Vulnerabilities / Threats
2/5/2010
06:08 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Mozilla Removes Two Malicious Firefox Add-Ons

About 4,600 Windows users appear to have downloaded the infected software.

Mozilla on Friday said that it had removed two Firefox add-ons from its Web site because they installed malware.

"Two add-ons in the experimental section of addons.mozilla.org were found to be containing malware," Mozilla said on its security blog. "These were not originally detected with the anti-malware scanning tools that we have been using. We have since increased the number of scanning tools, and will be taking additional steps to minimize the risk of further incidents."

AMO, Mozilla's add-on management group, posted a notice about the malicious add-ons on Thursday.

The malicious add-ons have been identified as version 4.0 of Sothink Web Video Downloader and all versions of Master Filer. According to AMO's blog post, Sothink Web Video Downloader 4.0 included malware known as Win32.LdPinch.gen, while Master Filer included malware known as Win32.Bifrose.32.Bifrose Trojan.

Launching Firefox with either of these add-ons installed on a Windows computer is likely to lead to an infection. Removing the add-on does not remove the trojan software, however. Antivirus software that recognizes the malware is necessary for removal. According to Mozilla, the following antivirus apps will work: Antiy-AVL, Avast, AVG, GData, Ikarus, K7AntiVirus, McAfee, Norman, and VBA32.

Last May, security researcher Duarte Silva created a proof-of-concept malicious add-on, or "maladon," to highlight problems in Firefox's add-on security model.

Mozilla has made some security improvements since then, such as locking down Firefox's components directory. But the discovery of infected add-ons on Mozillla's AMO site suggests that additional action is necessary.

A Mozilla spokesperson wasn't immediately available for comment.

Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. AMO's blog post says that versions of Sothink greater than 4.0 are not infected. The latest version, 5.7, is not available through AMO's site, but can be found at Sothink's Web site.

In July, Mozilla launched a program to help add-on developers solicit contributions for the add-ons they post on the AMO site.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0543
Published: 2015-07-05
EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2015-0544
Published: 2015-07-05
EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 does not properly generate random values for session cookies, which makes it easier for remote attackers to hijack sessions by predicting a value.

CVE-2015-2721
Published: 2015-07-05
Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attacke...

CVE-2015-2722
Published: 2015-07-05
Use-after-free vulnerability in the CanonicalizeXPCOMParticipant function in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 and 38.x before 38.1 allows remote attackers to execute arbitrary code via vectors involving attachment of an XMLHttpRequest object to a shared worker.

CVE-2015-2724
Published: 2015-07-05
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code v...

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report