Korean Mozilla Binaries Infected 592
Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
First time real-world linux virus spread? (Score:2, Interesting)
Antivirus? (Score:1, Interesting)
Really? I wonder if this website really knows much about Linux at all. That's fine advice for a platform that has antivirus products.
This certainly doesn't bode well for these new 'IE is more secure than Firefox' claims.
Even so, as long as the user you run doesn't have write acccess to any executables (tis a good idea), you're fine.
Errr... Outdated? (Score:1, Interesting)
Old news? Crap that doesn't matter (any more)?
OK, if you know *anything* about Linux (Score:3, Interesting)
You'll also know that the virus isn't infecting *anything* unless you're running as root or you're using a version of kernel and glibc that have specific flaws to allow the virus to do something as a regular user. Are they using a kernel and software from 2001? Maybe, for all I know, but that's pretty irresponsable if they are.
This is such a non-issue for anyone except the stunned distributor that sent around the CDs. Not the first time it happened to the Windows world, either.
Re:Um... (Score:1, Interesting)
...that Firefox needs to be fixed? (Score:2, Interesting)
As I recall, Firefox (which is not the same as Mozilla, yes, I know) won't work quite right unless it is run as root once. Isn't that a security hole waiting to be exploited by something like this? Even a user who normally doesn't normally run as root can be hit with this situation.
Smart enough doesn't matter... (Score:3, Interesting)
Re:6 stories down on the front page (Score:3, Interesting)
Re:So let me get this straight... (Score:4, Interesting)
Compare to Linux in which most exploits are a result of actual security problems in either the kernel or the supporting applications, and you have less widespread attacks that affect fewer systems.
Difference in market shares, my friend. If you want to exploit a Linux system you're probably an attacker targetting a specific network and installation for a very specific purpose (making this attack something of an oddball). If you're looking to exploit a Windows system, however, you're more likely just a general Internet thug trying to install spam bots and backdoors on home machines. The latter causes more problem since the target is a much, much larger pool of users, so the latter gets more heavily reported even though the targetted attacks usually cause more on-average damage.
Re:Virus data - It's old! RTFM (Score:5, Interesting)
mmm... So do you not think the phrase "Mozilla.org is the latest example" is a just the teeniest bit misleading in this context? You know, what with most people taking "latest" to mean "happened very recently" as opposed to "even so, there hasn't been one for simply ages so I wouldn't get too worried".
Not that anyone would do such a thing deliberately, of course... Except I can't help wondering how many people pondering a change away from Windows/IE will read that and form a false impression of Mozilla and Linux.
Now who could that benefit, I wonder...
Mozilla.co.kr (Score:5, Interesting)
Re:Virus data (Score:3, Interesting)
What always amuses me is that most mirror sites also mirror the checksum files as well.
So what is the solution? (Score:2, Interesting)
Some solutions come to mind for things that you should be doing anyway (firewall traffic on ports not being officially served by a system; make
Is there any sort of system-wide watchdog that can be put in place to monitor programs and catch actions that are outside the scope of its auspice? I think chroot can be used in a manner somewhat consistent with this idea, but not without resulting in some serious systemwide design complexity if you want to do it right. Any other thoughts?
And might this be an arguement for a Security Levels sort of system whereby things like "remove the immutable flag from
Re:Virus data (Score:3, Interesting)
Good point. I don't care about the checksum on the mirror so much as I care about the checksum on the master.
I can see something like the yum xml files where a downloader could automatically determine the source and verify the checksum.
Mozilla should at least block the mirrors from downloading the checksum files, force the mirrors to checksum their own files, and then have the master server crawl the mirrors and compare checksums files.
This was not an official site! (Score:3, Interesting)
www.internetnews.com/security/article.php/3512081
Come on! Don't blame Mozilla.org for something that's not under their control. This goes double for the Windows idiots that point and say that "oo! FF is just as vulnerable!" and forgetting all about that this is just like going to "Shady Joe's Windows Upgrades" instead of microsoft.com for SP2.
--
BMO
Re:6 stories down on the front page (Score:4, Interesting)
If you want to include all or part of a Mozilla trademark in a domain name, you have to receive written permission from Mozilla. People naturally associate domain names with organizations whose names sound similar. Almost any use of a Mozilla trademark in a domain name is likely to confuse consumers, thus running afoul of the overarching requirement that any use of a Mozilla trademark be non-confusing. If you would like to build a Mozilla, Firefox Internet browser or Thunderbird e-mail client promotional site for your region, we encourage you to join an existing official localization project.
source [mozilla.org]
So Mozilla does state a policy regarding exactly what has occurred here. The problem is, U.S. trademark laws don't have any teeth in Korea. In fact, there is a U.S. government-run site that goes into great detail about how companies that have registered trademarks in the U.S. should not try to do business in Korea (or enforce their trademarks, of course) until they have registered their trademark in Korea, as well:
Basic intellectual property laws exist in Korea. However, protection of intellectual property and the laws governing enforcement of these protections are not necessarily extra-territorial. What is understood and practiced in the United States is not always practiced in Korea. U.S. companies wishing to sell their products or services in Korea should first and foremost find out if they have to register their intellectual property rights (copyright, trademark or patents) in Korea...One of the most frequent IPR problems facing U.S. businesses in Korea is trademark protection.
source [buyusa.gov]
Now, the last piece relates to trademark use by localization teams. The site distributing the binaries was in fact run by a Korean Firefox localization team, however, Mozilla has yet to refuse their right to use the trademarks, as per Mozilla Foundation policy, which allows use by localization teams in general, and rejects only in specific instances:
It is very important that Community Releases of Firefox and Thunderbird maintain (or even exceed!) the quality level people have come to associate with Mozilla Firefox and Mozilla Thunderbird. We need to ensure this, but we don't want to get in people's way. So, we are taking an optimistic approach. Official L10n teams can start using the "Firefox Community Edition" and "Thunderbird Community Edition" trademarks from day one, but the Mozilla Foundation may require teams to stop doing so in the future if they are redistributing software with low quality and efforts to remedy the situation have not succeeded. Doing things this way allows us to give as much freedom to people as possible, while maintaining our trademarks as a mark of quality (which we are required to do in order to keep them).
source [mozilla.org]
I'll readily admit that I have no idea whether Mozilla has attempted to reject their right to use the Mozilla trademark, but given the warning found on U.S. government sites regarding trademark enforcement, I'd say it would be prodigal use of the foundation's limited resources. Further, there is nothing to indicate that there is in fact any "affiliation" whatsoever, as nowhere does Mozilla Foundation acknowledge the presence of the Korean site (although its URL does appear on a Mozilla-run wiki - who knows who put it there).
In any case, this reflects poorly only on the part of the Korean Localization Team, as Mozilla Foundation likely lacks the resources to succesfully pursue a trademark infringement case abroad in Korea, and we have already established that the site is not an official Mozilla site (unlike, for example, http://www.mozilla-europe.org/ [mozilla-europe.org] or
Mozilla not showing originating URL of download (Score:3, Interesting)
Notice that when you use MSIE on Windows, it shows you the true URL of the site you are downloading from. In the download box, it will show you the URL it's downloading from, and you can see Mozilla's choice of mirrors around the world.
With Firefox, however, you don't get to see this by default. It just shows the basename of the file you are downloading, not the full URL containing the hostname and directory path. By right-clicking on the progress bar in the Downloads popup window, and choosing Properties, you can then view the true URL, but many users don't know about this.
If the user has turned on the "Ask me where to save every file" option, the popup file-chooser window also unfortunately does not show the true URL. It would be an ideal place to show it in this window, as there seems to be plenty of room there.
Right now, I have to download the file multiple times, open the Properties to make sure I'm getting a different mirror, and then diff the files to make sure they're the same, before I can consider them trustworthy enough to install.
By itself, this is just a nitpick, but it turns into a nasty bug when combined with other things:
1) The user not being able to easily see the true originating URL of a file, before making the download decision
2) Mozilla's decision to use a huge variety of seemingly random sites as mirrors, some more questionable than others
3) Mozilla's decision to not have any way whatsoever of verifying the integrity of the download, such as a cryptographic signature
Put all three together, and it's virus time!
Microsoft: Smug Mode.
With the large numbers of mirrors Mozilla uses, spread throughout the world, the odds of someone sneaking malware in there (either by ignorance, hacking, or a good old-fashioned bribe) is quite high.
The solution probably lies in a plugin. If there's not already a plugin to let the user plainly see the true URL and verify where files are coming from, it should be made (I wish I knew how). The plugin should also have some cryptographic method of verifying a downloaded file, and Mozilla should sign all releases with a strong key. It's just basic common sense, and I'm shocked Mozilla hasn't done this already.
Re:No, no, no... Windows is as secure. (Score:3, Interesting)
-su:
Same thing here. As soon as I quit the cat process still running from that binary, I can alter the binary.
Although unlinking and then replacing the binary would work.