May 8th, 2008

Trojan Horse

Extensions for programs like Firefox sit at the convergence of desktop applications and the Web, and they can at times become attack vectors:

Starting in mid-February, Vietnamese users of Mozilla’s open source Firefox browser were at risk of infection from malicious Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site.

The add-on’s author is not suspected of intentionally booby-trapping the file, but instead had his own system infected. That Trojan inserted a banner-ad displaying script into any html [sic] file on his system, which included the help files for the language pack.

Ironically, the HTML files have been removed altogether from the forthcoming Firefox 3, because Mozilla has decided to use an online, wiki-based help system, rather than the static help files that come packaged with Firefox 2.

Application security is still important these days, but as software vendors race to embrace add-ons and RIAs, Web technologies can no longer be considered confined within a tight security “sandbox”. It’s not even just a security issue, either: with phishing- and other fraud-based attacks so prevalent, software developers need to be especially vigilant about any user interface details that could be used to deceive.
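The kind of pre-release check the incident above calls for, as an added example that is not from this post or from Mozilla: it opens an add-on's XPI (a zip archive) and flags any `<script>` or `<iframe>` in the bundled HTML files, which static help pages should never contain. The member names, the sample pages and the injected banner snippet are constructed for illustration.

```python
"""Pre-release audit of an add-on's bundled HTML help files: flag every
<script> or <iframe>, since static help pages should carry neither. Added
example, not Mozilla's or the language pack's code; sample data is constructed."""
import io
import zipfile
from html.parser import HTMLParser

SUSPECT_TAGS = {"script", "iframe"}

class TagFinder(HTMLParser):
    """Record (line, tag, src) per suspect element; tag names arrive lowercased."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in SUSPECT_TAGS:
            src = dict(attrs).get("src") or "(inline)"
            self.findings.append((self.getpos()[0], tag, src))

def suspect_tags_in_html(text):
    parser = TagFinder()
    parser.feed(text)
    parser.close()
    return parser.findings

def audit_xpi(xpi_bytes):
    """Map each HTML member holding suspect tags to its findings; {} if clean."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for name in xpi.namelist():
            if name.lower().endswith((".html", ".htm", ".xhtml")):
                hits = suspect_tags_in_html(xpi.read(name).decode("utf-8", "replace"))
                if hits:
                    report[name] = hits
    return report

# Constructed sample XPI: one clean help page, one with an injected ad script.
CLEAN = "<html><body>\n<h1>Trợ giúp</h1>\n<p>Nội dung.</p>\n</body></html>\n"
INFECTED = CLEAN.replace(
    "</body>", '<SCRIPT src="http://ads.example.invalid/banner.js"></SCRIPT>\n</body>')

def build_sample_xpi():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("help/intro.html", CLEAN)
        xpi.writestr("help/search.html", INFECTED)
        xpi.writestr("chrome/vi.jar", b"not html")  # non-HTML members are skipped
    return buf.getvalue()
```

Run `audit_xpi(build_sample_xpi())` to see the infected page reported with the line and source of the injected tag; a clean package returns an empty dict.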

As the author of a similar extension for Thunderbird, Firefox’s companion e-mail client, I should note that the Vietnamese localization pack I wrote for Thunderbird is not affected by the trojan. The current version was released in 2005, long before the Firefox localization package.

By the way, an updated version of that localization pack is in the works, based on the Firefox extension. Although I did consult some parts of the Firefox extension’s source code to resolve some tough-to-translate terms, there was no code sharing of any kind. (Not even copy-pasting.)

You can track my progress by pointing your Subversion client (such as TortoiseSVN) to http://version.1ec5.org/vi/. And if you happen to be fluent in Vietnamese, please contact me; I’d be more than happy to accept your help.

To clarify, only advertising banners were inserted, not actual worm or trojan code. See Asa Dotzler’s explanation.


