Mozilla retracts Firefox add-on malware claim
False-positive on AV scan incorrectly pegged Sothink add-on as infected
Computerworld - Mozilla Corp. today acknowledged that it had falsely accused a developer of infecting a Firefox add-on with attack code.
The admission came a week after Mozilla announced that a pair of add-ons, Sothink Web Video Downloader 4.0 and Master Filer, had slipped through its security check-in. According to the company, both were infected with Trojan horses designed to hijack Windows PCs. Mozilla removed both extensions from its official add-on download site.
Today, Mozilla said that it had been wrong about Sothink Web Video Downloader. "We've worked with security experts and add-on developers to determine that the suspected Trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware," Mozilla said in a statement posted to its add-ons blog.
Master Filer, on the other hand, does contain a Trojan, Mozilla reiterated today.
Last week, Sothink's developer denied that its add-on had given malware a ride into PCs running Firefox. "For every product, we test [for a] virus before release," said Joey Deng of SourceTec Software Co. in an e-mail reply to questions from Computerworld. "We haven't found any Trojan during our test, for both Web Video Downloader 4.0 and 5.7."
In fact, Deng said SourceTec was "very surprised" to hear that its add-on had been pulled from the Firefox download site. Mozilla has never said whether it was in contact with the developers of the two add-ons prior to removing them from its site.
SourceTec is based in China, and Deng was not available for comment today due to the time difference.
Mozilla credited security software vendor McAfee Inc. for helping it determine that the Sothink add-on was not infected. According to Craig Schmugar, a threat researcher at McAfee, Mozilla reached out to McAfee, which had a team of researchers evaluate the Sothink add-on code. "They looked at the binary and determined that it did not contain [malware]," said Schmugar. "They gave that information back to Mozilla."
Schmugar said that several antivirus scanners had incorrectly flagged the Sothink add-on as harboring malware. "There are many things that vendors can do to reduce false positives," Schmugar said. Among other things, he explained, they can avoid using tools that hackers commonly employ.
SourceTec failed to do that, Schmugar said, citing its use of a code packer. "Packers are used to compress the file so it's smaller in transit and downloads faster," he noted. "They're also used as a kind of protection against reverse engineering. But they're used by malware authors for the same reasons."
Sothink's developers used a commercial packer to reduce the size of the add-on and obfuscate its code, Schmugar explained. "They used a packer that's also widely used by the bad guys," he said.
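The heuristic Schmugar describes is easy to reproduce. A packer compresses or encrypts the original code, so the packed sections look like random bytes (near 8 bits of Shannon entropy per byte) and often carry section names that identify the packer. The script below is an added illustration, not Mozilla's, McAfee's or SourceTec's code: it computes per-section entropy, checks section names against a small list of names that UPX and ASPack leave behind, and runs the check on a constructed sample (pseudo-English text versus its zlib-compressed form, standing in for an unpacked versus a packed section). The 7.0 bits/byte threshold and the 512-byte minimum section size are assumptions chosen to avoid flagging short sections whose entropy is bounded by their length.

```python
import math
import random
import zlib
from collections import Counter

# Section names commonly left in a PE header by well-known packers.
# UPX0/UPX1/UPX2 are UPX's defaults; .aspack/.adata are ASPack's.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}

# Assumed thresholds: deflate/encrypted output sits close to 8.0 bits/byte,
# ordinary x86 code and text sit well below it. Tiny sections are skipped
# because their entropy cannot exceed log2(len) and would never be reliable.
ENTROPY_THRESHOLD = 7.0
MIN_SECTION_SIZE = 512


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a perfectly uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def packer_indicators(sections, threshold=ENTROPY_THRESHOLD, min_size=MIN_SECTION_SIZE):
    """sections: iterable of (section_name, raw_bytes).

    Returns a list of human-readable reasons why the file looks packed;
    an empty list means no indicator fired. Callers decide what to do with
    the result; on its own this is a heuristic, not proof of malware.
    """
    reasons = []
    for name, raw in sections:
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append(f"{name}: section name associated with a known packer")
        h = shannon_entropy(raw)
        if len(raw) >= min_size and h >= threshold:
            reasons.append(f"{name}: entropy {h:.2f} bits/byte (compressed or encrypted content)")
    return reasons


def constructed_sample():
    """Constructed input: deterministic pseudo-English text and its deflated form.

    The plain text stands in for an unpacked code/data section; the zlib
    output stands in for what a packer stores in the file.
    """
    rng = random.Random(42)
    vocab = [
        "firefox", "addon", "extension", "download", "video", "browser", "user",
        "update", "security", "scan", "vendor", "binary", "packer", "compress",
        "transit", "reverse", "engineering", "protect", "author", "code", "file",
        "section", "header", "entropy", "heuristic", "signature", "flag", "false",
        "positive", "trojan", "windows", "remove", "restore", "apologize", "team",
        "research", "evaluate", "developer", "release", "test", "virus", "surprise",
        "contact", "statement", "blog", "site", "official", "check", "slip", "hijack",
    ]
    plain = " ".join(rng.choice(vocab) for _ in range(6000)).encode()
    packed = zlib.compress(plain, 9)
    return plain, packed


if __name__ == "__main__":
    plain, packed = constructed_sample()
    print(f"plain text  : {len(plain):6d} bytes, {shannon_entropy(plain):.2f} bits/byte")
    print(f"deflated    : {len(packed):6d} bytes, {shannon_entropy(packed):.2f} bits/byte")
    print("unpacked-looking file:", packer_indicators([(".text", plain)]) or "no indicators")
    print("packed-looking file  :", packer_indicators([("UPX1", packed)]))
```

Run as-is, the script reports the plain text at roughly 4 bits/byte and the deflated copy close to 8, which is the difference a scanner's heuristic keys on; a legitimately packed commercial add-on and a packed Trojan produce the same two indicators, which is exactly why the packer alone produced a false positive here and why McAfee had to look at the unpacked code to clear it.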
Mozilla has restored Sothink Web Video Downloader to its add-on download site. "We apologize to our users and the developers of Sothink for any inconvenience this has caused," the company said today.
Mozilla has not replied to multiple requests for comment on the add-on snafu.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed.