no problems so far
...I think reading about the ratings of various add-ons (by users) helps a bit... the ones I use are some of the more "established" ones, so perhaps they're a bit safer...
 
Originally Posted By: Mystic
After A-Squared TWICE found potential malware in Firefox (several years apart) I decided to go against the herd and not use Firefox.


http://www.pcmag.com/article2/0,2817,2334423,00.asp

Quote:

it takes a perfectly innocent program and states categorically that it is malware, even displaying an official-looking malware name like Trojan-Proxy.Win32.Delf.bx!IK. I tested it with a dozen PC Magazine utilities and some small programs of my own. Even in this small sample it identified three as malware.


Either your AV is "really good" or "really bad;" I suspect the latter. Millions using FF and no one is claiming the base install is ridden with malware.

Thanks for the warning regarding add ons BTW.
 
Yeah, I'm just running a few. I'm actually running Fx 4.0b1. I love it. I was running a custom optimized 3.6 before and there is no comparison. It's so much faster.
 
It is possible that A-Squared had false positive readings, of course. But after potential malware was found twice, separated by a few years, I decided not to use Firefox. The first time A-Squared found potential malware it found a backdoor in Firefox. I don't think I was using any third party add-ons at that time. The second time A-Squared found potential malware (years later) I think I was using a couple of security add-ons for Firefox: NoScript and another one.

In any case, unless Threatpost is dishonest, Mozilla (which develops and promotes Firefox) admitted to the worm, Trojan Horse program, critical security issue, and password stealing software in the various add-ons that had problems. So this has nothing to do with A-Squared. If Mozilla did in fact admit to these various problems and malware in Firefox add-ons, bringing up that A-Squared may have false positive problems is meaningless.

I am waiting for the personal attacks and the attacks on the messenger and not the message. I was attacked in the past for daring to suggest that malware could wind up in open source software or perhaps even be deliberately installed in third party open source software. Clearly, malware is getting into open source software so I have been proven correct.

I have found that a person may well be attacked personally here if anything negative is mentioned about Linux, open source software, or the Mac. One good thing is that any problems with Microsoft software can be discussed freely because there do not seem to be any extreme Microsoft fans. I am using Microsoft software and if there are any problems with Microsoft software I want to hear about those problems. I do not want any problems swept under the rug.
 
StevieC, of course you cannot expect perfect privacy using email, unless the email is encrypted. But a certain level of privacy is expected. I don't want personal information about me, my credit card number, and so forth to wind up in the wrong hands. You do care about your personal information, correct? Or perhaps, as you say, 'Who cares...'

And no, I am not searching for something that requires some incredible level of privacy. I don't go to porn websites or the dark side of the web. But I don't want for my personal information to be at risk, either. So privacy issues in GMAIL do matter to some people.
 
Originally Posted By: Mystic
StevieC, of course you cannot expect perfect privacy using email, unless the email is encrypted. But a certain level of privacy is expected. I don't want personal information about me, my credit card number, and so forth to wind up in the wrong hands. You do care about your personal information, correct? Or perhaps, as you say, 'Who cares...'

And no, I am not searching for something that requires some incredible level of privacy. I don't go to porn websites or the dark side of the web. But I don't want for my personal information to be at risk, either. So privacy issues in GMAIL do matter to some people.


Just havin' some fun with you is all...
 
If you go to the Sophos website (Sophos is a British A/V program) you can download a 'white paper' about 10 myths that people believe in. And 1 of those myths is that Firefox is the most secure web browser. In fact, Firefox (according to information from Secunia) is at least in 1 way the LEAST secure web browser.

But the bottom line is that NO web browser is really secure. You don't have to visit some dark and evil website in some dark and evil corner of the internet. Malware writers are infecting totally legit and clean websites with malware. When you visit a website that has been infected with malware it does not matter if you are using IE, Firefox, Google Chrome, Safari, or whatever. You can get a driveby download of malware.

If some people can somehow get past their beliefs that open source software is invincible it appears obvious that some malware writers are starting to attack the websites of add-on developers for Firefox. The security at many of those websites is obviously probably not as good as the main Mozilla website. Firefox has become much more popular and if the bad guys can get an add-on for Firefox infected with some kind of junk and that add-on is then downloaded to many thousands of computers then the bad guys can infect those computers.

One possible defense would be to have a secure version of Linux with a web browser running on a write protected CD and using that web browser to visit websites such as banking websites.

If somebody does decide to use Firefox perhaps it is better today to not use any add-ons at all. And to set the cache to ZERO!
 
Nothing is safe anymore...


I know a few people who can make short work of AV programs...it's really scary.


After watching some of the things they do, I don't worry like I used to. If someone wants your stuff bad enough, they are going to get it.
 
Originally Posted By: Mystic
It appears that maybe Firefox add-ons are not as secure as some people think.


Add-ons can be written by anyone to do any of a variety of things. Who thought add-ons were secure, and which add-ons were they talking about?

Originally Posted By: Mystic
I was attacked personally here when I dared to suggest that open source software could be attacked by malware writers, or malware even deliberately be put into open source software.


Again, who says this?

Injecting *any* code that is good, bad or ugly into an open source piece of software is the easiest thing in the world to do: You download the source code, you open it up and you start typing. You can even compile it and distribute it if you wish.

Who said it couldn't be done? Perhaps (the mysterious and enigmatic) "they" were talking about malicious code finding its way into an open source project's releases, where auditing and review procedures are in place before committing the code? Then they'd have a point.

Originally Posted By: Mystic
One possible defense would be to have a secure version of Linux with a web browser running on a write protected CD and using that web browser to visit websites such as banking websites.


Now you're talkin'! And truth be told, as long as the sessions were temporary (like from a live CD) and the CD-based OS never mounted the hard drive (if the system had one), the physical system would itself be as secure as could be. Now, having your data compromised as it travels hither and thither from server to server is another matter; one that depends at least partially on the security and encryption measures taken by the parties with whom you'd be exchanging data.

Also, the OS wouldn't have to be Linux-based - It could be any OS that could run from a live CD.

Originally Posted By: Mystic
If somebody does decide to use Firefox perhaps it is better today to not use any add-ons at all. And to set the cache to ZERO!


Now you're talkin! (Again.)

Additionally, (I don't know how to do this in any other OS besides those that are Linux-based), but encrypting your Firefox profile is also a nice measure to take.
 