Last July, we pointed out that the Google Reader Notifier extension had turned into crapware, the NoScript add-on was hijacking another extension, and even the Fast Dial extension was spamming you—so it was only a matter of time before an extension came bundled with a full-blown trojan.
去年7月,我们指出Google Reader Notifier扩展已变成垃圾软件 ,NoScript附加组件劫持了另一个扩展 ,甚至Fast Dial扩展也向您发送了垃圾邮件,因此捆绑扩展只是时间问题与一个成熟的木马。
Last time, it was as simple as spam links showing up in your browser, and tracking the URLs you were going to—really frustrating and evil, but not necessarily the end of the world, since it wasn’t going to take over your PC.
上一次,它就像在浏览器中显示垃圾邮件链接并跟踪您要访问的URL一样简单,确实令人沮丧和邪恶,但不一定是世界尽头,因为它不会接管您的PC 。
Yesterday, the Mozilla Add-ons blog reported that two extensions contained nasty trojans that hijacked your PC.
昨天,Mozilla附加组件博客报告说, 两个扩展包含劫持您PC的讨厌木马 。
Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.
发现两个实验性附件,即Sothink Web Video Downloader的4.0版和Master Filer的所有版本都包含针对Windows用户的Trojan代码。 Sothink Web Video Downloader的4.0版包含Win32.LdPinch.gen,而Master Filer包含Win32.Bifrose.32.Bifrose木马。 两个加载项均已在AMO上禁用。
If you’ve installed those extensions at any point, you should make sure to run a full virus scan on your PC.
如果您随时安装了这些扩展,则应确保在PC上运行完整的病毒扫描。
Rant About Firefox Extension Security
关于Firefox扩展安全性
Instead of ranting again, let me just quote what I said last time this happened…
让我只不过引用我上次发生这种情况时所说的话 ,而不是再次大声疾呼。
What’s to stop yet another Firefox extension from turning into badware, sneaking in tracking codes, or stealing your personal information? It’s already happened with two of the most popular extensions… Somebody at Mozilla needs to do something about this.
是什么阻止另一个Firefox扩展变成恶意软件,潜入跟踪代码或窃取您的个人信息? 两个最受欢迎的扩展已经发生了……Mozilla的某个人需要为此做些事情。
The current process over at Mozilla is to run an automated virus scanner against the extensions, and as a result of this issue they have added more scanning tools to the process. This doesn’t solve the real issue, because any virus programmer with some skills can write a customized virus that doesn’t get picked up by any of the commercial virus scanning tools. Sure, some of the tools have heuristics that will probably detect rootkits and some of the nastier techniques, but it’s not going to prevent the issue entirely.
Mozilla当前的过程是针对扩展运行自动病毒扫描程序,由于这个问题,他们在该过程中添加了更多的扫描工具。 这不能解决真正的问题,因为任何具有一定技能的病毒程序员都可以编写自定义的病毒,而该病毒不会被任何商业病毒扫描工具所捕获。 当然,某些工具具有启发式功能,可能会检测到Rootkit和一些更恶劣的技术,但并不能完全防止该问题。
The real problem isn’t even a traditional virus, as far as I’m concerned. How difficult would it be for somebody to write a native Firefox extension that simply takes all your passwords and sends them to a rogue site? There’s no security layer to prevent add-ons from accessing your personal information stored in the browser, and no virus scanner is going to pick up a native Firefox extension since they are written in Javascript.
就我而言, 真正的问题甚至不是传统病毒 。 有人写一个仅用您所有密码并将其发送到恶意站点的本地Firefox扩展,对某人有多难? 没有安全层可以阻止加载项访问您存储在浏览器中的个人信息,并且病毒扫描程序也不会采用本机Firefox扩展,因为它们是用Javascript编写的。
The Partial Solution
部分解决方案
Nobody’s expecting Mozilla to scan through the source code of every single extension—that’s just prone to human error anyway. What would make sense, however, is to have some layers of security that prevent add-ons from accessing any of your personal information stored in the browser unless you specifically allow them to.
没有人期望Mozilla能够扫描每个扩展的源代码,无论如何这都容易出错。 但是,有意义的是要具有一些安全性层,以防止附加组件访问存储在浏览器中的任何个人信息,除非您明确允许。
What Can You Do to Keep Safe?
您可以采取什么措施来确保安全?
You should always make sure to check the reviews on an extension before you install it—don’t just take somebody else’s word when they vouch for an extension… make sure to do your due diligence to check things out first. The same thing applies for any application, of course—if you’re installing applications without doing a virus scan, you’re leaving yourself wide open to having your PC hijacked.
您应该始终确保在安装扩展程序之前先检查一下扩展程序上的评论-当别人担保扩展程序时,不要只听别人的话……请务必尽一切努力首先检查出问题所在。 当然,同样的情况适用于任何应用程序-如果您在安装应用程序时没有进行病毒扫描,那么您就有可能被劫持PC。
Please read: Security Issue on AMO [Mozilla Add-ons Blog]
3434
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
