Malware shipped with Firefox 2 language pack




Mozilla is warning that a Vietnamese language pack for Firefox 2 is carrying malware.

In her blog, Mozilla security chief Window Snyder writes:

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content.  This code is the result of a virus infection, but does not contain the virus itself.  This usually results in the user seeing unwanted ads, but may be used for more malicious actions.

Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy.  While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.

Also follow the bug for the issue.

Snyder also noted that Mozilla scans for viruses at upload time, but the scanner didn't catch this problem "until several months after the upload." Mozilla is adding additional virus scans to catch these issues in the future.

Topics: Malware, Browser, Security


Talkback

23 comments
  • If the "language pack" is open source, why didn't they catch it? :-)

    If the "language pack" is open source, why didn't they catch it? :-)
    qmlscycrajg
    • What difference does open source make?

      If it was developed by Mozilla then they could see the code open or closed. All source is open to the company producing it. What does open source have to do with it?
      storm14k
    • They did.

      The malicious script contained in the language pack was noticed and reported in a Mozilla bug report:

      "Hello,

      Vietnamese Language Pack 2.0 at http://addons.mozilla.org/firefox/addon/5954
      has the Xorer trojan. All help pages (*.xhtml) have malicious script right after
      </html>:

      <script src="http://%6A%73..."></script>"

      https://bugzilla.mozilla.org/show_bug.cgi?id=432406
      FreewheelinFrank
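The bug report quoted above describes the defect precisely: a `<script src="...">` tag appended after the closing `</html>` of every `.xhtml` help page, with the URL percent-encoded so a naive grep for the hostname finds nothing. Here is an added example, not Mozilla's scanner or any code from the bug, of the check an upload-time scanner could run over an unpacked language pack: flag any non-whitespace content after the document's closing tag and decode any remote script sources found there. The two sample pages and the host `example.invalid` are constructed for the demonstration.

```python
"""
Trailing-script check for XHTML help pages in an unpacked language pack.
Added example (not Mozilla's code); models the injection quoted from
bug 432406: a <script src="..."> placed after </html>.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List
from urllib.parse import unquote, urlparse

HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def trailing_content(xhtml: str) -> str:
    """Return whatever follows the last </html> tag, whitespace stripped.

    A well-formed help page has nothing here; the infected pages had a
    script element.
    """
    matches = list(HTML_CLOSE.finditer(xhtml))
    if not matches:
        return ""
    return xhtml[matches[-1].end():].strip()


def remote_script_sources(fragment: str) -> List[str]:
    """Decode percent-encoded src attributes and keep the off-host ones."""
    found = []
    for raw in SCRIPT_SRC.findall(fragment):
        src = unquote(raw)  # "%6A%73..." hides "js..." from a plain grep
        if urlparse(src).scheme in ("http", "https"):
            found.append(src)
    return found


def scan_xhtml(name: str, xhtml: str) -> Dict:
    """Classify one page; any script after </html> is suspicious."""
    tail = trailing_content(xhtml)
    remote = remote_script_sources(tail)
    return {
        "file": name,
        "trailing_bytes": len(tail),
        "remote_scripts": remote,
        "suspicious": bool(remote) or "<script" in tail.lower(),
    }


def scan_unpacked_pack(root: Path) -> List[Dict]:
    """Scan every .xhtml file under an unpacked language pack directory."""
    return [
        scan_xhtml(str(p.relative_to(root)), p.read_text(errors="replace"))
        for p in sorted(root.rglob("*.xhtml"))
    ]


# Constructed sample pages (not taken from the real language pack).
CLEAN_PAGE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Help</title></head>'
    "<body><p>Trợ giúp</p></body></html>\n\n"
)
# "%65%78%61%6D%70%6C%65" decodes to "example"; host is a placeholder.
INFECTED_PAGE = CLEAN_PAGE + (
    '<script src="http://%65%78%61%6D%70%6C%65.invalid/x.js"></script>'
)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "help").mkdir()
        (root / "help" / "intro.xhtml").write_text(CLEAN_PAGE, encoding="utf-8")
        (root / "help" / "search.xhtml").write_text(INFECTED_PAGE, encoding="utf-8")
        for result in scan_unpacked_pack(root):
            flag = "SUSPICIOUS" if result["suspicious"] else "ok"
            print(f"{flag:10} {result['file']} {result['remote_scripts']}")
```

The check deliberately ignores scripts inside the document body, which help pages may legitimately contain; it targets the one structural property of this incident, content after the root element's closing tag, and decodes the `src` before deciding whether it points off-host.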
  • If the "language pack" is open source, why didn't they catch it?

    If the "language pack" is open source, why didn't they catch it?
    qmlscycrajg
    • Many eyes can != Many eyes will

      Trained eyes are also better than untrained, especially when it comes to security
      rpmyers1
  • If the "language pack" is open source, why didn't they catch it?

    If the "language pack" is open source, why didn't they catch it? :-)
    qmlscycrajg
    • Got stuck keys?

      or Parkinson's?
      shallow_diver
  • They're imitating Microsoft...

    Several years ago, I went to a computer show and Microsoft had a booth there. They were handing out diskettes with some demo software on them (I can't recall what software). Those diskettes were all infected with a virus. I didn't take a diskette, but I got tons of emails and phone calls saying "Don't use the Microsoft disk, it's got a virus!".

    Sometimes lessons are learned the hard way...
    Carrion
    • Refreshing your memory

      "Several" years ago?

      That was in 1996, 12 years ago. It involved two Word document files that were infected with the Wazzu macro virus. You can read the details here:

      http://www.f-secure.com/v-descs/wazzu.shtml

      I really have a hard time understanding why something that happened 12 years ago is relevant to this discussion.
      Ed Bott
      • It's relevant because...

        Companies that get lax when it comes to software distribution end up making mistakes like distributing viruses and malware. It was true in 1996 and it is still true today! Just because it was twelve years ago is irrelevant - it still happens even now with all of the so called "lessons learned" from the past. Why are you being so hostile to my post, anyway? Sheesh...go get some coffee!
        Carrion
        • Hostile? Wha?

          Um, I pointed you to a factual reference, and then I said I didn't quite understand why this was relevant to the current discussion.

          What was hostile in that?

          I've had more than enough coffee today, thanks.
          Ed Bott
          • Just seemed a bit short

            The line "I really have a hard time understanding why something that happened 12 years ago is relevant to this discussion." seemed a bit terse to me. Maybe you didn't intend it, but I can only judge your mood by the words you wrote. Sorry if my judgement was off, but my response explaining the relevance is still valid...
            Carrion
          • I still don't get it

            I apologize in advance if any nouns, verbs, adjectives, adverbs, or conjunctions in this comment are offensive. Sorry, my long-distance mind-reading skills aren't developed enough for me to be able to guess what sort of interpretation you are going to take away from a simple declarative sentence.

            Meanwhile, I'm still happy to have provided the factual reference you were looking for but said you couldn't remember. (You're welcome, by the way.)

            And I still don't understand how the example you cite is relevant. A Microsoft division handed out a CD to a relative handful of people in 1996, about seven years before the development of widespread malware. It contained a harmless but annoying document virus. Not code. By contrast, Mozilla for two months has been serving up infected executable code via its website to millions of Vietnamese speaking visitors. In the year 2008, I expect an organization with a user base of hundreds of millions to have rigorous code review procedures. Most of their customers are attracted to the product precisely because they believe it will make them more secure. This is a major black eye to Mozilla.
            Ed Bott
          • I'd expect that too Ed, but...

            [i]In the year 2008, I expect an organization with a user base of hundreds of millions to have rigorous code review procedures. Most of their customers are attracted to the product precisely because they believe it will make them more secure. This is a major black eye to Mozilla.[/i]

            Sounds like it slipped under the radar, so hopefully they'll learn from this and have it corrected by now. Take their black eye and move on.

            Mozilla also relies on people to tell them about this out there. They wouldn't have anything to gain by ignoring it.
            hasta la Vista, bah-bie
          • hundreds of millions checking....

            "In the year 2008, I expect an organization with a user base of hundreds of millions to have rigorous code review procedures" Uhh... how many of those millions use the Vietnamese language pack? Who gives.
            judgesinel@...
          • PS: Left out the smiley face

            I should have put a smiley face after the first paragraph of my previous comment. I hope it's obvious I'm kidding.
            Ed Bott
          • I'll do it for ya :) Now all should be well. (nt)

            nt
            klumper
    • How about a more recent analogy...

      [b][i]Windows virus worms onto some Apple iPods[/i][/b]
      http://news.zdnet.com/2100-1009_22-6126804.html

      I think the socially accepted version of the phrase is "Stuff happens!" It is a bit of a black eye for Firefox/Mozilla though, since Firefox was, at least initially, being promoted as a safer browser than IE.
      3D0G
      • Safer doesn't mean invincible (nt)

        nt
        hasta la Vista, bah-bie
  • Misleading headline

    Most of the headlines about this story are misleading:

    "Malware shipped with Firefox 2 language pack" (ZDNet)

    "Mozilla spreads malware rather than security" (ZDNet)

    "Mozilla Distributes Virus-Infected Language Pack" (Security Fix)

    The writer of this story deserves some praise for actually taking the trouble to write a headline that actually reflects the truth of the story:

    "Mozilla: Firefox Plug-In Shipped With Malicious Code" (PC World)

    http://www.pcworld.com/businesscenter/article/145617/mozilla_firefox_plugin_shipped_with_malicious_code.html

    The rest of the story clearly lays out the facts as well.

    But why let the facts get in the way of a good headline?
    FreewheelinFrank