
Yesterday, Mozilla announced that one of the community built add-ons hosted by Mozilla contained remnants from a virus called W32/Xorer.A, also known as W32/Fujacks!htm.

After reading several dozen articles and blog posts covering that announcement, I thought I’d post a short follow-up here in response to a few of the misunderstandings that I came across in some of those articles and blogs.

  • The Vietnamese language pack add-on contained a worm or virus

    Headlines, by necessity, need to be short and to the point, but with security reporting, over-simplification can actually misinform readers.

    Despite what many of the headlines suggested, the compromised add-on did not contain a worm or virus. There was a virus on the developer’s computer. That virus inserted a small website-fetching script into the add-on. That script was not capable of replicating or spreading itself like a virus or a worm. It was simply telling Firefox to load unrequested advertisements. Disabling the add-on is an effective remedy for the problem script precisely because it is not a worm or virus.

  • All or most Firefox users are affected because Firefox ships with support for all languages built in

    This is not correct. Some computer programs that work in multiple languages contain all of the translations in a single version. That isn’t the case for Firefox. Mozilla ships a distinct Firefox version for each of the 45 supported languages. Vietnamese is not one of those supported languages yet so Firefox users who want a Vietnamese translation must seek out and install this Vietnamese language pack add-on. Only users who installed that compromised Vietnamese language pack were exposed.

  • 16,667 Vietnamese language pack users were affected

    While we don’t know what the exact number of affected users is, it is certainly less than that. The announcement mentioned that there have been 16,667 downloads of this add-on since November of 2007. That’s correct, but not all of those downloads were of the compromised version. The add-on was updated on February 18, 2008 and only those users who downloaded the February update of the add-on were exposed.

  • Firefox users should uninstall Firefox and run their AV software to clean up the problem.

    Because this isn’t a virus or a trojan, and it’s isolated to the Vietnamese language pack add-on, users do not need to uninstall Firefox or use third-party software to stop it. All they need to do is open the Add-ons Manager from the Tools menu and then select and disable the Vietnamese language pack.

  • Mozilla systems had a virus or worm on them

    The virus was on the machine belonging to the add-on developer. The computers that produce and distribute Firefox were not exposed and were not responsible for the compromised add-on.

  • Mozilla suspected the add-on author of malice

    Absolutely not. At no time did Mozilla suspect this and there is no reason to suspect or believe this.

  • Add-ons cannot be trusted

    We scan all add-ons for viruses when they are uploaded to the Mozilla Add-ons website. This particular add-on contained the remnants of a virus that was still unknown to the anti-virus software performing that scan. As a result of this incident, we’re implementing additional vulnerability scans at regular intervals after an add-on has been uploaded to help mitigate similar problems going forward.

Add-ons provide a lot of value to a lot of Firefox users. We believe in that flexibility and power so we’ve invested heavily in infrastructure to host and support them and the amazing community that’s built them. Security is a key component of that investment and we take it very seriously when security issues come up with add-ons. Fortunately, this issue only affected a relatively small number of users, the impact to those users was not catastrophic, and the remedy was a simple three-click operation.

Going forward, we’ve got a better virus scanning solution in place and we’re looking into other ways to further ensure the integrity and safety of all add-ons, not just those hosted by Mozilla.
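The upload-time scan described above relied on anti-virus signatures, which did not yet know this virus. As an added illustration (not Mozilla's scanner and not code from this post), here is a signature-independent check that walks an add-on package, including the nested chrome .jar, and reports any script or iframe in its markup files that loads from a remote address. The file names, the injected tag and the host `ads.example.invalid` are constructed for the example, and the check covers only plain remote `src` references.

```python
import io
import re
import zipfile

# Markup file types a language pack ships as help or UI content.
MARKUP_EXT = (".html", ".htm", ".xhtml", ".xml", ".xul")
# A <script> or <iframe> whose src is http(s):// or protocol-relative (//host).
# chrome:// and relative paths are local to the package and are not reported.
REMOTE_REF = re.compile(
    rb"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?\s*((?:https?:)?//[^\"'\s>]+)",
    re.IGNORECASE,
)

def scan_archive(data, prefix=""):
    """Return (path, tag, url) for every remote script/iframe in the archive.

    Recurses into nested .jar/.xpi files, because a language pack keeps its
    content in chrome/*.jar inside the outer .xpi.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = prefix + name
            lower = name.lower()
            if lower.endswith((".jar", ".xpi")):
                findings += scan_archive(zf.read(name), path + "!/")
            elif lower.endswith(MARKUP_EXT):
                for m in REMOTE_REF.finditer(zf.read(name)):
                    tag = m.group(1).decode().lower()
                    findings.append((path, tag, m.group(2).decode()))
    return findings

def build_sample_xpi():
    """Constructed sample: one help page has a remote script appended to it."""
    clean = b"<html><body><script src='chrome://help/content/toc.js'></script></body></html>"
    tampered = clean + b"\n<script src=http://ads.example.invalid/x.js></script>"
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("locale/vi/help/welcome.xhtml", clean)
        zf.writestr("locale/vi/help/using.xhtml", tampered)
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("install.rdf", b"<RDF/>")
        zf.writestr("chrome/vi.jar", jar.getvalue())
    return xpi.getvalue()

if __name__ == "__main__":
    for path, tag, url in scan_archive(build_sample_xpi()):
        print(f"{path}: remote <{tag}> -> {url}")
```

A check like this does not depend on the scanner already knowing the virus, but it will not see an address that is assembled or decoded by inline script, so it complements signature scanning rather than replacing it.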

More Reading:
Mozilla Security Blog » Compromised file in Vietnamese Language Pack for Firefox 2 by Window Snyder

Around the Web:
  • PC World » Firefox Plug-In Shipped With Malicious Code by Robert McMillan
  • InternetNews: The Blog » Don’t Run Mozilla Firefox in Hanoi by Sean Michael Kerner
  • Security Focus » Vietnamese pack infects Firefox users by Robert Lemos
  • SC Magazine US » Compromised file found in language pack for Firefox by Chuck Miller
  • Computerworld » Mozilla shipped worm with Firefox add-on by Gregg Keizer
  • heise Security UK » Firefox add-on contains malware by Mike Barwise
  • The Register » Firefox language pack provides adware back-door by John Leyden
  • PCMag - Security Watch » Vietnamese Firefox Distribution Carried Malware by Larry Seltzer
  • Wired.com - Threat Level » Firefox Infects Vietnamese Users With Trojan Code by Ryan Singel
  • ZDNet.com - Hardware 2.0 » Mozilla spreads malware rather than security by Adrian Kingsley-Hughes
  • Mozilla Links » Firefox Vietnamese language pack compromised by Percy Cabello
  • CyberNet News » Big Oops: Mozilla Releases Compromised Vietnamese Language Pack by Ryan Wagner
  • BetaNews » Vietnamese Firefox 2 users were given malicious content by Scott M. Fulton, III
  • Mashable » Mozilla: Would You Like a Virus With That Add-on? by Stan Schroeder
  • The Inquisitr » Viruses Hit Mozilla, MP3s by JR Raphael
  • FavBrowser » Firefox Security? Here We Go Again by Vygantas Lipskas
  • Donna’s SecurityFlash » Compromised file in Vietnamese Language Pack for Firefox 2 by Donna Buenaventura
  • On Computers Tips » Firefox Infects Vietnamese Users With Trojan Code by Jack Imsdahl
  • Infosecurity.US » Firefox’s Vietnamese Language Pack Reportedley Infected with Trojan by Marc Handelman
  • SANS Internet Storm Center » Compromised File In Vietnamese Language Pack For Firefox 2 by Joel Esler
  • CyberInsecure.com » Adware Back-door In Firefox Language Pack
  • Dantravels » Annoying Journalism from Robert McMillan, IDG News Service by Daniel Butler
  • The Good Soldier LMeyerov » Social Software by Leo Meyerovich
  • Tech-Ex » Firefox Language Pack Ships with Malware by Michael Santo
  • Spyware Sucks » Alert: Firefox 2 Vietnamese Language Pack infected by malware by Sandi Hardmeier
  • PortalIT News » Mozilla Warns: Firefox 2 Vietnamese Pack Features Trojan
  • IT Business Edge - Headline Watch » Mozilla’s Vietnamese Plug-In Infected with Malware by Susan Hall
  • McAfee Avert Labs Blog » Computer Security Research by Vinoo Thomas
  • ReadersZone » Firefox Vietnamese Language Pack infected with Trojan horse by Ajay Pathak
  • OpTempo » Firefox Vietnamese Language Pack Malware Warning by J. Frank Carr
  • Byzone » Firefox AddOn Comes with Adware by FyreVortex
  • Steve: Developing on the Edge » Virus in a firefox language plugin: the perils of the community by Steve Loughran

11 Responses to “Vietnamese Language Pack FAQ”

  1. on 08 May 2008 at 10:10 pm ajay

    Thanks for adding my website URL in your list.

  2. on 09 May 2008 at 3:26 am Morbus

    Looks like this is going to hurt “sales”…

    Not that it’s of any importance, really. Market share is not and should NOT be a priority for Mozilla. They’ve got their hands full as it is.

    Still, good read.

  3. on 09 May 2008 at 10:56 am tend

    it’s not a virus, but it’s a trojan because it loads contents from remote without user’s consent: “This usually results in the user seeing unwanted ads, but may be used for more malicious actions.”
    http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/

  4. on 09 May 2008 at 11:57 am Fav Browser

    Thanks for Fav as well.

  5. on 09 May 2008 at 12:22 pm Aljullu

    Why can the malicious code pass your security tests?
    http://firefoxcat.blogspot.com/2008/05/el-firefox-en-vietnamita-contenia-codi.html

  6. on 09 May 2008 at 2:37 pm Asa

    @ajay and @Fav Browser, no problem. I figure people deserve to see the coverage I saw if I’m going to call out press and blog coverage broadly.

    @Morbus, market share is a priority for Mozilla. It’s not _the priority_ for Mozilla but it absolutely is a priority. I don’t think this incident hurts Firefox growth though. A very small number of people were impacted and the impact wasn’t terrible.

    @tend, I think that’s a more accurate description, but for most people, I don’t think it works very well because the overwhelming majority of users don’t understand the differences between viruses, worms, and trojans and many assume that trojan is just another word for virus when it’s not.

    @Aljullu, if you read the original article and you read this post a bit more carefully, I think you’ll be able to answer that question for yourself.

  7. on 09 May 2008 at 2:46 pm Marc Handelman

    Thanks for discussing issues in your code base openly, no matter how crufty it may be…… Always a welcome, though, compared to closed source…on the other hand, there was no misunderstanding, regarding the issue at hand, or what was published on our site: infosecurity.us, or the source site: Ryan Singel’s wired.com blog 27bstroke6/. We suggested, in a very thoughtful manner, which you obviously missed, that everyone check their machines thoroughly. Always wise advice. Don’t you agree?

  8. on 09 May 2008 at 2:57 pm Asa

    @Marc Handelman, this post was “in response to a few of the misunderstandings that I came across in some of those articles and blogs.”

    I don’t think I accused you specifically of misunderstanding, though I’d personally dispute your characterization of the Wired blog post as “an exposé” :-)

    As for users checking their machines thoroughly, of course they should; but that’s really irrespective of this issue and should apply to every single internet connected computer and not just the tiny subset that you called out. Wouldn’t you agree?

  9. on 09 May 2008 at 9:14 pm Aljullu

    @Asa, it can pass your tests because it isn’t a virus by itself, it’s only a website-fetching script. True?

    And what are you doing to solve it so that this attack can’t be repeated?

    You say: “As a result of this incident, we’re implementing additional vulnerability scans at regular intervals after an add-on has been uploaded to help mitigate similar problems going forward.” but, you didn’t explain how it works.

    Thanks for your time ;-)

  10. on 10 May 2008 at 12:07 am Dan Veditz

    @Aljullu: Virus scanners now detect the obfuscated web address of the ad site left in the help files, that’s how the infection was found. It’s like human doctors inferring the presence of a virus from antibodies.

    Not only are we doing additional scans, we’ve identified that the help content viewer didn’t need to render remote script in the first place and we’ll be turning that off in the next update of Firefox 2 (bug 432919).

  11. on 11 May 2008 at 11:01 am Marc Handelman

    Asa, in reality, the Wired post was an expose, in our opinion….It was not scathing, given the usual Wired view (as well as ours) given the source of the problem.

    In our opinion, the verbiage utilized in the Wired blog Was expose like in nature, whilst our reporting linked not only to their post, but also to the Bugzilla link. Granted, Ryan also linked to Bugzilla in the blog. Our report was short and sweet.

    If this is the only so-called fault you can scavenge from our post, I think we can live with that.

    Furthermore, as far as the rest of the argument, it begs the question. The real issue is all of this sorted out Quickly, Easily (Not Always, But Hopefully) and in the Open: clearly because of the lack of cruft in the code, and the openness of the work. Further proof in our eyes that Open Source is more secure, simply because of the People.

    In fact, everyone, should be checking their system regularly, through a variety of methods, both automated and otherwise. The most important of all is what we promote daily. The simple utilization of Common Sense.
