Is this new Firefox feature a security hole?

Earlier today I posted an item about the “link prefetch” feature recently introduced in Firefox and used by Google for all searches run using Firefox.

To see exactly how this works, I performed a simple experiment.

First, I completely deleted the contents of the Cache folder in my Firefox profile. I left the directory window visible on the screen, opened Firefox, and went to the Firefox home page. After it finished loading, I refreshed the contents of the Cache folder window and observed that there were now a few small files there.

Next, I created a simple HTML page consisting of a single sentence. That sentence contained a hyperlink to a large (2.56MB) executable file on a third-party Web site. In the source code for the page I created, just before the hyperlink, I added a LINK tag using the REL=”prefetch” type, as documented in the Mozilla Link Prefetching FAQ. I uploaded this page, which was 369 bytes in size, to my Web site.

Finally, I returned to Firefox and typed in the URL of the test page I created. My tiny page loaded immediately, and over the course of the next few seconds I watched one file in the Cache folder grow to approximately 2.6MB in size. When I clicked the link to the executable file on my test page, the Firefox Downloads window appeared and almost instantly displayed the message that the download was complete. That’s not surprising, because the executable file was already in my cache.

Let me repeat that: I clicked on a link in one page, and Firefox silently, without any indication to me, downloaded a large executable file in the background and placed it in my browser’s cache.

I repeated the experiment with a much larger executable file (10MB) from a different third-party Web site, using a completely clean Firefox profile. Same result.

If you were to click on the link to my test page using Firefox, that executable code would be on your computer, downloaded from a site you never chose to visit. Now, let me be clear: That code isn’t an immediate danger. There’s no way I’m aware of for it to execute. At least not now. But if I were a bad guy, I’d be working my tail off to figure out how to get that code to execute – or to trick you into running it. I’d also be looking at other creative ways to exploit the fact that I can get you to download scripts and other content from a third-party site that you never even realized you visited. And I would surely be thinking of how I could get my pages to appear at the top of a Google search window, where they would automatically be prefetched by Firefox.

This is not a good thing.
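To see what a page would ask Firefox to fetch before ever loading it, here is an added example of my own (not code from the original post or from Mozilla). It parses a page for `<link rel="prefetch">` hints, resolves each target against the page's own URL, and flags hints that point at another host or at an executable or script. The sample page, its hostnames and the `RISKY_SUFFIXES` list are constructed for the example.

```python
"""Audit an HTML document for link-prefetch hints and flag the risky ones."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File types a defender would not expect a page to pull into the cache silently
# (assumed list for the example; extend to suit your environment).
RISKY_SUFFIXES = (".exe", ".msi", ".dll", ".scr", ".bat", ".js", ".vbs")


class PrefetchHintParser(HTMLParser):
    """Collects the href of every <link> whose rel list contains 'prefetch'."""

    def __init__(self):
        super().__init__()
        self.hints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel_tokens = (attrs.get("rel") or "").lower().split()
        href = attrs.get("href")
        if "prefetch" in rel_tokens and href:
            self.hints.append(href)


def audit_prefetch(html, page_url):
    """Return one finding per prefetch hint: absolute URL, cross-origin flag, risky-type flag."""
    parser = PrefetchHintParser()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    for href in parser.hints:
        target = urljoin(page_url, href)          # relative hints resolve against the page
        t = urlsplit(target)
        cross_origin = (t.scheme, t.netloc) != (page.scheme, page.netloc)
        risky = t.path.lower().endswith(RISKY_SUFFIXES)
        findings.append({"url": target, "cross_origin": cross_origin, "risky_type": risky})
    return findings


# Constructed sample: a small page on example.com with one same-origin hint,
# one hint for an executable on a third-party host, and one unrelated <link>.
SAMPLE_PAGE_URL = "http://example.com/test.html"
SAMPLE_HTML = """<html><head>
<link rel="prefetch" href="/next.html">
<link rel="prefetch" href="http://third-party.example.net/files/setup.exe">
<link rel="stylesheet" href="/style.css">
</head><body><p>A sentence with a
<a href="http://third-party.example.net/files/setup.exe">link</a>.</p></body></html>"""

if __name__ == "__main__":
    for f in audit_prefetch(SAMPLE_HTML, SAMPLE_PAGE_URL):
        flags = []
        if f["cross_origin"]:
            flags.append("cross-origin")
        if f["risky_type"]:
            flags.append("executable/script")
        print(f["url"], "->", ", ".join(flags) or "same-origin document")
```

Run it against a saved copy of any page (for example one fetched with prefetching disabled) to see what would have been cached silently; the cross-origin check matters because, as the experiment above shows, the hint is honoured for third-party hosts too.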

Update: In a comment to my previous post, Alex Halderman, a PhD student in computer science at Princeton, notes that the privacy issue is a legitimate one but the security issue is less worrisome than I might fear. He writes:

There are lots of ways a site can cause your browser to load a page from another site without your knowledge: JavaScript tricks, hidden frames, etc.  For legitimate uses, prefetching is preferable to these other methods, since the browser can be smart about only prefetching during idle periods.  Disabling the prefetch feature will preclude these benefits without actually preventing malicious sites from loading remote pages.

On the other hand, well intentioned sites like Google need to be careful about what prefetching they cause for precisely the reasons Ed cites.  Google’s users trust it not to place embarrassing content in their caches or to connect their browsers to disreputable sites.  Google says only certain sites are prefetched, and I’ll bet these concerns enter into their selection algorithm.

Prefetching is also unlikely to exacerbate a vulnerability that “allows code to be executed automatically from a page that triggers a buffer overflow or exploits an unpatched scripting exploit.” The prefetched page is not rendered and any scripts it contains are not interpreted until the user actually follows a link to it.  Only the HTTP and caching code is exposed to the prefetched data, and these relatively simple modules are less likely to contain exploitable holes.

I missed the part where Google says only certain sites are prefetched. I’ll have to look more closely at that.

Update 2: OK, I looked at the Google FAQ for Webmasters, which says, “Google only inserts this tag when there is a high likelihood that the user will click on the top result, but clearly this heuristic is not right 100% of the time.” I don’t see anything that suggests any concern for the privacy of the user or whether the content in the top-rated link is work-safe.

Update 3: Some interesting discussion of the issue here.

WaPo’s new security blog finds a Firefox flaw

The Washington Post has just rolled out a new blog, Security Fix. In one of the first posts, Brian Krebs describes an e-mail he received recently, which was forwarded by someone who was concerned about phishing scams:

The phishing e-mail my contact sent tried to hijack my computer in addition to directing my browser to a Web site designed to look like it was operated by a small British bank. After I got done yelling at him for sending this little nastygram without warning me, I got to looking at it a bit more closely.

In this particular phishing scam, simply clicking anywhere in the HTML e-mail caused my Firefox browser to begin downloading a file while the fake site loaded in the background. Needless to say, I killed the download immediately.

I wish Brian had provided more details, but in any event this doesn’t sound like a good thing.

Oh, and kudos to the WaPo for putting the full text of this blog in their RSS feed.

Google adds a (dangerous) Firefox tune-up

From the Google Blog:

Now Google’s faster than ever on Firefox and Mozilla browsers. When you do a search on these browsers, we instruct them to download your top search result in advance, so if you click on it, you’ll get to that page even more quickly.

I’m not so sure I like this idea. It’s basically the “I feel lucky” option with an extra click. On a broadband connection, would I even notice the difference? On a dial-up connection, which I had to suffer with last week, it would impose a performance penalty. I’d prefer it if this were an option.

And why only for Firefox? Is there a technical reason why this can’t be done for another browser?

Updated: The more I think about this, the less I like it. What if the top search result contains content that is objectionable? If I do a perfectly legitimate search on my work computer, I have the option to avoid downloading that page based on its summary and title. But if the page downloads for me, it goes through my company’s proxy servers, where it gets logged as something I downloaded. It’s also cached on my computer. If that page happens to include porn or other unwanted content, I could get in serious trouble and even lose my job, even though I am completely innocent.

Google Help explains how to disable this feature in Firefox:

  1. Type “about:config” in the address bar.
  2. Scroll down to the setting “network.prefetch-next” and set the value to “False”.

The default should be off, not on, in my opinion. A browser should never, ever download content from a site that you didn’t specifically choose to visit. What are Google’s developers thinking?

Updated again: In the comments, James Grimmelmann points out:

I agree with you that this combination is dangerous and that it should probably not be on by default for users. But I think the mistake is the browser’s, not Google’s.

After reading the Mozilla Prefetching FAQ, I think James is right. I’m particularly disturbed by this part:

A web page provides a set of prefetching hints to the browser, and after the browser is finished loading the page, it begins silently prefetching specified documents and stores them in its cache… Will Mozilla prefetch documents from a different host? Yes. There is no same-origin restriction for link prefetching.  Limiting prefetching to only URLs from the same server would not offer any increased browser security.

So, if I understand this correctly, a Web page designer can stuff a whole bunch of links into a page and tag them with the “prefetch” relation type. If I click on that page, all those links will begin downloading to my computer automatically, even if they are on other servers. And if I do a Google search using Firefox, this will happen automatically for the first page in the search results list.

I really, really don’t like this. It’s especially ugly if someone identifies a browser flaw that allows code to be executed automatically from a page that triggers a buffer overflow or exploits an unpatched scripting exploit.

Yet another update: See this follow-up article.

Uh-oh. Some people don’t like criticism of Firefox

In the comments to yesterday’s post on spyware being delivered to Firefox users, Suzi of Spyware Warrior says:

Excellent analysis and write up, Ed. Your write up is quite a contrast with this newsletter from Spywareinfo.com.

I’d be interested in your comments regarding the editor’s article on Firefox and spyware.

The newsletter article that Suzi refers to was written by Mike Healan. I received a copy of it via e-mail earlier this week and considered referring to it in my original write-up. I chose not to do so in that post, because I wanted to stay focused on the technical issues. And the Spyware Weekly newsletter isn’t that well read (it’s apparently not a weekly, either, based on the five-week gap between the two most recent issues.)

But now that the article in question has been picked up by Chris Pirillo’s extraordinarily popular Lockergnome (in a post titled “False Claims of Firefox Spyware Epidemic”), I guess it deserves some comment. [Update: The Lockergnome story has now been pulled and replaced with an apology and a call for Mr. Healan to issue a correction.] 

Mike Healan’s article is, to put it mildly, shrill. After a few ad hominem attacks, complete with scare quotes, he gets to the meat of his argument:

What is truly sad here is that the news sites I mentioned earlier are portraying this as a spyware targeting and infecting the Firefox web browser. These news sites are doing a grave disservice to their readers by misleading them. This is not a problem with Firefox or with any other web browser.

The article doesn’t actually include any quotes from other reports, nor does the text link to any other discussion. Presumably, the two links at the end of his column are what Healan is referring to as “slander” and “libelous nonsense.”

My frustration with this is that people are calling it a problem with Firefox. That is patently untrue. Every single browser is going to pop up a similar warning when it encounters this particular Java applet. If this had been labeled a problem with all web browsers, it still would be untrue, but at least it would not slander a particular browser. The people publishing this libelous nonsense should be ashamed of themselves and should print a prominent correction.

Ah. So any criticism of Firefox is libel and slander, and whoever publishes any criticism or commentary should in turn be criticized. I see. Of course, if you’re going to write stuff like this, you should actually do some testing first. Although a Java-based exploit could infect any browser, this particular one is intelligent. The page in question actually looks at the browser type first. If the browser is Internet Explorer, it offers an ActiveX control. If the browser is Firefox, it uses Java. So Healan’s assertion that “every single browser is going to pop up a similar warning when it encounters this particular Java applet” is wrong. One might even call it “nonsense.”

Go back and read my analysis based on testing of the specific exploit. Firefox offers to install the Java plug-in. This plug-in, which is integrated into the Firefox browser, pops up a Security dialog box when you load a Web page in Firefox. If the user clicks Yes, the software gets installed on their system. This is the same sort of social-engineering attack that users of Internet Explorer have been wrestling with for years.

I doubt that Mike Healan has written a single line of code for the Mozilla Foundation, but he seems to take criticism of Firefox personally. Fortunately, the security professionals at the companies that develop this code don’t seem so defensive. According to eWeek, “Sun and Mozilla developers are currently working jointly to secure the browser and JRE’s ability to execute the code.”

Look, any program that allows you to connect to the Internet has the potential to be a vector for viruses and deceptive software. Any program the size of Firefox will have bugs and security holes in it. There’s already been an update that includes some important security patches. As new issues are identified, they should be dealt with promptly and openly. If people in the community think they’re doing the Mozilla Foundation a service by trying to shout down criticism or legitimate discussion of security issues, they’re wrong.

Spyware via Firefox? It’s true.

Last weekend I passed along sketchy details of a news report that claimed spyware purveyors have found a way to get to Windows users even when they use Firefox as their primary browser. I’ve now had a chance to test this claim and I can report that it’s true.

The original article included enough details to help me track down the seemingly legitimate Web site that’s distributing this stuff. Like so many of these sites, it offers content designed to attract young people – in this case, a library of song lyrics. I visited the site using both Internet Explorer and Firefox. The results were surprising.


Spyware in Firefox?

Vitalsecurity.org has an interesting report of a potential spyware/adware infestation that directly attacks Firefox users, using the Sun Java Virtual Machine as its installation engine. (In the comments, a security expert from the Mozilla Foundation notes that this exploit could attack Opera users as well.)

I’ll look at this in more detail when I get back in the office.

Block those Firefox popups!

My logs show a lot of people visiting this site looking for advice on how to stop Firefox pop-ups and pop-unders, which seem to have increased in frequency lately. Here’s an interesting bit of inside information from Asa Dotzler of the Mozilla Organization:

A number of pundits and bloggers have been wondering aloud whether or not we’ll be able to keep up with the pop-up spammers now that more of them are focused on us. Well, we shipped 1.0 with the capability to block these pop-ups and pop-unders but we didn’t enable it because we were concerned about breaking legitimate uses. If you’d like to turn it on, it’s a fairly simple change — and would be absolutely trivial for us to enable once we determine whether or not lots of websites are depending on the feature.

Here are the specific configuration steps to take to turn on the capability to block pop-ups from plug-ins, according to Asa:

  1. Open your Firefox 1.0 or 1.0.1 browser.
  2. Type about:config in the address field and press Enter.
  3. Right-click in the resulting config page somewhere and click New, Integer.
  4. Type privacy.popups.disable_from_plugins in the New Integer Value dialog box and click OK.
  5. Type 2 in the Enter Integer Value dialog box and click OK.

That’s all you need to do. Note that there are three possible values allowed in this dialog box:

  • 0: open allowed
  • 1: the opened windows are treated as popups, but they’re allowed to open (Firefox limits the number of these types of popups)
  • 2: the window is a popup, block it

If you try this and encounter problems, be sure to let Asa know.
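Both about:config changes on this page (network.prefetch-next set to false in “Google adds a (dangerous) Firefox tune-up”, and privacy.popups.disable_from_plugins set to 2 in the steps above) end up as user_pref lines in the profile's prefs.js, which is also the format of a user.js file you can drop into a profile to enforce them. The following is an added example of my own, not code from the posts or from Mozilla: it parses that file format, reports whether each of the two settings is at the hardened value (treating a missing pref as the Firefox 1.0 default the posts describe), and emits the user.js lines that fix them. The sample prefs text is constructed.

```python
"""Audit a Firefox prefs.js/user.js for the prefetch and plug-in pop-up settings."""
import re

# One user_pref("name", value); per line; values are true/false, integers or "strings".
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$')

# Build defaults as described in the posts for Firefox 1.0: prefetch on, plug-in pop-ups allowed.
DEFAULTS = {"network.prefetch-next": True, "privacy.popups.disable_from_plugins": 0}

# Hardened values: prefetch off, windows opened by plug-ins blocked (value 2).
WANTED = {"network.prefetch-next": False, "privacy.popups.disable_from_plugins": 2}


def parse_prefs(text):
    """Return {pref name: value} for every user_pref line; later lines override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue                      # comments, blank lines and anything unparseable
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def audit_prefs(text):
    """For each watched pref, report the effective value and whether it matches WANTED."""
    prefs = parse_prefs(text)
    report = {}
    for name, wanted in WANTED.items():
        current = prefs.get(name, DEFAULTS[name])
        report[name] = {"current": current, "ok": current == wanted}
    return report


def hardened_user_js():
    """user.js lines that set both prefs to their hardened values."""
    lines = []
    for name, value in WANTED.items():
        if isinstance(value, bool):
            js_value = "true" if value else "false"
        else:
            js_value = str(value)
        lines.append(f'user_pref("{name}", {js_value});')
    return "\n".join(lines)


# Constructed sample: a profile that left prefetch on and never set the pop-up pref.
WEAK_PREFS = """# Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("network.prefetch-next", true);
"""

if __name__ == "__main__":
    for name, r in audit_prefs(WEAK_PREFS).items():
        print(f"{name}: {r['current']} ({'ok' if r['ok'] else 'needs change'})")
    print("Suggested user.js:")
    print(hardened_user_js())
```

Point it at the prefs.js of a real profile to check a machine, or write the output of hardened_user_js() to a user.js in the profile directory; Firefox applies user.js on startup, so the settings survive later changes made through about:config.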

More Firefox security vulnerabilities

Secunia’s Vulnerability Report for Mozilla Firefox 1.x shows seven advisories for 2005, making a total of 11 since the browser was officially released last November. Three of the 11 issues (27%) are unpatched, and five are shown as partially fixed.

In the same period of time, Secunia has issued 15 advisories for Internet Explorer 6, five of them in 2005. According to Secunia, 32% of all current IE6 advisories are unpatched.

Interesting reading.

How fast is Firefox growing?

It’s all in the headline, and who you want to listen to.

VNUNet.com: Firefox market share rockets

ZDNet UK: Firefox’ growth starts to slip

Mozilla’s Asa Dotzler notes that Firefox has been downloaded more than 25 million times since its 1.0 release last November and says: “As Firefox and other Gecko-based browsers push toward 10%, IE has finally fallen under the 90% mark for the first time in WebSideStory’s tracking history.”

But a closer reading of the report from WebSideStory (a leading Web metrics firm that specializes in this measurement) tells a slightly different story. In his analysis, WebSideStory CEO Jeff Lunsford notes:

We track usage rather than downloads, however, and are seeing that the growth in Firefox’s usage has slowed slightly since its big surge in November. This is probably to be expected as we move beyond the early adopter segment. Growing concern over potential security holes in the browser might be another factor to consider. Back in December 2004, it seemed Firefox was a lock to reach 10 percent by mid-2005, ahead of the reported year end goal of the Mozilla Foundation. Given the latest growth rates, the year end target still appears attainable, but a mid-year achievement is unlikely unless we see increased marketing activity from the Mozilla Foundation.

For what it’s worth I’ve been using Firefox as my everyday browser for the past few months, but I’ll probably switch to the latest release of Maxthon (formerly MyIE2) this week. And of course I’m very interested in seeing what’s in the IE7 beta due in a few short months.