Forgot your password?
typodupeerror
Mozilla The Internet Security News

Firefox Vietnamese Language Pack Infected With Trojan 200

Posted by timothy
from the when-childhood-goes-wrong dept.
An anonymous reader writes "Wired.com is reporting that the Firefox browser has been unknowingly distributing a trojan with the Firefox Vietnamese language pack. Over 16,000 downloads of the pack occurred since being infected. This highlights a risk on relying on user-submitted Firefox extensions, or a lack of peer-review of the extensions, many of which receive frequent upgrades."
This discussion has been archived. No new comments can be posted.

Firefox Vietnamese Language Pack Infected With Trojan

Comments Filter:
  • by gEvil (beta) (945888) on Thursday May 08, 2008 @09:21AM (#23336400)
    So wait...It installs the Greek language pack?
  • Downside of OSS (Score:4, Interesting)

    by elrous0 (869638) * on Thursday May 08, 2008 @09:22AM (#23336412)
    I know this isn't going to be a popular opinion here, but two of the big downsides of open source software to me are the lack of documentation and the lack of quality control. Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?

    I'm not saying commercial software is perfect in that regard (there have been cases of commerically distributed software containing malware too), but at least there is generally some level of quality control there.

    • Re: (Score:3, Insightful)

      by Uncle Focker (1277658)

      The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.
      Monster fucking fail.
    • Re: (Score:2, Interesting)

      by ttapper04 (955370)
      You are right. It may have something to do with the responsibility a software company has when selling you code. There are flaws in this statement, but what I mean is this:
      Joe Six-pack is not going to be as upset when he gets infected by the free thing vs. the thing he had to pay for.
      Is this fair to say? Can anyone say that better then me?
      • Re: (Score:3, Insightful)

        by Henry V .009 (518000)
        Yeah. When the hackers steal his identity and ruin his credit, he'll just be cool about it and say "Well, I still love Firefox; I got hacked, but it's not like I had to pay money for this software!."
    • Re: (Score:3, Insightful)

      by kilgortrout (674919)

      If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?
      Less than three months according to the article.
    • Re: (Score:2, Insightful)

      by Uncle Focker (1277658)

      but at least there is generally some level of quality control there
      Hahahahahahaha. You must not deal with much proprietary software to make such hilarious statements. In fact it my experience the statement is just the opposite.
      • Re: (Score:2, Interesting)

        by dave420 (699308)
        No, the "hahaha" is on you, if you think proprietary software has no quality control. It has plenty. So does Open Source software. When you spend money on a closed-source package, chances are that software house has a QA department. I don't mean to be rude to anyone or piss anyone off, but the same can't be said for most OSS projects, apart from those released through the few large OSS houses that have their own QA departments. Just because you've found bugs in closed-source software doesn't mean they
        • Re: (Score:2, Insightful)

          by Uncle Focker (1277658)

          No, the "hahaha" is on you, if you think proprietary software has no quality control.

          Good thing I never made such a proclamation. If you think I did please quote the relevant section.

          It has plenty.

          By plenty, you mean the bare minimum? Cause that's what happens in almost every case.

          When you spend money on a closed-source package, chances are that software house has a QA department.

          So? If someone slips in a trojan into their software that is undetectable to their virus scanners, as was the case here, how exactly is that big bad QA department going to prevent it from being released? Oh, you mean it won't?

          I don't mean to be rude to anyone or piss anyone off, but the same can't be said for most OSS projects, apart from those released through the few large OSS houses that have their own QA departments.

          And yet most of these projects without a QA department are still able to make software of quali

          • Re: (Score:2, Insightful)

            by DaveV1.0 (203135)

            And yet most of these projects without a QA department are still able to make software of quality rivaling these proprietary vendors.

            Actually, that statement if false. The majority of OSS is half-finished, poorly-planned crap that is in perpetual beta. Of what remains, most does not come close, let alone rival, the software provided by proprietary vendors.

            The truth is that, with a very few notable exceptions, OSS is generally crapware that gets abandoned once the project obtains an arbitrary level of usabil

            • The truth is that, with a very few notable exceptions, OSS is generally crapware that gets abandoned once the project obtains an arbitrary level of usability and all the sexy code has been written.

              The vast majority of all proprietary software ever written is also abandoned crapware. The main difference is that you no longer have access to most of it. Old abandoned OSS tends to accumulate on public archives; if you just ignore it, then it won't bother you.

            • I like how you quoted out the very next sentence to try to attack my point.

              A fact that was acknowledged by Microsoft themselves in private emails.
              http://en.wikipedia.org/wiki/Halloween_documents [wikipedia.org]

              Next time please don't dishonestly take a quote out of context to attack it.
            • Re:Downside of OSS (Score:4, Insightful)

              by Spy der Mann (805235) <spydermann.slashdotNO@SPAMgmail.com> on Thursday May 08, 2008 @03:10PM (#23341634) Homepage Journal

              The majority of OSS is half-finished, poorly-planned crap that is in perpetual beta.
              In my experience (and I've held long debates with friends and colleagues about this) this has been caused by plain and simple pride. i.e. what happened with Pidgin - developers imposing their own viewpoints on their software for no valid reason.

              That, and the language/OS elitism. A lot of abandoned projects in sourceforge are developed in an obscure scripting language and/or extension that requires very, VERY careful installation (i.e. wxPython - choose the wrong version and you'll end up in a support nightmare), or perhaps use a specific UI toolkit (perhaps even proprietary *cough cough* cinelerra *cough cough*) that keeps crashing and crashing. I remember when I tried to install GAIM in Windows. It sucked big time. You can't just design something as "cross-platform" if you don't do extensive testing on ALL operating systems, and that includes the Redmond Nightmare.

              I believe that a lot of OSS developers program for selfish reasons - i.e. "I'm programming a tool that does what I want" instead of "I'm programming a tool that will help people who might not use my OS or won't share my personal tastes, therefore I need to think about them".

              The lesson: It's not really the OS or the toolkit, or even the language used. It's the attitude of the developers that ruins projects.
        • When you spend money on a closed-source package, chances are that software house has a QA department.

          So, having a QA department makes better software? Someone at microsoft must have missed the memo...
    • Re:Downside of OSS (Score:4, Insightful)

      by Keyper7 (1160079) on Thursday May 08, 2008 @09:33AM (#23336562)
      Open source allows greater quality control than closed source. If Mozilla did not use this potential, it's their fault and not the open source process'. In fact, the problem here is that the quality control used by Mozilla was not open source enough. They only did automatic scanning, something that can be done in compiled binaries, when a simple code-checking (notice that an extension source is not that big) would get the malicious code rather quickly.
      • Re:Downside of OSS (Score:4, Insightful)

        by dave420 (699308) on Thursday May 08, 2008 @10:14AM (#23337070)
        Open source means the QA can be shifted from a group of QA workers in an office to people who use the software. Both approaches work, and both are not perfect. Saying one is inherently better than the other is a bit strange, as they both achieve the same thing, only in different places. QA performed in-house has access to the source code, and can highlight errors and get them fixed, just the same as any OSS project. The only difference is the QA workers are getting paid for it, and are working directly with the developers. I'm not saying that's better, it's just what happens.
      • Re: (Score:3, Insightful)

        by gnuman99 (746007)
        It is a double edged sword. I speak as a developer and user of Debian.

        On one side, the possibility of getting infected binaries are dropped in Debian. Things are signed, etc.

        On the flip side, there is a much higher possibility of getting malicious code in the source code. Considering the number of possible code "contributions" and unverified source code changes (at upstream, at maintainer, etc.), the possibility of getting malicious code in one of the less known projects is higher than closed source. Then a
    • Re:Downside of OSS (Score:5, Insightful)

      by peragrin (659227) on Thursday May 08, 2008 @09:33AM (#23336574)
      right quality control in closed source. bullshite.

      How many refurburished ipods have had viruses on them/ How many sb thumb drives with custom controls and drivers have had viruses on them? How may times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?

      OSS has a far better track record on quality control. Even better OSS software knows exactly how many times it has been downloaded and releases the exact date at which the infection happened. That is information that is NEVER released by closed source companies.

      OSS is far from perfect, but it has a much better track record than closed source software. And when it does fail, everything about the failure is spelled out in details so that particular failure is less likely to happen. Unlike closed companies whose own management don't even know what really happened.
      • How many refurburished ipods have had viruses on them/ How many sb thumb drives with custom controls and drivers have had viruses on them? How may times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?
        Yeah, see, but... you can hold companies responsible. Who will be held responsible for this trojan? Hm? With the Sony rootkit, we knew. With OSS, "some guy that posted it" just doesn't cut it.
        • Yeah, and just see how far you get with a liability claim against almost any proprietary software vendor. They will just point to their EULA, which you must have agreed to in order to use their software, that disclaims any and all liability on their part. So you can't really hold them responsible, not in a legal sense.
          • by Sancho (17056) *
            You can still sue them and ask to have that portion of the EULA stricken as unenforceable.
      • by dave420 (699308)
        Using a few examples of flawed QA to claim all closed-source QA doesn't happen is a ridiculous argument. I could point out how many flaws are introduced in updates to open-source software, and use your logic to say OSS has no QA. OSS has enough merits to guarantee it a very glorious future - we don't have to make stuff up or sensationalise problems both camps go through to distort reality. FUD - I thought we didn't like that here.
      • RMS is that you?
        How many refurburished ipods have had viruses on them
        I don't know how many?
        How many sb thumb drives with custom controls and drivers have had viruses on them?
        Again I don't know how many?
        How may times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?
        You tell me.
        OSS has a far better track record on quality control.
        What are your standards for this statement?
        Even better OSS software knows exactly how many times it has been downlo
    • Re:Downside of OSS (Score:4, Informative)

      by betterunixthanunix (980855) on Thursday May 08, 2008 @09:34AM (#23336584)
      http://fedoraproject.org/wiki/QA [fedoraproject.org]

      We have quality control also. Also, this language pack trojan was caught early on...

    • Re: (Score:3, Insightful)

      by cyfer2000 (548592)
      So company or organization supported OSS projects with proper QA is the solution.
    • Re:Downside of OSS (Score:4, Interesting)

      by RiotingPacifist (1228016) on Thursday May 08, 2008 @09:37AM (#23336620)
      The Downside is when the project gets too big, the number of users >>> developers so resources get stretched to try and satisfy the large number of users and the quality of the project drops.
    • Re: (Score:3, Insightful)

      Open Source should be treated with care, just like any other software you download from the net. Stick to the lighted paths and generally you should be fine. In this case, we have user-generated code which can be iffy, but you can feel fairly safe if it has been downloaded and used a number of times. These things usually come out into the open sooner or later.
    • Re:Downside of OSS (Score:5, Insightful)

      by JustinOpinion (1246824) on Thursday May 08, 2008 @09:47AM (#23336718)
      To be fair, this particular sequence of events could have happened to a proprietary product as well. The article explains that an add-on developer uploaded a new version of the language pack. The language pack was automatically scanned for viruses, and found to be clean (since the signature for this particular Trojan wasn't yet known). It appears that this occurred because the developer's computer was infected (i.e.: this was accidental, not intentional, on the part of the contributor).

      This isn't too different from a hypothetical employee whose home computer is infected, and who is working from home and emails a module to his boss, who merges it into the final product. If his home computer was infected, and the standard virus scans missed it, then the final product could end up having Trojan code buried inside.

      Would the company necessarily have caught the Trojan? Doubtful. They, too, would probably not have done a line-by-line review of each module update that is submitted.

      So I'm not convinced this can be pointed to as a failing of the OSS development model per se. The only difference is that the OSS user contributor is perhaps less well-known (less trustworthy?) to the distributors than in a corporate setting. (But, again, this wasn't a problem of trust... this was a contributor machine being infected. And I assure you that corporate developers can and do get their machines infected.)

      Nevertheless, this points to a breakdown in Mozilla's auditing practices. They should be very careful with any code they distribute. But these kinds of quality-control breakdowns occur in OSS projects and corporations, too. (One could tangentially argue that at least with OSS, breaches are likely to be publicized, whereas companies will frequently try to suppress information that points out a security breach.)
      • It also argues for having developers provide source rather than binaries to the people who build the final releases.

        If mozilla insisted that contibuted extentions were submitted in source code form and then compiled by mozilla machines this kind of screwup would be much less likely.
    • Re:Downside of OSS (Score:4, Informative)

      by Paradise Pete (33184) on Thursday May 08, 2008 @09:48AM (#23336730) Journal
      I'm not saying commercial software is perfect in that regard (there have been cases of commerically distributed software containing malware too), but at least there is generally some level of quality control there.

      Creative MP3 players ship with virus [theregister.co.uk]
      Apple Ships iPods with Windows Virus [betanews.com]
      Seagate Storage Units Ship with Virus [eweek.com]
      Sega Dreamcast console game spreads virus [findarticles.com]
      Maxtor USB Hard Drives Ship Virus Infected [everythingusb.com]
      Digital photo frames ship with computer virus [itrportal.com]
      Sony Ships Rootkit [schneier.com]

    • by Hatta (162192)
      Nice troll. There are 34 comments on this article, and 13 of them are in response to your post. That's over 1/3 of the discussion so far. Excellent work.
      • by elrous0 (869638) *
        Since the popular definition of troll seems to be "Anyone who posts anything that I disagree with," I shall label you a troll as well.
        • No, the definition of a troll is someone who post inflammatory material in order to get responses which is what you did. Your anti-OSS FUD has little bearing when it comes to the actual reality of this case. The problem was with the fact that this trojan had an unknown signature and thus was able to slip in past the virus scanner being used by mozilla. And here's the real kicker, proprietary anti-virus scanners, the stuff you are trying to claim is the pinnacle of software QA, didn't know about it till M
          • by DaveV1.0 (203135)
            No, here the definition has come to me exactly what he said.

            Doesn't matter how much truth there is to a statement, or how much proof one provides. Disagree with the fanboys and watch your karma burn. I have actually seen fanboys go back and mod down posts I have made months back. They have formed cliques and are busy modding everyone who posts against them down.

            And, I am pretty sure you are one of them.
        • by Hatta (162192)
          That was a compliment. It's not easy to get that kind of haul with statements that ignorant. Good job.
    • "Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?"

      Sure, proprietary software has THEORETICAL quality control (because they are charging for it), but how often does that REALLY happen? If someone slipped in a virus into some proprietary program (which they, of course, only distribute as

    • Re: (Score:3, Insightful)

      by _Sprocket_ (42527)

      I'm not saying commercial software is perfect in that regard (there have been cases of commerically distributed software containing malware too), but at least there is generally some level of quality control there.

      Quality control fails in the proprietary software world (aside - OSS is commercial as well) but hey... at least it's there! Meanwhile, this particular case is supposed to be an example of how OSS has no quality control? And we see the same failures in the quality-controlled proprietary world? I'm not following your logic.

      You ask how long it would take to find a virus slipped in to an OSS program? Interesting question. A little bit of Googling would show where major OSS projects were compromised and

    • by kdemetter (965669)

      I know this isn't going to be a popular opinion here, but two of the big downsides of open source software to me are the lack of documentation and the lack of quality control. Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?

      I'm not saying commercial software is perfect in that regard (there have been cases of commerically distributed software containing malware too), but at least there is generally some level of quality control there.

      actually , that is incorrect . The entire nature of open source forces it to make sure peer review is enforced , because of the danger .

      In closed source this can happen just as easily , but the control will be more relaxed because they think it will be safer.

      Just look up AES , and you will know it is possible

      • by sqlrob (173498)
        The entire nature of open source forces it to make sure peer review is enforced , because of the danger

        Right, sure it is. How long was the exploitable double free in zlib? It was what, a year and a half before a PLAIN TEXT password was found in firebird?
    • If you have ever worked for a closed source software maker you wouldn't be talking about the quality control in closed source.

      Yes, I agree that having a trojan slipped in is a little less likely as it would require a malicious employee rather than a malicious random contributor. But the quality of the code is utterly and horribly abysmal. For every trojan that doesn't make it in there must be at least 500 security bugs that make it out because of the horrible quality control of closed source.

      The softwar

    • I know this isn't going to be a popular opinion here, but two of the big downsides of open source software to me are the lack of documentation and the lack of quality control.

      I'll refrain from asking what you mean by quality control, but documentation? Seriously? Outside of OSS, you'd be hard pressed (with a few exceptions) to find anything that has any meaningful documentation. And if you're looking for hand-holding HowTo's or FAQs, well, the web is littered with them.

      Windows, for example, offers little
    • Sure, OSS has THEORETICAL quality control

      Mozilla has an actual 16 person [mozilla.org] quality control team, probably as many as a comparable proprietary product.

      The trojan itself uses a Windows-specific exploit, so Linux users will be safe.

      Interestingly, Google has founded an open-source security group [theregister.co.uk] to coordinate responses to threats like this.

    • by pembo13 (770295)
      Not that this has ever happened with closed-source
  • by davidwr (791652) on Thursday May 08, 2008 @09:22AM (#23336422) Homepage Journal
    I'm sure the Mozilla Foundation wants to know.
  • by Assmasher (456699) on Thursday May 08, 2008 @09:26AM (#23336466) Journal
    ...vulnerable to these sorts of attacks (which anyone with any common sense would already know), the fact that it is such an open process means a greater possibility of earlier detection, faster analysis and response, and the rapid repair of the process which made such a gaffe possible. In the closed source world most of these steps would take exponentially longer, and quite often the process would remain the same.
  • by jrumney (197329) on Thursday May 08, 2008 @09:26AM (#23336474) Homepage
    This has nothing to do with Mozilla accepting user-submitted extensions. If anything, that makes them more careful about what they publish. A developer's machine becoming infected with an as yet unknown virus that is undetected by anti-virus scanners is a risk that every software producer faces. How many commercial software vendors even run their developers' code through a virus check when it is committed, let alone running regular anti-virus checks on software they have already released?
  • Ignore this (Score:3, Informative)

    by Anonymous Coward on Thursday May 08, 2008 @09:34AM (#23336578)
    post. removing incorrect mod.
    • by iknowcss (937215)
      Wow, talk about irony. In an effort to prevent putting a kink in the moderation system, two separate mods have modded you Funny and Interesting. Great job, you've wasted a total of 3 mod points today.

      And now, with my post, they'll waste even more on me :P
  • I think RMS did this on purpose to make those users of proprietary Operating systems pay!
  • by MobyDisk (75490) on Thursday May 08, 2008 @09:50AM (#23336768) Homepage
    The article says:

    ...That Trojan inserted a banner-ad displaying script into any html file on his system, which included the help files for the language pack.

    That meant that anyone installing the language pack would have malicious ad displaying code inside their browser -- which could be used for other exploits.
    So the language pack did not have a Trojan. I don't think the language packs even have executable code. The language packs had help files with banner ads in them. That's not even close to what the headline says. But I guess "Vietnamese help files may contain ads" doesn't sound as scary.

    (I guess this means Slashdot sensationalism isn't restricted to anti-Microsoft articles.)
    • by trifish (826353) on Thursday May 08, 2008 @12:33PM (#23339126)
      Eh? From the article: "On Tuesday, a user named Hai-Nam Nguyen reported that anti-virus programs detected the Xorer Trojan inside the add-on. Firefox admins quickly confirmed the presence of the Trojan's code and removed the file the same day."
      • by MobyDisk (75490)
        Yeah, that does seem to conflict with the other line I quoted. If there was a Trojan in there, what OS did it apply to? Was it in the installer or in the language packs that it installed?
        • by trifish (826353)
          No they do not necessarily have to contradict. Trojan horses can inject HTML content (including ad content or links to it). I wonder why such misleading knee-jerk posts get modded +5 now.
  • Not really infected (Score:5, Informative)

    by hweimer (709734) on Thursday May 08, 2008 @09:53AM (#23336796) Homepage
    According to the Mozilla Security Blog [mozilla.com] the language pack did not contain any malicious code, but only manipulated HTML files:

    The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself.
    • Re: (Score:3, Informative)

      by trifish (826353)
      From the article: "On Tuesday, a user named Hai-Nam Nguyen reported that anti-virus programs detected the Xorer Trojan inside the add-on. Firefox admins quickly confirmed the presence of the Trojan's code and removed the file the same day."
      • Re: (Score:3, Informative)

        by Burpmaster (598437)

        "Firefox admins quickly confirmed the presence of the Trojan's code"
        That would be the HTML code that places the ad, not the trojan itself.
  • Unless this trojan was discovered by analysis of the binary, then this is prima facia evidence that F/OSS tends toward greater security than proprietary software. When the typical person (as this thread shows) exclaims: OMFG, look! A trojan in F/OSS was discovered, but none have been discovered in competing proprietary products! they are wrongly assuming, as has been done over and over in this thread, that the code I cannot see is more secure than what I can see! I mean if I have no way to see the trojan
  • There have been a number of incidents of trojans and viruses being distributed in commercial shrinkwrapped software. Firefox was slack, like commercial distributors have now and then been slack. You get caught by surprise, fix the process, and keep going, and keep it from happening again.

    If they don't address the process that caused the problem, then start worrying.
  • Vietnamese is one of those "economically disadvantaged" languages that haven't received much attention in open-source programs until very recently, even with its 80 million+ users. Firefox support of Vietnamese was "in the works" for at least 5 years with not much to show for it. As recently as last year, I wasn't able to find anything installable from the Mozilla Foundation that supports Vietnamese. Meanwhile, Vietnamese language users rely on unofficial "patches" found elsewhere to enable support for t
    • by HungWeiLo (250320)
      Since you can mostly get away with typing Vietnamese with just any Latin-based alphabet OS/software, that may have hindered the speed of development of a Vietnamese language pack.
  • by The MAZZTer (911996) <megazzt@noSpAM.gmail.com> on Thursday May 08, 2008 @11:41AM (#23338366) Homepage

    He posted on [url=https://bugzilla.mozilla.org/show_bug.cgi?id=432406]the bugzilla post[/url] saying he's preparing a cleaned pack. Apparently his computer was infected with the trojan which infected the lang pack files.

    It's noteworthy that the actual trojan isn't in the files... just the code which does the advertising stuff, I think. It can't propagate from these files. Since it took so long to be detected it's possible the infected code doesn't work (after all it was intended for HTML documents and not language packs) but this is just personal speculation.

  • I don't know if this has been done yet, but each new extension submission or upgrade must be signed by Mozilla with some type of private exchange with the author. My concern right now is, I know some of my extensions come from third parties, whats stopping someone from hacking the server and introducing a fake upgrade that gets spread across to all users in the auto upgrade? Thus when the update downloads it, compares they checksum signatures it would know it was not an authorized release. Thus besides h
  • There has been a lot of discussion about closed source projects having dedicated QA departments and the relative merits of that.

    The problem is most software companies don't do QA right.

    It's fundamentally against the quarter by quarter business mindset that dominates most companies. QA doesn't produce anything. QA usually pushes back release dates. QA can be almost as resource intensive as engineering.

    QA only pays off in the long term as a reputation for quality outside of the company, and then on

Aren't you glad you're not getting all the government you pay for now?

Working...