Firefox Vietnamese Language Pack Infected With Trojan
An anonymous reader writes "Wired.com is reporting that the Firefox browser has been unknowingly distributing a trojan with the Firefox Vietnamese language pack. Over 16,000 downloads of the pack occurred since being infected. This highlights a risk of relying on user-submitted Firefox extensions, or a lack of peer review of the extensions, many of which receive frequent upgrades."
Re: (Score:2)
Firefox keeps begging me to update it, and I keep saying "no" "no" "no". Glad I followed that procedure rather than download a trojan.
Downside of OSS (Score:4, Interesting)
I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.
Re: (Score:2, Interesting)
Joe Six-pack is not going to be as upset when he gets infected by the free thing vs. the thing he had to pay for.
Is this fair to say? Can anyone say that better than me?
Re: (Score:2, Insightful)
No, the "hahaha" is on you, if you think proprietary software has no quality control.
Good thing I never made such a proclamation. If you think I did please quote the relevant section.
It has plenty.
By plenty, you mean the bare minimum? Cause that's what happens in almost every case.
When you spend money on a closed-source package, chances are that software house has a QA department.
So? If someone slips a trojan into their software that is undetectable to their virus scanners, as was the case here, how exactly is that big bad QA department going to prevent it from being released? Oh, you mean it won't?
I don't mean to be rude to anyone or piss anyone off, but the same can't be said for most OSS projects, apart from those released through the few large OSS houses that have their own QA departments.
And yet most of these projects without a QA department are still able to make software of quali
Re: (Score:2, Insightful)
Actually, that statement is false. The majority of OSS is half-finished, poorly-planned crap that is in perpetual beta. Of what remains, most does not come close, let alone rival, the software provided by proprietary vendors.
The truth is that, with a very few notable exceptions, OSS is generally crapware that gets abandoned once the project obtains an arbitrary level of usabil
Re: (Score:2)
The vast majority of all proprietary software ever written is also abandoned crapware. The main difference is that you no longer have access to most of it. Old abandoned OSS tends to accumulate on public archives; if you just ignore it, then it won't bother you.
Re:Downside of OSS (Score:4, Insightful)
That, and the language/OS elitism. A lot of abandoned projects in sourceforge are developed in an obscure scripting language and/or extension that requires very, VERY careful installation (i.e. wxPython - choose the wrong version and you'll end up in a support nightmare), or perhaps use a specific UI toolkit (perhaps even proprietary *cough cough* cinelerra *cough cough*) that keeps crashing and crashing. I remember when I tried to install GAIM in Windows. It sucked big time. You can't just design something as "cross-platform" if you don't do extensive testing on ALL operating systems, and that includes the Redmond Nightmare.
I believe that a lot of OSS developers program for selfish reasons - i.e. "I'm programming a tool that does what I want" instead of "I'm programming a tool that will help people who might not use my OS or won't share my personal tastes, therefore I need to think about them".
The lesson: It's not really the OS or the toolkit, or even the language used. It's the attitude of the developers that ruins projects.
Re: (Score:2)
I think that may have been what the poster meant.
Re: (Score:2)
So, having a QA department makes better software? Someone at microsoft must have missed the memo...
Re: (Score:3, Insightful)
On one side, the possibility of getting infected binaries is dropped in Debian. Things are signed, etc.
On the flip side, there is a much higher possibility of getting malicious code in the source code. Considering the number of possible code "contributions" and unverified source code changes (at upstream, at maintainer, etc.), the possibility of getting malicious code in one of the less known projects is higher than closed source. Then a
Re:Downside of OSS (Score:5, Insightful)
How many refurbished iPods have had viruses on them? How many USB thumb drives with custom controls and drivers have had viruses on them? How many times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?
OSS has a far better track record on quality control. Even better OSS software knows exactly how many times it has been downloaded and releases the exact date at which the infection happened. That is information that is NEVER released by closed source companies.
OSS is far from perfect, but it has a much better track record than closed source software. And when it does fail, everything about the failure is spelled out in details so that particular failure is less likely to happen. Unlike closed companies whose own management don't even know what really happened.
Re: (Score:2)
How many refurbished iPods have had viruses on them
I don't know how many?
How many USB thumb drives with custom controls and drivers have had viruses on them?
Again I don't know how many?
How many times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?
You tell me.
OSS has a far better track record on quality control.
What are your standards for this statement?
Even better OSS software knows exactly how many times it has been downlo
Re:Downside of OSS (Score:4, Informative)
We have quality control also. Also, this language pack trojan was caught early on...
Re:Downside of OSS (Score:5, Insightful)
This isn't too different from a hypothetical employee whose home computer is infected, and who is working from home and emails a module to his boss, who merges it into the final product. If his home computer was infected, and the standard virus scans missed it, then the final product could end up having Trojan code buried inside.
Would the company necessarily have caught the Trojan? Doubtful. They, too, would probably not have done a line-by-line review of each module update that is submitted.
So I'm not convinced this can be pointed to as a failing of the OSS development model per se. The only difference is that the OSS user contributor is perhaps less well-known (less trustworthy?) to the distributors than in a corporate setting. (But, again, this wasn't a problem of trust... this was a contributor machine being infected. And I assure you that corporate developers can and do get their machines infected.)
Nevertheless, this points to a breakdown in Mozilla's auditing practices. They should be very careful with any code they distribute. But these kinds of quality-control breakdowns occur in OSS projects and corporations, too. (One could tangentially argue that at least with OSS, breaches are likely to be publicized, whereas companies will frequently try to suppress information that points out a security breach.)
Re: (Score:2)
If Mozilla insisted that contributed extensions were submitted in source code form and then compiled by Mozilla machines, this kind of screwup would be much less likely.
Re:Downside of OSS (Score:4, Informative)
Creative MP3 players ship with virus [theregister.co.uk]
Apple Ships iPods with Windows Virus [betanews.com]
Seagate Storage Units Ship with Virus [eweek.com]
Sega Dreamcast console game spreads virus [findarticles.com]
Maxtor USB Hard Drives Ship Virus Infected [everythingusb.com]
Digital photo frames ship with computer virus [itrportal.com]
Sony Ships Rootkit [schneier.com]
Re: (Score:2)
Doesn't matter how much truth there is to a statement, or how much proof one provides. Disagree with the fanboys and watch your karma burn. I have actually seen fanboys go back and mod down posts I have made months back. They have formed cliques and are busy modding everyone who posts against them down.
And, I am pretty sure you are one of them.
Re: (Score:2)
Sure, proprietary software has THEORETICAL quality control (because they are charging for it), but how often does that REALLY happen? If someone slipped in a virus into some proprietary program (which they, of course, only distribute as
Re: (Score:2)
Bribes from competitors?
Re: (Score:3, Insightful)
I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.
Quality control fails in the proprietary software world (aside - OSS is commercial as well) but hey... at least it's there! Meanwhile, this particular case is supposed to be an example of how OSS has no quality control? And we see the same failures in the quality-controlled proprietary world? I'm not following your logic.
You ask how long it would take to find a virus slipped in to an OSS program? Interesting question. A little bit of Googling would show where major OSS projects were compromised and
Re: (Score:2)
I know this isn't going to be a popular opinion here, but two of the big downsides of open source software to me are the lack of documentation and the lack of quality control. Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?
I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.
Actually, that is incorrect. The entire nature of open source forces it to make sure peer review is enforced, because of the danger.
In closed source this can happen just as easily, but the control will be more relaxed because they think it will be safer.
Just look up AES, and you will know it is possible.
Re: (Score:3)
Right, sure it is. How long was the exploitable double free in zlib? It was what, a year and a half before a PLAIN TEXT password was found in firebird?
Re: (Score:2)
If you have ever worked for a closed source software maker you wouldn't be talking about the quality control in closed source.
Yes, I agree that having a trojan slipped in is a little less likely as it would require a malicious employee rather than a malicious random contributor. But the quality of the code is utterly and horribly abysmal. For every trojan that doesn't make it in there must be at least 500 security bugs that make it out because of the horrible quality control of closed source.
The softwar
Re: (Score:2)
I'll refrain from asking what you mean by quality control, but documentation? Seriously? Outside of OSS, you'd be hard pressed (with a few exceptions) to find anything that has any meaningful documentation. And if you're looking for hand-holding HowTo's or FAQs, well, the web is littered with them.
Windows, for example, offers little
Re: (Score:2)
Mozilla has an actual 16 person [mozilla.org] quality control team, probably as many as a comparable proprietary product.
The trojan itself uses a Windows-specific exploit, so Linux users will be safe.
Interestingly, Google has founded an open-source security group [theregister.co.uk] to coordinate responses to threats like this.
Re:Downside of OSS (Score:5, Insightful)
I'm sure that Firefox has quite a bit of QA done to it... but its usefulness relies too much on extensions, which we don't have that many assurances about.
Unknown trojan? Is that an excuse? (Score:2)
I'm sure that Firefox has quite a bit of QA done to it... but its usefulness relies too much on extensions, which we don't have that many assurances about.
I'm guessing you didn't read the article. The breakdown came with the fact that the signature of the trojan was unknown at the time it was uploaded and so the anti-virus scan on the extension came up clean. This had nothing to do with a failure of OSS but with the fact that at the time it was an unknown trojan.
It sounds like you're saying, "But this is just because the trojan was unknown at the time! If the evil hackers had used a known trojan, Mozilla would have detected it!"
If you are asking whether Mozilla failed to virus-scan an extension, then, alright, I'll grant that they did do a virus scan, at least once.
But it would be foolish to say, "So that's why it's not really a Mozilla problem, because the software program couldn't detect it." It would be akin to that time when some reporters tested Homeland Se
Re: (Score:2)
I'm sure that Firefox has quite a bit of QA done to it... but its usefulness relies too much on extensions, which we don't have that many assurances about.
Fair enough. However, the usefulness of Firefox (and any other web browser - proprietary or not) also depends even more on web pages. The QA on those is even more nebulous, and they are a larger potential threat than browser extensions / modules.
Now - the danger here is to entirely discount the importance of QA. It's a good thing to do. But be careful about putting too much faith in to it.
Agree: extensions not trustworthy (Score:2)
The untrustworthiness of extensions has long been a concern of mine, and in a way I'm actually glad that this trojan, which affects a relatively small segment of the Firefox user community, came to be. I hope it's a warning call to Firefox users and especially to the Mozilla foundation, which actually said in a Slashdot interview, "Oh, we don't see a lot of
Re: (Score:2)
In the same way, I'm pretty sure that the Ubuntu or Red Hat guys are giving me a good kernel and core libraries with their distro... but I find it hard to believe that any serious QA is done to the
Re: (Score:2)
The difference is that in the closed source world something as basic as a language pack would come with the same QA as the program... while Firefox doesn't give much assurance beyond what they directly produce, although the value of the product is directly connected to the availability of third party extensions.
The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.
Mozilla ran an anti-virus check on the most recent version in February when it was added to the official Firefox add-ons site, but the Trojan's virus signature was not known until April.
So basically according to you Mozilla is supposed to be able to recognize trojans whose signatures are unknown to any anti-virus software?
Re: (Score:2)
I don't even begin to understand how a trojan can be slipped inside a LANGUAGE pack.
Re: (Score:2)
So basically you're saying that a virus scanner is a proper substitute for putting actual eyes on code??
No, but it's no less checking than Opera does for the 3rd party add-ons they host for their proprietary browser. If I were to create a trojan and upload it to Opera's site and it bypasses any virus scans, is that somehow the fault of the proprietary business model? No. It's just the fact that sometimes you can't always check everything. Especially when a group gets thousands upon thousands of these 3rd party add-ons submitted.
That sure seems like what you are saying since you seem to be solely blaming the virus scanner.
Nope, it's just you putting words in my mouth.
Re: (Score:2)
You do realize that it's just as easy to have put a virus into an add-on for a proprietary browser as well, right? Explain to me exactly how for no other reason than being closed-source does that attack vector get closed for software like IE or Opera? Oh, you mean it doesn't? Yeah, you're just spreading FUD.
It's not quite the same thing if Microsoft or Opera Software don't distribute third party extensions themselves (I'm not sure whether or not they do). One can't expect them to control the actions of totally independent entities. Mozilla presumably had every opportunity (regardless of the resources required) to review the source before making it available for download.
Re: (Score:2)
And now, with my post, they'll waste even more on me
More Slashdot Sensationalism (Score:5, Informative)
(I guess this means Slashdot sensationalism isn't restricted to anti-Microsoft articles.)
Trojans and viruses on commercial CDs (Score:3, Insightful)
If they don't address the process that caused the problem, then start worrying.
Author of the lang pack notified (Score:3, Informative)
He posted on the Bugzilla post (https://bugzilla.mozilla.org/show_bug.cgi?id=432406) saying he's preparing a cleaned pack. Apparently his computer was infected with the trojan which infected the lang pack files.
It's noteworthy that the actual trojan isn't in the files... just the code which does the advertising stuff, I think. It can't propagate from these files. Since it took so long to be detected it's possible the infected code doesn't work (after all it was intended for HTML documents and not language packs) but this is just personal speculation.
Its good QA not closed QA that's needed (Score:2, Insightful)
The problem is most software companies don't do QA right.
It's fundamentally against the quarter by quarter business mindset that dominates most companies. QA doesn't produce anything. QA usually pushes back release dates. QA can be almost as resource intensive as engineering.
QA only pays off in the long term as a reputation for quality outside of the company, and then on
Not infected (Score:4, Informative)
"the author's local network was infected with the virus, so it modified html files. The main virus is a Win32 program. The infected code just displays an annoying banner but it can't propagate." -- https://bugzilla.mozilla.org/show_bug.cgi?id=432406#c10
I'm replying to this thread to put this information at the top of the discussion because the article summary makes it sound like the language pack actually infected people's systems with the trojan.
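The cleanup notes above say the infected build machine rewrote HTML files to load a banner, and that a signature scan could not catch it. A signature-free check on that pattern, added here as an example (not Mozilla's add-on review tooling; the sample pack and the injected script are constructed and are not the real payload): a locale pack should carry only localisation data, so any script or active content inside its HTML files is a finding regardless of whether a scanner knows the malware.

```python
import io
import re
import zipfile
from typing import List, Tuple

# A language pack is a zip (XPI). Only HTML-like members are inspected here;
# DTD and .properties files carry strings, not markup that a browser executes.
HTML_EXT = (".html", ".xhtml", ".htm")
# Heuristic, not a signature: script/iframe elements, inline event handlers
# and javascript: URLs have no business in a localisation file.
SUSPICIOUS = re.compile(r"<script\b|<iframe\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def scan_langpack(xpi_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, first suspicious token) for every HTML-like file
    containing active content. An empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(HTML_EXT):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            match = SUSPICIOUS.search(text)
            if match:
                findings.append((info.filename, match.group(0)))
    return findings


def build_sample_pack(infected: bool) -> bytes:
    """Constructed sample XPI. The 'infected' variant mimics an HTML file that
    had a banner-loading script appended on a compromised machine."""
    page = "<html><body><p>Trang chủ</p></body></html>"
    if infected:
        # Hypothetical injected banner loader; example.invalid is a reserved name.
        page = page.replace(
            "</body>", '<script src="http://example.invalid/ad.js"></script></body>'
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/vi/locale/browser/about.html", page)
        zf.writestr("chrome/vi/locale/browser/browser.dtd",
                    "<!ENTITY mainWindow.title 'Firefox'>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, pack in (("clean", build_sample_pack(False)),
                        ("infected", build_sample_pack(True))):
        print(label, scan_langpack(pack))
```

The check rejects the pack before any anti-virus signature exists, which is exactly the gap the thread describes; it is a content policy for a file type that should never contain code, not malware detection.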
A rebuttal (Score:3, Funny)
Your reasoning is flawed.
You are coming to the conclusion that open source "sucks" because a trojan was supplied with one version of Mozilla Firefox. The problem with that reasoning is twofold:
1) The problem was detected nonetheless
2) It is being fixed rather quickly
Another problem with your reasoning is that you jump to saying "Long live microsoft!". While I applaud you for sharing your love, the link between a competitor's browser having a problem and your love of Microsoft is quite shallow.
For example,
Re: (Score:3, Informative)
That does not excuse the FF problem, though.
dear Mr MOD TROLL .. (Score:2)
Pray tell all, produce any citation or historical practice of using virus signatures to validate software.