Firefox 94.0.2 was hacked
Last night my Firefox 94.0.2 was hacked. When running Firefox, it would lock up my desktop. It disabled Norton Security, it disable other installed security software, and it disabled Windows System Restore. The hacker put up a message claiming to be Microsoft Support, with a phone number to call for help. This was a scam. I ran Firefox refresh, and that removed the hacker's program from Firefox, but then I had to do a full repair of my Window's installation. To protect my system, and prevent this from happening again, I added "xpinstall.enabled = false" into about.config. Please let me know if this will prevent a web site from installing a dangerous hack into Firefox, or if there is something else that I need to do. I have used Firefox for years, and have never encountered this problem before. Firefox is my favorite browser, but I am now afraid to use it. Please advise me what to do. Thanks, Jim
All Replies (13)
Don't panic. "xpinstall.enabled" settings is for extensions related things. For better protection, you can enable Enhanced Tracking Protection in Strict mode. Make sure to update your PC and scan your pc routinely to prevent this from happening in the future.
There is an extension called UBlock Origin, this will block ads and increasing your web security by overall.
I agree with using UBlock Origin or other ad blockers.
You should contact Norton support and let them know what happened to you. Give them any details that ask for.
You may have ad/mal-ware.
Further information can be found in this article;
https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware?cache=no
Run most or all of the listed free to use malware scanners. Each works differently. If one program misses something, another may pick it up.
Forgot to add; https://support.norton.com
I set the "Enable Tracking Protection to Strict", so that should help. I found the uBlock Origin add-on but when I tried to install it, it failed to install with the error: "An unexpected error occurred during installation."
I use Norton 360 Security for Virus Protection and MalWare Premium for Malware Protection. I suspect the program/virus/malware, or whatever we might call it, was installed by news web site. That is just a guess. I do not think that it was in my PC before.
After getting the PC working again, I ran a Norton Scan of the system, and then I downloaded and ran the Norton Restoro Tool and did the advanced scan repair of my Windows installation. That tool took a few hours to run.
I suspect that the hacker program was installed into Mozilla Firefox by a website ... at least that is my theory. I am retired from IT, so I know enough to get into trouble.
I guess the next question is how can I get "uBlock Origin" to install, and is there anything else that I need to do. Norton 360 and MalWareBytes are both now running, but those will not protect Firefox from a website depositing something bad into the browser. I have never seen this issue before. I guess this is the way browsers get viruses or Malware.
I appreciate your help. I wish that I knew more.
Thanks, Jim
I am still not able to install the uBlock Origin add-on.
This discussion is getting deep into technical detail in protecting Firefox from attacks.
I appreciate your suggestions and your help, but I believe this is something you should be building into your Firefox distribution by default, and not expecting users to have this technical depth of knowledge in order to protect their system.
I am retired from IT after over 40 years. I am definitely not brilliant, but I am not a complete novice. I was involved in Scientific Program development at Oak Ridge National Lab and Los Alamos National Lab for 15 years. I was in IBM dedicated technical support for 11 years. I was in Openwave Systems professional services for 16 years.
I am able to follow most, but not all, of your suggestions for improving the security of Firefox and protecting my installation from malicious attacks.
I am concerned that you have not built this logic into your software by default. Most users are not technical experts. The instructions that you are giving me is appreciated, but are not simple. I am still not convinced that my system is secure from future attacks.
This is a Mozilla Firefox problem, and NOT a Norton Security problem, NOT a MalwareBytes problem.
A web site was able to upload a small program into Firefox, during an ordinary web connection and store that program into Firefox, without my permission or knowledge. That is a major Firefox security problem. They did not just upload data, they uploaded an executable program. That could be a major security problem for a secure data center, or for a data working with critical information.
Websites should not have the ability to modify your own software installation. They did not just upload data, they uploaded a dangerous executable program.
Their program locked up my computer desktop, and modified a large number of security files. Their program disabled Norton Security, MalwareBytes, and a few other programs. Their program disabled Windows System Restore. This was a pretty smart program that did a large amount of damage, before I realized that the program was running inside Mozilla Firefox. Their software was communicating over the internet back to their home base.
First that when I disconnected my computer from the internet, that the software was not able to lock my display. Then I discovered that my keyboard and display was only being locked up when I ran Firefox.
I have never seen software that would give a client the ability to modify the software configuration, much less install an executable program into their software.
I am certain that my mother, my wife, or anyone in my immediate family, or any of my friends
could not follow your security suggestions.
Technically these are good suggestions, but realistically, you need to be configuring better security into Firefox, so users do not need this level of detail technical support.
You should NOT be allowing a user/client to modify the Firefox configuration, much less to install an executable program into Firefox. That is a major security hole.
If I was an IT Manager in a security environment, I would NOT allow your software behind my firewall. If I was a corporate IT Manager dealing with sensitive data, I would NOT allow your software behind my firewall.
This is not poor security this is almost no security.
For you to allow a user to upload a program into Firefox without a user's permission without a user's knowledge, is a major security problem.
I was deeply involved in scientific software development for 15 years, and dedicated technical customer support for 27 years. You seriously need to strengthen your internal Firefox security.
An arbitrary website should not be modifying your add-ons, extensions, or anything in your software, without a user's knowledge or more importantly without a user's permission.
This such a basic issue, that I find it hard to understand how you could have this problem.
My knowledge of the technical details of Firefox is limited, but at this point, I would not trust Firefox in a mission critical secure environment. If you know of details in your configuration to improve your security, those should be defaults in your system, not support issues.
It is not reasonable for you to be allowing an arbitrary website to modify or add malicious software into Firefox, without a user's permission or knowledge. Your security hole completed disabled other software installations in my computer. That program trashed my Norton Security Installation, and I had to do a complete re-install of Norton Security. If this was large corporate environment, you would have a significant liability from other software companies.
Unfortunately, in my opinion, large data centers are installing Window Server operating systems to run large servers. If a large data center server had Window's commercial security software protecting their data center, your security hole would have disabled that security. If that happened in a major security data center running a large Window's server, you would have some major legal and financial liabilities.
I really like Firefox, but you have a major security problem, that you could float a battleship through.
Hello,
Most likely, this website was not the cause of the issue. As said earlier, ublock origin is probably the best extension to use; however, this will do nothing in the case of a threat on your windows install.
xpinstall.enabled = false is a config tweak that disables extension installation. It does not disable plugins or dll injection. (you can check dlls at about:thirdparty)
As said by FredMcD, this may be a piece of malware on your pc. Make sure to install Firefox only from trusted sources. Best case scenario, use winget or directly download from mozilla.org.
Firefox can not completely mitigate the risk of malicious software on your computer.
Okulungisiwe
While it is possible that a virus could have made these changes, I think that is unlikely. I run Norton 360 for Virus protection. Every night my system uploads new virus updates, and then scans my system every night for viruses. Even if a virus made the change, Firefox should not have allowed the change, regardless of where the change came from. I have no doubt, that "Group Policy" configurations, or Firefox Config keys could protect Firefox from a website or a virus, from installing an add-on or an extension to Firefox, but that would make no sense. If a Virus was already on my computer, there would be no need for it to install anything into Firefox. Since the program was installed inside Firefox, it probably came from a website, otherwise there would be no reason to install the program inside Firefox. I agree that Firefox config keys, and Wndows Group Policy configurations probably could protect Firefox from having an extension or an add-on from being loaded, that might be simple for computer gurus, but it is not something that most people would even begin to know how to do. Recently, I had some heart surgery. While the surgeon was brilliant in his knowledge of heart surgery, I would bet that he would not know what Windows "Group Policy" was or what a Firefox config file would contain. Here is the problem, and I strongly believe the malicious software was uploaded somehow from somewhere into Firefox, and the malicious software only ran when I ran Firefox. This security hole expose Firefox users in homes, offices, government offices, corporations, to ransom ware. I can't rule out that the add-on or extension did not come from a website, but a website uploading the malicious software is the most logical conclusion. Given the control that malicious program had to my computer, this was a ransom ware attack, where if I had called the phone number that he wanted me to call, he would have wanted a large amount of money to restore my system. It would have been easy for that malicious program to have encrypted all or part of my disk. If you can think of a plausible way that malicious program was installed into Firefox from some place other than a website, please suggest it. Regardless of how the add-on or extension was added into Firefox, it should have been blocked from being added, unless the hacker was an expert in Firefox. In my opinion, this security hole in Firefox is exposing ordinary people to ransom ware, and that is a major problem, and a major expense to people and corporations. If the installation did not come from a web connection, what would be reason to run the malicious program inside Firefox. When I discovered the program was running inside Firefox, and I could avoid the problem by disconnecting from the internet and by not running Firefox, then I was able start cleaning up Firefox and cleaning up my computer. If the malicious software had been running from a virus or a program installed on my computer, this would have been a more difficult problem to solve. I really like Firefox, and I don't want to be a pain in the rear to you, I just think this is a serous problem that you need to address. I could be wrong, but I think the current default installation of Firefox today would allow a website to upload an add-on or extension into Firefox, otherwise there would be no reason for the malicious program to run inside Firefox. If I am wrong, then I do not know how the malicious program could have gotten into Firefox, except over the internet from a website. Please do not be offended by my comment. I really like Firefox and have used it for years, and I will be the first to tell you that there is much about computer security that I do not know. I am just concerned that this is a serious problem that could expose a large number people to a ransom ware attack, and it is a problem that could be easier solved by Firefox developers than by ordinary users. If I am right, this problem could be a huge liability for Firefox, and needs to be fixed inside Firefox ... and I could easily be wrong. Jim
jimwest1 said
I appreciate your suggestions and your help, but I believe this is something you should be building into your Firefox distribution by default
Hi,
The people who answer questions here, for the most part, are other users volunteering their time (like me), not Mozilla employees or Firefox developers. If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.
You can also file a bug report or feature request. See File a bug report or feature request for Mozilla products for details.
jimwest1 said
I run Norton 360 for Virus protection . . .
Malware is known to hide from protection programs. That is why users should also scan using malware scanners. Re; https://support.mozilla.org/en-US/questions/1359397#answer-1462745
If a hacker had planted a malicious program on my computer, there would be no reason to install the program inside Firefox. If the program was already on my computer, it could simply run, and there would be no advantage to having the program run inside Firefox. Having the program run inside Firefox, made the program easier to discover and easuer ti destroy. In my opinion, the malicious program was probably uploaded into Firefox and added as an extension or an add-on to run inside Firefox. That would have been the easiest and simplest way for the the program to be loaded into Frirefox and then have the program running inside Firefox.
OK, run a test. Prove me wrong. Take a "default" Firefox installation. Write a simple HTML server, maybe with php or java scripts, and see if this test web server, when connected to Firefox on either port 80 or port 443, can load a program into Firefox. If it is easy, then there is a problem. If it can't be done, then my assumption is not correct. Jim
This message may come off as slightly condescending, I am sorry if it does; however, the way I will explain this will be very if this then that.
Let's assume that there is a zeroday that allows websites to install any add-on to Firefox they would like. How would an extension (which in the backend is really just a fancy webpage that can access your tabs with javascript and have its own html and css files, as well as a place to store information) be able to do anything outside of Firefox? And yes, the term add-on encompasses themes as well, this could be leveraged to change how the browser looks, but can't do much else.
And yes, as your response had the question, why would they install an extension if they have access to your pc. This is a great question, as extensions' scripts are secured similarly to webpages scripts. Honestly, I think it would be easier to modify information given to the user if one used the tools available in extensions.
This message you saw was most likely a simple javascript popup.
I personally use the extension NoScript, yes its functionality is avaliable in ublock origin, but I like the interface for NoScript. As the name entails, this disables javascript on websites with a selective whitelist. If you are worried about zerodays and similar attacks, disabling the method at which they exploit will go a long way.
I would like to understand your definition of program in the context of load a program into Firefox, as something as simple as a <script> tag could be defined as a program, and is easy to load into Firefox, as Firefox allows javascript by default. Assuming that you mean an extension, Firefox by default (obviously not if you edit particular about:config settings) will disallow you from installing signed extensions from locations other than addons.mozilla.org. By default, the only way to load an unsigned extension is via about:debugging, and these are temporary.
To reiterate my point, I believe you either have a piece of malware on your system (which has been evading detection, so maybe one that changes its source base every so often or a rootkit), you have a plug-in (like flash) installed that can be exploited, you have third-party dlls injected into Firefox, or you have a non-genuine version of Firefox (or any of these combined).
One thing is absolutely clear, whatever you call the program that was uploaded into Firefox, the virus only locked my Desktop screen when I ran Firefox. When Firefox was not running, the PC was fine. I am assuming the Virus is responsible for disabling Norton 360, MalwareBytes, and for disabling the Windows System Restore feature. When I did a "refresh Firefox", that removed the virus, or whatever you want to call it, from Firefox, and no other changes to my Windows installation after the "refresh Firefox".
In your note, you state that a virus or program inside Firefox could not do what I just described happened on my Computer. I had to re-install Norton 360, and it is still having problems. I had to run a Norton restore program to repair my Windows installation.
The reality of what happened does not agree with your assumption that a program, or whatever you want to call it, could not make modifications to my computer. You are Welcome to believe whatever you like, but I know what I saw and what I experienced. For more details, you'll have to ask the hacker. He appears to have a good understanding of Firefox vulnerabilities.
You would perhaps be the first I have seen to find this so called exploit in Firefox if your claims is indeed true from the threads I have seen here and at older running independent mozillaZine forum. I mean if you could find a way to reproduce it or help with details on the exploit to help getting it fixed, you could even make some extra money.
Mozilla is very into serious security concerns with the desktop Firefox web browser and other products as they have had one of the oldest running security bug bounties on the internet since 2004. https://www.mozilla.org/en-US/security/client-bug-bounty/ https://blog.mozilla.org/security/2020/04/23/bug-bounty-2019-and-future/
I would not put your full trust in Norton antivirus.
Norton antivirus scanners has not been particular great with Mozilla related software as they have had a ton of false positives with new Firefox releases and or internal updates over the last 17-18 years. Norton/Symantec anti-virus (on Windows) for the longest time was singled out in the SeaMonkey release notes due to Norton not bothering to fix false positive concerns that may break SeaMonkey install if you allowed Norton scanner to remove the files it had false positives on. SeaMonkey is the community effort in keeping the old Mozilla suite going. ex in known issues https://www.seamonkey-project.org/releases/seamonkey2.46/
The virustotal site can sometimes mixed results with a long list of antivirus clients on whether a file is infected or such for example also.
Also at start of when you posted this thread (ex at https://support.mozilla.org/en-US/questions/new/desktop/form) there are mentions of "Be nice. Our volunteers are Mozilla users just like you, who take the time out of their day to help." .. "Our Community is here to help ... Kindness is at the heart of our community. Our volunteers are happy to share their time and Firefox knowledge with you." ...
"Helpful Tip icon Helpful Tip! Follow through. Sometimes, our volunteers would ask you for more information or to test out certain scenarios. The sooner you can do this, the sooner they would know how to fix it."
This shows you would much more likely be chatting with other users (like myself) and not Mozilla staff on this community support forum.