Sunbelt Software: Spyware, Adware, & Mozilla Firefox
When Firefox loads a web site that wants to install and run a Java applet, it starts the Sun Java "virtual machine," which promptly displays a notice requesting the user's consent to the applet. This prompt box contains almost no useful information whatsoever beyond the name of the company responsible for the Java applet. That company name isn't helpful because most users won't recognize the names of the companies behind spyware and adware. Still worse, because many Firefox users will be accustomed to clicking through these Java applet installation prompts without thinking twice, most won't even notice the name of the company. Thus, many Firefox users who encounter Java applets that install spyware or adware simply won't realize what they've consented to until their screens start filling with pop-up ads and their PCs' performance begins deteriorating.
Conclusion: Firefox, Spyware, & Adware
How realistic is it to expect adware and spyware to be installed through the installation methods just described? As a matter of fact, we have already encountered and documented examples of spyware and adware that are installed through just these methods. One variant of the "Bridge" spyware program was being installed by popular music lyrics sites last year through the "browser extension" installation method (http://www.sophos.com/virusinfo/analyses/trojbrissa.html & http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=SPYW_BRISS.A). We've also seen a variant of the well-known XXXToolbar installed by "crackz" sites as a "browser extension" through Mozilla-based browsers, which include Firefox. More recently, we've learned of still other music lyrics sites that launch Java applets to install multiple adware programs, including the 180search Assistant, ISTBar, PowerScan, Sidefind, PeopleOnPage, and the YourSiteBar (http://www.vitalsecurity.org/2005/03/firefox-spyware-infects-ie.html). Finally, we know of new software from iSearch/iDownload that specifically detects that Firefox is present on the PC and installs a special "browser extension" for it (http://sunbeltblog.blogspot.com/2005/03/idownload-legal-matter-more.html).
At present such examples of Firefox-enabled spyware and adware are few in number and not widespread. But these examples do illustrate the potential problems that Firefox users could face with spyware and adware as Firefox (like other Mozilla-based browsers) becomes more popular with web surfers and, consequently, becomes a more attractive target for spyware and adware pushers. Without better information about the software that web sites attempt to install, Firefox users could very well be clicking their way through to spyware and adware just as furiously as Internet Explorer users have over the past few years.
More importantly, though, these examples should serve as an object lesson to security researchers, who tend to slight security problems that aren't as "sexy" as full-blown security exploits and vulnerabilities. The story of spyware and adware is largely the unremarkable tale of users being tricked into consenting to the installation of unwanted software, and security researchers would do well not to ignore that reality, however boring and depressing it might be.
------------------ Eric L. Howes 10 Mar. 2005