In the comments to yesterday’s post on spyware being delivered to Firefox users, Suzi of Spyware Warrior says:
Excellent analysis and write up, Ed. Your write up is quite a contrast with this newsletter from Spywareinfo.com.
I’d be interested in your comments regarding the editor’s article on Firefox and spyware.
The newsletter article that Suzi refers to was written by Mike Healan. I received a copy of it via e-mail earlier this week and considered referring to it in my original write-up. I chose not to do so in that post, because I wanted to stay focused on the technical issues. And the Spyware Weekly newsletter isn’t that well read (it’s apparently not a weekly, either, based on the five-week gap between the two most recent issues).
But now that the article in question has been picked up by Chris Pirillo’s extraordinarily popular Lockergnome (in a post titled “False Claims of Firefox Spyware Epidemic”), I guess it deserves some comment. [Update: The Lockergnome story has now been pulled and replaced with an apology and a call for Mr. Healan to issue a correction.]
Mike Healan’s article is, to put it mildly, shrill. After a few ad hominem attacks, complete with scare quotes, he gets to the meat of his argument:
What is truly sad here is that the news sites I mentioned earlier are portraying this as a spyware targeting and infecting the Firefox web browser. These news sites are doing a grave disservice to their readers by misleading them. This is not a problem with Firefox or with any other web browser.
The article doesn’t actually include any quotes from other reports, nor does the text link to any other discussion. Presumably, the two links at the end of his column are what Healan is referring to as “slander” and “libelous nonsense.”
My frustration with this is that people are calling it a problem with Firefox. That is patently untrue. Every single browser is going to pop up a similar warning when it encounters this particular Java applet. If this had been labeled a problem with all web browsers, it still would be untrue, but at least it would not slander a particular browser. The people publishing this libelous nonsense should be ashamed of themselves and should print a prominent correction.
Ah. So any criticism of Firefox is libel and slander, and whoever publishes any criticism or commentary should in turn be criticized. I see. Of course, if you’re going to write stuff like this, you should actually do some testing first. Although a Java-based exploit could infect any browser, this particular one is intelligent. The page in question actually looks at the browser type first. If the browser is Internet Explorer, it offers an ActiveX control. If the browser is Firefox, it uses Java. So Healan’s assertion that “every single browser is going to pop up a similar warning when it encounters this particular Java applet” is wrong. One might even call it “nonsense.”
Go back and read my analysis based on testing of the specific exploit. Firefox offers to install the Java plug-in. This plug-in, which is integrated into the Firefox browser, pops up a Security dialog box when you load a Web page in Firefox. If the user clicks Yes, the software gets installed on their system. This is the same sort of social-engineering attack that users of Internet Explorer have been wrestling with for years.
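The browser-dependent serving that the post describes (an ActiveX control offered to Internet Explorer, a Java applet offered to Firefox) is also a useful detection signal on the defender's side: a single host that hands IE visitors a CAB file and Firefox visitors a JAR is behaving exactly like the page analyzed above. The following added example, which is not code from the original post or from Mozilla or Sun, scans proxy log lines for that pattern. The log format, the hostnames, paths, client addresses and User-Agent strings are all constructed for illustration.

```python
"""
Added example: flag hosts in a proxy log that serve an ActiveX payload to
Internet Explorer and a Java payload to Firefox, the browser-sniffing
behaviour described in the post. Everything below (log format, hosts,
paths, timestamps, User-Agent strings) is constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed log lines: timestamp, client IP, quoted User-Agent,
# requested URL, response Content-Type (one record per line).
SAMPLE_LOG = """\
2005-03-18T10:01:02 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" http://adware.example/install/ text/html
2005-03-18T10:01:03 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" http://adware.example/install/helper.cab application/x-cab-compressed
2005-03-18T10:02:10 10.0.0.9 "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.6) Gecko/20050223 Firefox/1.0.1" http://adware.example/install/ text/html
2005-03-18T10:02:11 10.0.0.9 "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.6) Gecko/20050223 Firefox/1.0.1" http://adware.example/install/loader.jar application/java-archive
2005-03-18T10:05:00 10.0.0.7 "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.6) Gecko/20050223 Firefox/1.0.1" http://java.example/applets/demo.jar application/java-archive
2005-03-18T10:06:00 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" http://news.example/index.html text/html
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# Content types that typically carry each kind of browser add-on payload.
ACTIVEX_TYPES = {"application/x-cab-compressed", "application/x-msdownload"}
JAVA_TYPES = {"application/java-archive", "application/x-java-applet"}


def browser_family(user_agent: str) -> str:
    """Classify a User-Agent as 'ie', 'firefox' or 'other'.
    MSIE is checked first because IE also claims to be Mozilla/4.0."""
    if "MSIE" in user_agent:
        return "ie"
    if "Firefox/" in user_agent:
        return "firefox"
    return "other"


def payload_kind(url: str, content_type: str) -> Optional[str]:
    """Label a response 'activex' or 'java' from its Content-Type or file
    extension; return None for ordinary content such as HTML."""
    path = urlparse(url).path.lower()
    if content_type in ACTIVEX_TYPES or path.endswith((".cab", ".ocx")):
        return "activex"
    if content_type in JAVA_TYPES or path.endswith((".jar", ".class")):
        return "java"
    return None


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse log lines into records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, ua, url, ctype = m.groups()
        records.append({
            "ts": ts,
            "client": client,
            "browser": browser_family(ua),
            "host": urlparse(url).hostname,
            "payload": payload_kind(url, ctype),
        })
    return records


def find_browser_targeted_hosts(records) -> List[str]:
    """Return hosts that served an ActiveX payload to IE *and* a Java
    payload to Firefox. A host that serves a JAR to everyone (an ordinary
    applet site) is not flagged."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["payload"]:
            seen[r["host"]][r["browser"]].add(r["payload"])
    return sorted(
        host for host, by_browser in seen.items()
        if "activex" in by_browser["ie"] and "java" in by_browser["firefox"]
    )


if __name__ == "__main__":
    for host in find_browser_targeted_hosts(parse_log(SAMPLE_LOG)):
        print("browser-dependent payload served by", host)
```

Run against the constructed log, only adware.example is reported: java.example serves a JAR to Firefox but never a CAB to IE, and news.example serves only HTML. In a real deployment the same logic runs over the proxy's own access log, and the content-type and extension sets would be extended to whatever payload formats the environment cares about.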
I doubt that Mike Healan has written a single line of code for the Mozilla Foundation, but he seems to take criticism of Firefox personally. Fortunately, the security professionals at the companies that develop this code don’t seem so defensive. According to eWeek, “Sun and Mozilla developers are currently working jointly to secure the browser and JRE’s ability to execute the code.”
Look, any program that allows you to connect to the Internet has the potential to be a vector for viruses and deceptive software. Any program the size of Firefox will have bugs and security holes in it. There’s already been an update that includes some important security patches. As new issues are identified, they should be dealt with promptly and openly. If people in the community think they’re doing the Mozilla Foundation a service by trying to shout down criticism or legitimate discussion of security issues, they’re wrong.
But surely the problem is with how the Java Runtime Environment handles the code and not Firefox itself? In which case it’s not Mozilla’s problem, it’s Sun’s.
I’m sorry but I have to agree with Mike Healan here.
Neil,
The user who gets a piece of crapware installed on his machine doesn’t care whose fault it is. Anyway, that’s not the point. Firefox is creating a platform that enables extensions and plug-ins to connect directly to the browser. You can’t do that and then say, when an extension or plug-in behaves badly, “Hey, not our fault!”
And to their credit, no one at Mozilla is doing that. They’ve recognized the problem, they’re acknowledging it, and they’re working with Sun to fix it.
Ed
The common belief out there seems to be that if you use Firefox, you’re safe.
I think these articles that Healan is objecting to are important; it’s time for Firefox users to wake up and realize that the invaders have landed on their shores.
I’ve long dealt with flamers who believe that any criticism of Open Source software, viz., OpenOffice and Firefox, along with freeware (and lately Google apps, which are not OS), is high treason. Their typical response is to color me stupid, and the reason I’m stupid* is because ANY free or OS app is better because it’s free, not because it does the job better, has a better interface, or a superior feature set! That reaction verges on political affiliation, leading me to post an entry on what can be defined as “User balkanization through software” on my little blog.
*(I’m stupid for other reasons, not this one!)
Been following this debacle for a while now – you may be interested to know that the Lockergnome article has now been “replaced” with this apology.
“I doubt that Mike Healan has written a single line of code for the Mozilla Foundation, but he seems to take criticism of Firefox personally.”
And why wouldn’t he? It’s FREE OpenSource software. I respect greatly what the Mozilla Foundation is doing. It’s opensource; if you don’t like it, don’t use it, it’s that easy. But when you claim there is a massive problem with a browser (which was done at tomcoyote forums) when there isn’t, I think that ticks off a few people.
Yet strangely, Mozilla were only too happy to take the issue on and look to ways they could fix this. If a browser vendor says it’s an issue for their browser, then it’s an issue for their browser – end of story. Our opinion of what it is or isn’t doesn’t come into it after that. Just because something is “opensource” doesn’t mean it’s above exploits. The hysteria generated by people who clearly didn’t even read the original article, simply because a flaw was pointed out with Firefox (and other Mozilla based browsers), has been OTT, to say the least.
Can’t Straddle The Fence…
As a from-time-to-time rather vocal demander that Microsoft fix peripheral security problems with Internet Explorer that they deemed not to be security issues because they were not truly flaws in the browser itself, I also feel that Firefox users shouldn’t fall into the same boneheaded denial and therefore devalue the “We care about security” image that has been projected by the whole Mozilla Foundation.
It may be a “Java” problem, but if you can filter certain demands passed to the Java environment, then you completely circumvent that ever becoming a security issue. Not all browsers running with Sun’s JRE are vulnerable to this. Hmmm…
You may be interested to know – I’ve found a bunch of sites that, last year, targeted FF with .xpi installs…and this year, they now all serve up the Java applet instead – though one or two try to serve both.
Coincidence? Heh – not likely…