Ngựa thành Troy


Extensions for programs like Firefox sit at the convergence of desktop applications and the Web, and they can at times become attack vectors:

Starting in mid-February, Vietnamese users of Mozilla’s open source Firefox browser were at risk of infection from malicious Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site.

The add-on’s author is not suspected of intentionally booby-trapping the file, but instead had his own system infected. That Trojan inserted a banner-ad displaying script into any html [sic] file on his system, which included the help files for the language pack.

Ironically, the HTML files have been removed altogether from the forthcoming Firefox 3, because Mozilla has decided to use an online, wiki-based help system, rather than the static help files that come packaged with Firefox 2.

Application security is still important these days, but as software vendors race to embrace add-ons and RIAs, Web technologies can no longer be considered confined within a tight security “sandbox”. It’s not even just a security issue, either: with phishing- and other fraud-based attacks so prevalent, software developers need to be especially vigilant about any user interface details that could be used to deceive.
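A pre-release check for the failure described above, as an added example that is not code from this blog or from Mozilla: it scans the HTML files inside an extension package (an XPI is a zip archive) for active content loaded from a remote host. The assumption that the injected banner script was a `<script src=…>` pointing at another host, the file names and the `ads.example.invalid` URL are all constructed for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src attribute pulls in active or framed content.
ACTIVE_TAGS = {"script", "iframe", "frame", "embed"}


class RemoteSourceFinder(HTMLParser):
    """Collects (tag, url) pairs for active content loaded from a remote host."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        src = (dict(attrs).get("src") or "").strip()
        # Remote means an explicit scheme or a protocol-relative URL with a host.
        if tag in ACTIVE_TAGS and urlparse(src).netloc:
            self.hits.append((tag, src))


def scan_package(data):
    """Return {member name: [(tag, url), ...]} for HTML files in a zip/XPI."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith((".html", ".htm", ".xhtml")):
                continue
            finder = RemoteSourceFinder()
            finder.feed(pkg.read(name).decode("utf-8", errors="replace"))
            if finder.hits:
                findings[name] = finder.hits
    return findings


def build_sample_package():
    """Constructed sample: two help pages, one with an appended remote script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("chrome/help/welcome.html",
                     "<h1>Help</h1><script src='local.js'></script>")
        pkg.writestr("chrome/help/tabs.html", "<html><p>Tabs</p></html>"
                     "<script src='http://ads.example.invalid/b.js'></script>")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_package(build_sample_package()).items():
        print(member, hits)
```

Inline scripts are not flagged by this check; comparing the packaged files against the versions in source control covers that case.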

As the author of a similar extension for Thunderbird, Firefox’s companion e-mail client, I should note that the Vietnamese localization pack I wrote for Thunderbird is not affected by the trojan. The current version was released in 2005, long before the Firefox localization package.

By the way, an updated version of that localization pack is in the works, based on the Firefox extension. Although I did consult some parts of the Firefox extension’s source code to resolve some tough-to-translate terms, there was no code sharing of any kind. (Not even copy-pasting.)

You can track my progress by pointing your Subversion client (such as TortoiseSVN) to http://version.1ec5.org/vi/. And if you happen to be thạo tiếng Việt, please contact me; I’d be more than happy to accept your help.

To clarify, only advertising banners were inserted, not actual worm or trojan code. See Asa Dotzler’s explanation.

This page contains a single entry by Minh Nguyễn published on May 8, 2008 12:05 AM.