Security

November 16, 2009 5:45 AM PST

VeriSign expects major security update by 2011

by Tom Espiner
  • 5 comments

VeriSign, which runs the master database for such domains as .com and .net, says a significant Internet security vulnerability will be closed by 2011, after delays caused by technical aspects of the implementation.

The problem is that DNS, the Domain Name System that translates Internet addresses into numerical values, can be seeded with false values and used to misdirect users. VeriSign told ZDNet on Friday that it will put in place DNSSEC, a protocol that will guarantee the origin and integrity of DNS data for the .com and .net domains, by the first quarter of 2011.

Read more of "VeriSign: Major internet security update by 2011" at ZDNet UK.

October 18, 2009 6:04 PM PDT

Firefox blocks insecure .Net add-on--awkwardly

by Stephen Shankland
  • 86 comments

Mozilla on Friday disabled a Microsoft plug-in for Firefox called the .Net Framework Assistant because of a security problem--then scrambled to give people with patched systems an override option.

Mike Shaver, Mozilla's vice president of engineering, announced the first step late Friday night on his blog. "It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on," Shaver said. "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."

This warning sign greeted Firefox users after Mozilla blocked use of a Microsoft add-on.

(Credit: Screenshot by Stephen Shankland/CNET)

The .Net Framework Assistant add-on lets Firefox use Microsoft's ClickOnce technology for installing applications that run on its .Net programming foundation. The add-on already was something of a thorn in the sides of some Firefox users: it was automatically installed via Windows Update with the .Net Framework 3.5 Service Pack 1 without telling the user the add-on was being installed or giving an option. More hackles were raised because it wasn't compatible with Firefox 3.5, Shaver said, and because removing it initially required people to edit their Windows Registry--a technically onerous task for most people.

Firefox checks a Mozilla server periodically for a list of add-ons to avoid. Although Mozilla's blocking move was intended to protect users, it caused other problems. Shaver indicated that Firefox's changed behavior irked some system administrators.

That led Justin Angel, a former Silverlight program manager at Microsoft, to tweet, "When business users can't use their core business functionality--they uninstall stuff."

One issue was that Mozilla's add-on blocking technology couldn't tell if people had patched their software and so weren't vulnerable anymore. "We can't distinguish patched from unpatched, so we're blocking it while we sort that out," Shaver twittered. Over the weekend, Mozilla worked to remedy the situation.

"Pushing a change to our blocklist software that will let Firefox 3.5 users override the blocking of .NET FA/WPF plugin if they're patched," Shaver tweeted Sunday. But a few hours later, he added, "We're still working on the blocklist tweaks to help enterprises override the blocking of the WPF plugin, stay tuned!"

Update 6:47 p.m. PDT: Crisis partially averted, apparently. At about 6:10 p.m., Shaver tweeted, "MSFT confirmed that the .NET Framework Assistant is not exploitable, so we've removed it from the blocklist; one down!"

Update 8:34 p.m. PDT: There's still another blocked Microsoft add-on that's vulnerable, one that concerns the Windows Presentation Foundation (WPF), which also is installed with the .Net service pack. Shaver said it was more serious.

"We're hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist," Shaver said in a Sunday night blog post that announced the other plug-in had been removed from the Firefox blocked add-on list.

Originally posted at Deep Tech

March 30, 2009 11:00 AM PDT

Malware probes find a China angle

by Jonathan Skillings
  • 1 comment

China is coming under scrutiny as the possible source of malicious software and Internet attacks directed at foreign governments and other institutions.

A pair of recent research reports have cast some light on shadowy online initiatives with roots in China. Completed separately, both reports--"Tracking GhostNet," from the Munk Centre for International Studies in Toronto, and "The snooping dragon," from the University of Cambridge Computer Laboratory--address the Chinese government's efforts to monitor the activities of the Dalai Lama and the governing of Tibet.

Asked about the reports, analysts in China say that such claims are exaggerated and politically motivated, according to CNN.

Meanwhile, Vietnamese security firm BKIS says it has come across clues suggesting that the Conficker worm, which is supposed to start communicating with computers on April 1, may have Chinese origins. BKIS reported Monday that it spotted similarities between Conficker's code and that of the 2001 Nimda virus, though in both cases the findings are not at all definitive.

In "Tracking GhostNet: Investigating a Cyber Espionage Network," issued over the weekend, the Canadian researchers say that the GhostNet comprises 1,295 infected computers in 103 countries, almost one third of them being "high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs."

Despite going into great detail about how the GhostNet operates, and acknowledging the Chinese government's interest in the strategic exploitation of cyberspace, the Munk Centre researchers stop short of pointing fingers directly at a perpetrator:

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The breaches tended to stem from a so-called social-engineering exploit, in which targets in the Tibetan community were sent an e-mail that appeared to be from the address campaigns@freetibet.org and that carried an attached Word document titled "Translation of Freedom Movement ID Book for Tibetans in Exile"--and that Word document was infected with the malicious code.

The compromise of targeted systems could be substantial:

The system directs infected computers to download a Trojan known as gh0st RAT that allows attackers to gain complete, real-time control. These instances of gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan, People's Republic of China.

Our investigation reveals that GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras.

About 70 percent of the control servers behind the attack had Internet Protocol addresses assigned to China, but researchers also found such servers in the U.S., Sweden, South Korea, and Taiwan. Of the nearly 1,300 infected computers, Taiwan had the most, followed by the U.S., Vietnam, and India.

Given that China has the world's largest Internet population, the researchers say, "the sheer number of young digital natives online can more than account for the increase in Chinese malware. With more creative people using computers, it's expected that China (and Chinese individuals) will account for a larger proportion of cybercrime."

And while the Tibetan computer systems were "conclusively compromised," the report says, "it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value."

The University of Cambridge report, "The snooping dragon: social-malware surveillance of the Tibetan movement," doesn't refrain from charging that the Chinese government was directing malware attacks: "(I)t was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed."

Both reports also addressed the broader implications of the practices and behaviors observed in the Tibet-related malware efforts, and warn of the need for increased vigilance by both IT professionals and everyday computer users. As in many other breaches, from the Melissa virus 10 years ago to the Conficker worm today, breaches succeeded in part because people using the computer systems failed to take precautions when surfing the Web or opening e-mail messages.

The costs could be significant, according to the Cambridge University report:

As social-malware attacks spread, they are bound to target people such as accounts-payable and payroll staff who use computers to make payments. Prevention will be hard. The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defences against social-malware attacks will be a real challenge.

See also:

Conficker worm might originate in China
'60 Minutes': What's next for Conficker worm?
U.K. parliament computers get Confickered
FAQ: Conficker time bomb ticks, but don't expect boom
Melissa virus turns 10
