Be aware of adware, spyware and tracking ware. Security extensions in Firefox, Flock etc. can be rather helpful, but on the other hand there are extensions or add-ons you can better do without. We call them junk extensions. Evaluate what an extension does before downloading it: http://www.firefoxhacker.com/2006/12/04/junk-firefox-extensions/
Better safe than sorry. What was the extension that made you go: “Yikes”?
NoScript does its job of blocking scripts and I thought I would check what scripts from what 3rd party domains, see image. And the three at the top don’t fill me full of confidence in what this site might be peddling. And there is no way I’m enabling scripts to find out.
This site might well be legit, but I can’t help wondering why the rash of third party domain scripts. Perhaps I’m just too suspicious ;D
Nope, I don’t think so. I saw the same thing, and kind of chuckled about it.
Regarding Polonus’ original comment, I guess it was only a matter of time before extensions were exploited for “no good” on Firefox. May the installer beware…
There are already some that don’t even purport to be legit extensions serving a specific if trivial purpose whilst at the same time tracking or monitoring activity.
They just try to get you to click an install button for some piece of fictitious software and instead try to install an extension. You would have to have an old version of Firefox that didn’t have a two step check to installing extensions and be compliant to their wishes to be effectively infected.
True. I just read recently that when 1.5 support ends in April, Firefox 2.whatever will be pushed automatically through the upgrade mechanism. That should take care of most of the old version issues.
I’m using the long term support version of Ubuntu. I currently have the 1.5.0.9 Linux version, and I read that 2.whatever will be pushed through the updates “fairly soon”. Though you can generally just go and “grab” newer versions of programs, usually they don’t backport newer versions of programs for earlier releases. But, this appears that it’ll be an exception. Goodbye to 1.5 and earlier versions soon, I guess.
I’m sure there are. If you do your homework, and use highly rated extensions, you’re O.K. Can’t imagine how or why someone would need 20 or more extensions. The more you install, the greater chance of finding something flaky.
I didn’t even bother to do a whois, though your check just confirmed my suspicion, the domain names just looked suspicious and alexa used to be associated with adware/spyware.
Well, extensions are the weak point of every browser, and I would not discriminate against the Mozilla browser, there are ample junk extensions for IE as well. That is not the point of discussion. In FF 3.0 only a few extensions work (NoScript etc.), others can only be forced through the night-tester tools, but a lot cannot (max issues). As a rule of thumb: do not install third party code, only from official Mozilla add-on/extension site(s). Then all extensions should be tested for security that go there. Too many extensions are either out-dated or have issues (memory leaks). For instance safe.history made by coders of Stanford is a monster considering mem leaks. But also look at what is in about:config here: "network.dns.ipv4OnlyDomains ; status: default ; type: string ; value: doubleclick…net". What is the deal here? I saw this in the Flock browser, now I work ip6 with ip4 on top.
There is even a rally (Gandalf) against using AdBlockPlus and the G.Updater. I know some parties do not like ads to be blocked, but I like the user of the browser to decide what content he likes to see. Then coders meet the boundaries of the possibilities with certain code (like shortly with Ajax). Yes folks, it is a constant battle. Security has become a relative term. But I am of the opinion that education and secure habits can do a lot.
As it relates to this thread topic, that’s the best advice of the day, and I wholeheartedly agree.
The “rally” is most likely being led by the people who wrote the ads ;). I wouldn’t even contemplate browsing the web in this modern day and age without NoScript and Adblock Plus.
As always, you’re bang on with your opinions, and you offer much help here with options to think about. Thanks.
This question with extensions is just the issue why I uninstalled the Minefield nightly build of FF 3.01 recently - after an incremental update all my essential security add-ons/extensions flew out of the window.
If you have the latest Flock test builds you can always enforce your essential security add-ons to run inside Flock.
I for one will not use a browser without the possibility to deny scripts to run, so living without NoScript is a no way for me! Then I need ABP and the G-Updater, the Netcraft Toolbar, Stealther, a good Cookie editor, JS view, like to have my essential security in-browser tools there (DrWeb’s av hyperlink checker for instance, PhishTank), etc.
I’m gonna go and see what new coding is brought in from time to time in the FF Minefield, and I can always implement it into Flock. Flock also has some hiccups, but digests more and is so stable it hardly crashes, only stalls when you force something through its throat. That’s why it is my browser of choice. I haven’t the greenest why this browser has not been launched on a grand scale (heavily funded by Bessemer’s)?
With FF 3.0 and extensions I think the background of the whole story is there are too many fingers in FF’s code brewing cauldron, and too many cooks can come up with some strange smelling meals (flaws, holes, old code that is ignored).
Flock needs more working on the search-engine options, some extensions can interact strangely with others: Re-arrange searchengines for instance is a crime.
The champion of the mem leaking add-ons was SafeHistory made by the famous Stanford University coders (security-wise a nice add-on, but leaks like a proverbial sieve).
Learned a lot over the last months, comparing the code inside the browser with code available on for instance coders, and using a bit of your grey cells. Thanks for your comment and kind words, I stay on plonking security issues for Flock.
Stay malware free, and keep us informed is the wish of,
there are too many fingers in FF's code brewing cauldron, and too many cooks can come up with some strange smelling meals
This, polonus, is precisely why I could never understand why Open Source could be considered more secure than software produced by a Software company. ("Closed Source")
I know it's easier to plug a hole in Open Source, but the potential for leaks is also greater.
Well, I like to buy your story if the so-called closed software is all yours, and you and your team have been coding it from A to Z. But if you start out with some-one else’s browser (that you bought up), you upgrade only if the competition launches a product that has more features, and your main concern is to own the market, the user does not know what skeletons are hanging in the cupboard. OK, you can shoot down “open source” because the disadvantages are told at the front-end, but closed source also borrowed heavily from open source. I think it is a story about the cat and the dog. Only if closed source is a dog, I do know how ferocious this dog is. At least I know about its appetite. They better tell me how to tie it down good: safeXP, no admin rights. Better would be if this wishlist could be brought in, and webdeveloping should stick by these rules, we could sleep a lot better, because everything is really “broken” now:
If we could start all over again, and we could change everything using “Bob’s magic wand”, what would there be different? Here is the wish list:
Complete language separation of JavaScript from HTML
Nuke Basic and Digest Auth for something way more secure, but just as simple.
HTTP stripped down and streamlined (no off-domain referers, no passive third-party cookies, native support for URL and cookie encryption)
Browsers only support well-formatted XHTML
Compilable web pages (HTML/JavaScript) into byte-codes
SSL certificates may contain trademarked logos that show up in the browser chrome (M$ promised to bring this in, but it is too expensive for a lot of small companies).
Browser integration of Secure Cache, Safe History, and Netcraft’s anti-XSS URL features in their toolbar
Implement Content Restrictions
Same-origin policy applied to the JavaScript Error Console
Restrict websites with public IP’s from including content from websites with non-routable IP
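Two of the checks discussed in this thread can be expressed as a small defensive audit: the third-party script domain listing that NoScript produced earlier in the thread, and the last wish-list item, refusing to let a publicly routable page pull content from a non-routable (intranet, loopback) address. The script below is an added example written for this page; it is not code from the forum, from NoScript or from Mozilla. The hostnames and addresses in `FAKE_DNS` are constructed so the example runs offline, the `.test` names are hypothetical, and the "registrable domain" helper is a deliberate simplification (real tooling consults the Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name -> address table standing in for DNS so the example runs
# offline. Hypothetical names and addresses, not real records.
FAKE_DNS = {
    "www.example-shop.test": "203.0.113.10",
    "cdn.example-shop.test": "203.0.113.11",
    "stats.tracker-a.test": "198.51.100.7",
    "intranet.corp.test": "10.0.0.5",
    "localhost": "127.0.0.1",
}

# Ranges treated as non-routable on the public Internet: RFC 1918, loopback,
# link-local, "this network", CGNAT shared space, and their IPv6 analogues.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_non_routable(ip_text):
    """True when the address falls inside one of the NON_ROUTABLE ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in NON_ROUTABLE)


def registrable_domain(host):
    """Crude site boundary: the last two labels of the host name.
    Simplification for the constructed names; production code should use
    the Public Suffix List (e.g. 'example.co.uk' has three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_includes(page_url, resource_urls, resolve=FAKE_DNS.get):
    """For every resource a page loads, report whether it comes from a
    third-party domain and whether a publicly routable page is pulling
    content from a non-routable address (the wish-list rule)."""
    page_host = urlsplit(page_url).hostname or ""
    page_ip = resolve(page_host)
    page_is_public = page_ip is not None and not is_non_routable(page_ip)
    findings = []
    for url in resource_urls:
        host = urlsplit(url).hostname or ""
        ip = resolve(host)  # None when the constructed DNS has no answer
        third_party = registrable_domain(host) != registrable_domain(page_host)
        crosses = page_is_public and ip is not None and is_non_routable(ip)
        findings.append({
            "url": url,
            "host": host,
            "resolved": ip,
            "third_party": third_party,
            "crosses_to_non_routable": crosses,
        })
    return findings


def flagged_urls(page_url, resource_urls, resolve=FAKE_DNS.get):
    """The resources a strict policy would refuse to load: anything that
    crosses from a public page into non-routable address space."""
    return [f["url"] for f in classify_includes(page_url, resource_urls, resolve)
            if f["crosses_to_non_routable"]]


if __name__ == "__main__":
    page = "https://www.example-shop.test/cart"
    scripts = [
        "https://cdn.example-shop.test/app.js",
        "https://stats.tracker-a.test/t.js",
        "http://intranet.corp.test/widget.js",
        "http://localhost:8080/debug.js",
    ]
    for f in classify_includes(page, scripts):
        print(f"{f['host']:25} third-party={f['third_party']!s:5} "
              f"ip={f['resolved']} blocked={f['crosses_to_non_routable']}")
```

Run against the constructed page, the first script is first-party and allowed, the tracker is third-party but still routable, and the two intranet/loopback scripts are the ones `flagged_urls` refuses; the third-party column is the same information NoScript's per-domain list gives, only here it is available to a script rather than a dialog.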
Though I remain committed to open source, I do agree with your premise. However, I would rather trust the thousands of volunteers of the various open source projects to come up with timely and accurate fixes, than trusting the employees of MS in Redmond to even disclose problems in a timely manner, and then to come up with fixes for the problems.