Comments on: Update on the AMO Security Issue

By: Ram

Ram — Sun, 04 Apr 2010 08:15:38 +0000

I do agree that an anti virus need to be up-to-date and shield your computer, so if the file contain a virus it know it will tell you, or stop the virus.

To ‘let people read the source code’ is not the best way, after all not all the user know how to read code…

a file signature is a good method it can work but not all the time.

I just think users need to be alerted that virus live among us, and to double check any thing that is downloading form the web…

Ram.

By: Té

Té — Sun, 14 Feb 2010 19:41:37 +0000

@tricks

He’s probably talking about the drama with Ad-block Plus.
http://www.schillmania.com/content/entries/2009/adblock-vs-noscript/

@Doelf

I haven’t checked, so I’m not sure about exact numbers, but I do remember that Sothink Video Downloader where pointed to as the major infector with Master Filer only contributing a minor amount of downloads.

Now that Sothink Video Downloader has been shown to have been a false positive the only infector is Master Filer, which only made out a minor part of the downloads.

That is, at first it were Sothink Video Downloader downloads (~5000) + Master Filer downloads (~700) = total downloads (~6000) and now, after more thorough checks, it’s Master Filer downloads (~700) = total downloads (~700).

Also, it’s important to remember that Mozilla isn’t the only one hosting add-ons.

By: Bee

Bee — Sun, 14 Feb 2010 17:23:33 +0000

Hi tricks!!!!!!!

I don’t want to write it again!!!!!!!!!!!It’s so boring!!!!!!! but I wrote something about NoScript’s history one week ago, here http://forums.lanik.us/viewtopic.php?f=86&t=5809 you could read it there!!!!!!!!!! follow the links!!!!!!!

bye!!!!!!!!!!!!!!!!!!!
~bee!!!!!!!!!!
http://honeybeenet.altervista.org/beefree/

By: tricks

tricks — Fri, 12 Feb 2010 21:10:51 +0000

What is this about NO SCRIPTS history? I thought NO SCRIPTS was a good security program. I run it now, is there a reason I should remove it?

By: Doelf

Doelf — Fri, 12 Feb 2010 14:34:01 +0000

Last time you said Master Filer was downloaded 600 times, now the number is reduced from 6,000 to 700 times. So: How many?

By: annoyed

annoyed — Thu, 11 Feb 2010 23:59:25 +0000

t the very least, those non-Mozilla-approved plugins should be with displayed a STERN warning – “Mozilla has not tested this plugin for vulnerabilities – Use at your own RISK”.
You mean with something like the big fat “Install add-ons only from authors you trust” warning dialog that already appears when installing *any* add-on and also says “Malicious software can damage your computer or violate your privacy”? How much more hand-holding do you need?

By: David Gerard

David Gerard — Thu, 11 Feb 2010 20:23:48 +0000

“Would be nice if add-ons with files that aren’t open-source were marked in some way.”

Big red warnings for:

* binaries
* closed source

By: Té

Té — Wed, 10 Feb 2010 19:47:43 +0000

Would be nice if add-ons with files that aren’t open-source were marked in some way.

@anon
They are tested. But the anti-virus used just didn’t know about that trojan. Any usable anti-virus and anti-malware program work using blacklists. But they use three programs now instead of just one, if I remember correctly, which is what caught this particular bug.
You’re an ignorant fool if you think you’re 100% safe just because a program tells you so.

There’s also no reason to not allow non-approved to be listed on the “untested” page. The same users who installed this extension might as well have downloaded some random “increase your internet speed by 150%” application from some other place.

The correct way to create a secure environment are through education and not censorship.

By: Daniel Veditz

Daniel Veditz — Wed, 10 Feb 2010 19:37:01 +0000

This incident says nothing about reviewed addons on AMO (other than don’t put all your anti-virus eggs in one basket). Average users should not be installing untrusted, unreviewed, “experimental” addons and this incident does point out that the site is not at all clear that the intended audience for unreviewed addons (hard-core testers and experimenters) is very very different than the general Add-ons user.

By: Matti

Matti — Wed, 10 Feb 2010 18:48:10 +0000

@Bee: Your “!” key is broken, you should get a new keyboard.

2 things :
This 2 experimental addons and you need an AMO Account if you want to download such addons

>Download only extensions that YOU trust
That is true, always install Software (not only Addons) that you thrust.
There is no difference between “normal” applications, plugins and addons.