Mozilla retracts Firefox add-on malware claim
False-positive on AV scan incorrectly pegged Sothink add-on as infected
Computerworld - Mozilla Corp. today acknowledged that it had falsely accused a developer of infecting a Firefox add-on with attack code.
The admission came a week after Mozilla announced that a pair of add-ons, Sothink Web Video Downloader 4.0 and Master Filer, had slipped through its security check-in. According to the company, both were infected with Trojan horses designed to hijack Windows PCs. Mozilla removed both extensions from its official add-on download site.
Today, Mozilla said that it had been wrong about Sothink Web Video Downloader. "We've worked with security experts and add-on developers to determine that the suspected Trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware," Mozilla said in a statement posted to its add-ons blog.
Master Filer, on the other hand, does contain a Trojan, Mozilla reiterated today.
Last week, Sothink's developer denied that its add-on had given malware a ride into PCs running Firefox. "For every product, we test [for a] virus before release," said Joey Deng of SourceTec Software Co. in an e-mail reply to questions from Computerworld."We haven't found any Trojan during our test, for both Web Video Downloader 4.0 and 5.7."
In fact, Deng said SourceTec was "very surprised" to hear that its add-on had been pulled from the Firefox download site. Mozilla has never said whether it was in contact with the developers of the two add-ons prior to removing them from its site.
SourceTec is based in China, and Deng was not available for comment today due to the time difference.
Mozilla credited security software vendor McAfee Inc. for helping it determine that the Sothink add-on was not infected. According to Craig Schmugar, a threat researcher at McAfee, Mozilla reached out to McAfee, which had a team of researchers evaluate the Sothink add-on code. "They looked at the binary and determined that it did not contain [malware]," said Schmugar. "They gave that information back to Mozilla."
Schmugar said that several antivirus scanners had incorrectly flagged the Sothink add-on as harboring malware. "There are many things that vendors can do to reduce false positives," Schmugar said. Among other things, he explained, they can avoid using tools that hackers commonly employ.
SourceTec failed to do that, Schmugar said, citing its use of a code packer. "Packers are used to compress the file so it's smaller in transit and downloads faster," he noted. "They're also used as a kind of protection against reverse engineering. But they're used by malware authors for the same reasons."
Sothink's developers used a commercial packer to reduce the size of the add-on and obfuscate its code, Schmugar explained. "They used a packer that's also widely used by the bad guys," he said.
Mozilla has restored Sothink Web Video Downloader to its add-on download site. "We apologize to our users and the developers of Sothink for any inconvenience this has caused," the company said today.
Mozilla has not replied to multiple requests for comment on the add-on snafu.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Workarounds to purge search bar from Firefox's new tab page are available
- Mozilla ships Firefox 31, adds search to new tab page
- Microsoft's IE steps back from the brink of irrelevance
- Firefox falters, falls to record low in overall browser share
- Firefox risks user backlash by adding search box to new tab page
- Google unseats Microsoft as the U.S. browser powerhouse
- Safari, Chrome push to mask URLs
- Chrome on Windows champs at the 64-bit
- Google pulls trigger, cripples some Chrome add-ons
- Microsoft shoots to shorten Internet Explorer's long tail
Read more about Security in Computerworld's Security Topic Center.
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!