Update on the AMO Security Issue

Nick Nguyen (osunick)


Last week, we disclosed two instances of suspected malware in experimental add-ons on AMO.  Since that disclosure, we’ve worked with security experts and add-on developers to determine that the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware.  The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan.  Our estimate of 6,000 affected downloads has been revised to under 700.  The Sothink Video Downloader has been re-enabled on AMO.  We apologize to our users and the developers of Sothink for any inconvenience this has caused.

Thanks to the team at McAfee for working with us to better understand this threat.

12 responses

  1. anon wrote on :

    So, this means that Mozilla Add-Ons are in fact vulnerable to viruses / trojans. In the race to be the “best” browser, it is of course important to have a community of add-on developers. But it is irresponsible of Mozilla to allow non-Mozilla-approved plugins to even exist. At the very least, those non-Mozilla-approved plugins should be displayed with a STERN warning – “Mozilla has not tested this plugin for vulnerabilities – Use at your own RISK”.

  2. Bee wrote on :

    «The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan»

    A good reason not to trust addons hosted at AMO!!!!!!!

    Nor is this the first time of a backdoored addon!!!!!!!! (look at NoScript’s history).

    As I wrote elsewhere: whoever is driving the controls at AMO is sleeping at the wheel!!!!!!!!!!!!!!!!!!!!!!!!

    Download only extensions that YOU trust!!!!!! made by developers that YOU trust!!! or, install addons after having checked their source code YOURSELF!!!!!!!!!!!!!!!!!

    Another suggestion I’d like to add here is to trash proprietary operating systems (like Mac and Windows), and to install an open source operating system (like one of the GNU/LINUX distros!!!!!!!!!)
    Worms are structurally less effective against Linux!!!!!!

    bye!!!!!!!!!!!!!!!!
    ~bee!!!!!!!!
    http://honeybeenet.altervista.org/beefree/

  3. Matti wrote on :

    @Bee: Your “!” key is broken, you should get a new keyboard.

    2 things:
    These were 2 experimental addons, and you need an AMO account if you want to download such addons.

    >Download only extensions that YOU trust
    That is true, always install software (not only addons) that you trust.
    There is no difference between “normal” applications, plugins and addons.

  4. Daniel Veditz wrote on :

    This incident says nothing about reviewed addons on AMO (other than don’t put all your anti-virus eggs in one basket). Average users should not be installing untrusted, unreviewed, “experimental” addons and this incident does point out that the site is not at all clear that the intended audience for unreviewed addons (hard-core testers and experimenters) is very very different than the general Add-ons user.

  5. wrote on :

    Would be nice if add-ons with files that aren’t open-source were marked in some way.

    @anon
    They are tested. But the anti-virus used just didn’t know about that trojan. Any usable anti-virus and anti-malware program works using blacklists. But they use three programs now instead of just one, if I remember correctly, which is what caught this particular bug.
    You’re an ignorant fool if you think you’re 100% safe just because a program tells you so.

    There’s also no reason to not allow non-approved to be listed on the “untested” page. The same users who installed this extension might as well have downloaded some random “increase your internet speed by 150%” application from some other place.

    The correct way to create a secure environment is through education and not censorship.

  6. David Gerard wrote on :

    “Would be nice if add-ons with files that aren’t open-source were marked in some way.”

    +1

    Big red warnings for:

    * binaries
    * closed source

  7. annoyed wrote on :

    “At the very least, those non-Mozilla-approved plugins should be displayed with a STERN warning – ‘Mozilla has not tested this plugin for vulnerabilities – Use at your own RISK’.”
    You mean with something like the big fat “Install add-ons only from authors you trust” warning dialog that already appears when installing *any* add-on and also says “Malicious software can damage your computer or violate your privacy”? How much more hand-holding do you need?

  8. Doelf wrote on :

    Last time you said Master Filer was downloaded 600 times, now the number is reduced from 6,000 to 700 times. So: How many?

  9. tricks wrote on :

    What is this about NoScript’s history? I thought NoScript was a good security program. I run it now, is there a reason I should remove it?

  10. Bee wrote on :

    Hi tricks!!!!!!!

    I don’t want to write it again!!!!!!!!!!! It’s so boring!!!!!!! but I wrote something about NoScript’s history one week ago, here http://forums.lanik.us/viewtopic.php?f=86&t=5809 you could read it there!!!!!!!!!! follow the links!!!!!!!

    bye!!!!!!!!!!!!!!!!!!!
    ~bee!!!!!!!!!!
    http://honeybeenet.altervista.org/beefree/

  11. wrote on :

    @tricks

    He’s probably talking about the drama with Ad-block Plus.
    http://www.schillmania.com/content/entries/2009/adblock-vs-noscript/

    @Doelf

    I haven’t checked, so I’m not sure about exact numbers, but I do remember that Sothink Video Downloader was pointed to as the major infector, with Master Filer only contributing a minor amount of downloads.

    Now that Sothink Video Downloader has been shown to have been a false positive the only infector is Master Filer, which only made out a minor part of the downloads.

    That is, at first it was Sothink Video Downloader downloads (~5000) + Master Filer downloads (~700) = total downloads (~6000), and now, after more thorough checks, it’s Master Filer downloads (~700) = total downloads (~700).

    Also, it’s important to remember that Mozilla isn’t the only one hosting add-ons.

  12. Ram wrote on :

    I do agree that an anti-virus needs to be up-to-date and shield your computer, so if the file contains a virus it knows and will tell you, or stop the virus.

    To ‘let people read the source code’ is not the best way, after all not all users know how to read code…

    A file signature is a good method; it can work, but not all the time.

    I just think users need to be alerted that viruses live among us, and to double check anything that is downloaded from the web…

    Ram.