Support Forum

Can Mozilla be hacked, and later distribute Malware in Automatic Updates, as in the recent Petya attack?

Given that this latest Petya malware attack apparently originated in a software company that got hacked, and unknowingly delivered malware in their software updates, how can we be confident that Mozilla's automatic updates are safe? I have since turned off Automatic Updates with Firefox and Thunderbird, but I would like to know what Mozilla is doing to guarantee that this can't happen with them. If I were out to cause chaos using this method, then Mozilla would be the first company I would think of to get deep worldwide infiltration of my malware. Has NSA already penetrated Mozilla, and if so were those exploits released into the wild along with all the others put out by "Shadow Brokers" recently?

Additional System Details

Installed Plug-ins

  • Shockwave Flash 26.0 r0

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0

philipp
  • Top 25 Contributor
  • Moderator
5320 solutions 23498 answers

Helpful Reply

hi jeff, our whole codebase is open source and will be monitored by a lot of people so it is rather unlikely that code could be smuggled in by a malicious third-party without getting noticed. updates that we release are digitally signed and verified before they are applied. updates are also tested and need to be signed off by multiple different people within mozilla, before they are released to the public so an attacker would have to compromise multiple people/systems. since updates for firefox and thunderbird often contain critical security fixes i think you're better off leaving them on...

Question owner

Thanks Philipp, I appreciate your response. It comes close, but does not quite address my main concern. Is it merely a matter of policy that your updates are tested and signed off on before release, or is it physically impossible to send out updates without multiple people approving? The issue is that we tend to trust updates more than new software, but this recent Petya attack has made me realize that this trust can be exploited. If someone hacks Mozilla, can they use your system to deliver their own malware without you being able to prevent it? If so, then the fact that you are open-source and have good systems to ensure reliable updates is kind of beside the point. I suspect the software company that got hacked with Petya probably also had good systems to ensure good software, but the hackers didn't care. Thanks again for your time, Philipp.

Modified by Jeff_Jenness

philipp
  • Top 25 Contributor
  • Moderator
5320 solutions 23498 answers

Helpful Reply

we're mostly volunteers replying here in the forum - if you're interested more in the nitty-gritty parts of the process you might get a better answer reaching out to the release engineering team at mozilla: https://wiki.mozilla.org/ReleaseEngineering

Question owner

Thanks Philipp! I'll do that.

Richard_Palomer 0 solutions 3 answers

The other day Firefox let a "demon" malware click through, which popped up pages telling me to call a phone number "for Microsoft", or else they would erase my Hard Drive. . . . I thought I escaped via Ctrl-Alt-Del and shutting down Firefox, but the next day, Firefox opened without any of my Tabs, and I had to re-download it and re-install it, and I never got all my Tabs back. Is there a record of those Tabs stored "inviolate" somewhere, so I can open them all up again? I snapped a picture/PDF of what the malware said - it was on a click on July 6 or so, about U.S. Bank (how they are supposed to help with foreclosure), or maybe it was from a click on July 4, re Problems at U.S. Bank (it could be on both of those clicks), so how do I attach my PDF of that extortion attempt and/or takeover attempt against my computer?

Richard_Palomer 0 solutions 3 answers

Sorry for the duplication . . . If the PDF-picture still shows, it is about the attack reported by Richard_Palomer above.

Modified by Richard_Palomer