Why is Firefox STILL allowing website drive by browser hijacking by LAME "Your broswer has been blocked" exploit-NO other malware-just clicked the wrong link.
This silly ass "window-won't-close-just-keeps-relaunching" exploit is so ancient it has whiskers.
Incredibly embarrassed that this happened to my friend, since I was the one that encouraged him to use Firefox in the first place.
... and NO he didn't install any malicious .EXE -or- Pluggins -or- Extensions, just clicked the wrong link in trying to cancel a pop-up that Firefox should never have allowed in the first place.
I say this because, from reading this Forum for YEARS now, this is generally the point where the totally lame "Well there well always be ways to "human engineer" these kinds of exploits..." excuses start, so let's not even go there.
Instead of resisting this attack, Firefox makes it WORSE, because if you open task manager and kill Firefox, then Firefox sees that as a CRASH, and tries to coverer it's tracks by automatically re-launching the previous session (instead of the PROPER behavior, which would be to load the standard user-prompted selective-restore page).
Frankly, as I mentioned above, this is embarrassingly BAD...
Just try to close a pop-up window (that shouldn't have 'popped up' in the first place) and your lame-o broswer locks up and helps some con-man try to scam you for $500.
PATHETIC. This kind of thing is the reason I dumped MS Explorer long ago.
I have been a strong Firefox supporter since the very beginning, so I'm not trying to raise any hackles here, but finding boneheaded serious security vulnerabilities like this, while Firefox developers are wasting time making the the 'new' Firefox interface more like the piece-of-garbage Windows 8 Explorer interface (which I DESPISE), has caused me to loose faith in Mozilla, so can someone suggest some alternatives other than Firefox and Chrome?
Seriously, I'm not looking to fight about it, run your project any way you want, but some help in picking an alternative browser that I can trust would be greatly appreciated.
All Replies (6)
hello, please update to a current version of firefox - there were multiple fixes in this regard after firefox 20 which you are apparently using.
You did not say what version your Friend is using as you yourself appear to be posting with a outdated Firefox 20.0 version (from April 2013) as there has been fixes related to this since.
If you do not want to upgrade to have stability and critical security fixes since, then perhaps try this extension.
https://addons.mozilla.org/en-US/firefox/addon/disallow-script-button/
Thanks guys for all the helpful suggestions, but we are off track.
My friend has the CURRENT version of the PC Windows version of Firefox, with auto updates enabled, so this embarrassing incident happened with either PC version 36 or version 37.
Again, sorry, but I thought I had included that information and made it clear that my friend was running the current version, but I see that that text got lost when I lost the contents of my edit window because of another classic stupid bug - the one where a stray key stroke or mouse click causes you to navigate away from the 'text edit' field you are typing into, and when you return with the back button - you have LOST EVERYTHING YOU TYPED.
Thanks for reminding me. BTW- this STILL happens with my other PCs - which ARE running the CURRENT version of Firefox, and, along with this security issue, this really sucks too...
But, as I noted above, my friends recent browser hijack incident has NOTHING to do with my 'out of date' version of Firefox (and, for what it's worth, ironically, my 'antique' version 20 Firefox has never had a similar problem - NEVER).
My friend was running the CURRENT VERSION (either 36 or 37, with auto updates turned on).
He just clicked the wrong link, and got an unwanted pop-up stating that his "Browser had been locked" for some 'very serious' (but completely imaginary) offense by some supposedly 'official' government enforcement organization, and demanding that he purchase a money card and use it to transfer $500 dollars immediately.
Realizing that this was a scam, he tried to just close the offending window, but...
When you try to close the window using the exit button, the malware window just re-launches.
When you try to close the window with the left titlebar exit drop down, it just re-launches.
When you try to quit and close Firefox with the main Firefox drop-down menu, AGAIN the malware intercepts the command and just re-launches another window.
When, I arrived on the scene, I retried all of the above, then, when that didn't work, hit Control-Alt-Delete to launch the Windows Taskmanager, and used it to kill Firefox.
Then [GREAT] the Firefox windows DOES finally close, but [OH CRAP!!!] just 'auto-restores' as soon as you re-launch Firefox...
... and Around-and-Around you go.
I finally got out of the restart loop by killing Firefox using Taskmanager and then using a desktop shortcut to FORCE Firefox to launch with another URL, which finally broke out of the stupid 'auto-restore' lock loop and cleared the problem.
Immediately after this, I did both a Windows Defender and add-on Anti-Virus scan, plus a full MalwareBytes scan - NO Malware detected -- which means that Firefox fell victim to SOME KIND OF SILLY-ASS CLASSIC JAVASCRIPT 'EXIT FUNCTION REMAPPING' EXPLOIT.
Can 't remember seeing anything this simple-stupid compromise the security of Firefox since the Version 0.8 days. (Including my 'years out of date' antique Firefox version 20 under Ubuntu 10.04).
Not sure how this malware link bypassed the Javascript security interlocks, but it succeded in not only remapping the 'Close' button on it's own window, but ALSO succeeded in re-mapping the MAIN Firefox drop down menu's 'Quit' function.
This last point is what is REALLY SCARY, by definition, Javascript should 'sandbox' itself within a single context, so if the malware window was able to get control of the MAIN Firefox host window to remap 'Quit' then that means that it quite likely had the Firefox equivalent of 'root access'.
Not sure the malware fully compromised Firefox's security framework, but it sure as hell looks that way. Either way THIS IS REALLY BAD... Think about it this way, if someone found some simple-stupid way to remap the 'close' and 'quit' functions in Firefox, THAT'S BAD (because it raises the question 'Why would Mozilla miss something so simple stupid?' --- and on the other hand, if the bug is not 'simple-stupid' and instead involved a really serious complete compromise of Firefox's security framework (basically giving the malware the 'keys to the kingdom') - THEN THAT'S EVEN WORSE.
Again, thanks to everyone for all the thoughtful answers, but they weren't very reassuring
If anyone had said something like "This was just a silly REGRESSION - introduced in 34, and patched in version 37.0.1", then I might have bought it - but nothing I have read here gives me much confidence that this isn't STILL an issue - because it has NOTHING to do with Firefox being years 'outdated'.
I am indeed running an 'antique version' of BOTH Firefox AND Ubuntu on my netbook, but my friend's Windows PC is fully up to date.
BTW, if anybody cares, the reason I am stuck with Ubuntu 10.04 is because my "User Experience" really, really, REALLY sucked on this Netbook in both Ubuntu 12 and 14 - I HATE Ubuntu's 'Unity' desktop (Dumbed down 'Smart-Devices for Stupid-People' GARBAGE) and, with the alternative Ubuntu Gnome 'classic' desktop, LOTs of things which worked PERFECTLY in 10.04 no longer work.
Given this situation, you would think that Canonical would have extended support on 10.04 for at least the five years they NOW offer on their CRAPPY 'Unity interface' but noooooo. Sure for the 'server' 10.04 version they are STILL supporting HUNDREDS of crappy nerp, glerp, gawk, GARBAGE command line tools - but Firefox??? No way!!! It's not like folks that are maintaining those 'ancient' 10.04 servers might want to continue to use tried and true 10.04 desktop tools to maintain them (like the Firefox Web Browser for example).
What's this have to do with Mozilla? - because Canonical's lack of updates should be no problem, right? - Hey just click that little 'auto updates' button under 'advanced options' on your Windows PC's right? -- Oh, sorry Linux users, despite the Linux roots of many of Mozilla's developers, and the many critical Linux spawned tools they use daily to create Firefox, Mozilla apparently feels Linux users are SECOND CLASS CITIZENS WHO ARE JUST NOT WORTH SUPPORTING WITH DIRECT UPDATES LIKE THEY PROVIDE FOR PC USERS.
Number of users still using 10.04 because of hardware compatibility issues -> Thousands
Support they get from Canonical and Mozilla -> ZERO
... and I'm not talking about some guy who runs a geeky, totally insecure 'non-official repository' I'm talking about a simple check-box that I can click, and continue to get updates directly from Mozilla.
... but no such luck, and THAT really sucks too.
Again, thanks for reminding me.
Modified by richsopn
TLDR - any chance that your friend who had that problem can post here?
Maybe we'll get his story and be able to help him without all the surrounding attitude and opinions about how Firefox is so wrong.
richsopn said
What's this have to do with Mozilla? - because Canonical's lack of updates should be no problem, right? - Hey just click that little 'auto updates' button under 'advanced options' on your Windows PC's right? -- Oh, sorry Linux users, despite the Linux roots of many of Mozilla's developers, and the many critical Linux spawned tools they use daily to create Firefox, Mozilla apparently feels Linux users are SECOND CLASS CITIZENS WHO ARE JUST NOT WORTH SUPPORTING WITH DIRECT UPDATES LIKE THEY PROVIDE FOR PC USERS. Support they get from Canonical and Mozilla -> ZERO ... and I'm not talking about some guy who runs a geeky, totally insecure 'non-official repository' I'm talking about a simple check-box that I can click, and continue to get updates directly from Mozilla.
The build you have is a third-party build and not one provided by Mozilla and Mozilla does not provide updates for third-party builds they did not well build.
Mozilla does support Linux and still strongly do as they have both 32-bit and 64-bit builds including for Release. www.mozilla.org/firefox/all
They get Firefox updates just like on Windows as long as the Firefox has red/write permissions as a easy way around for the user is to have it in /home
Since you are using a five year old version of Ubuntu you need to meet minimum package requirements at least. https://www.mozilla.org/en-US/firefox/37.0.1/system-requirements/
Heck Mozilla supports Linux and Mac OSX better when it comes to 64-bit Firefox as there were 64-bit Releases for Linux and Mac ever since Firefox 4.0 while for Windows the first Win64 Release may be finally at Firefox 38.0
If you prefer say Gnome 2 and want to stay away from say Gnome 3 and Unity in newer Linux distros then look into say Xfce as it is both light and can look very much like Gnome 2 and can use gtk2 themes.
Thanks James, I really appreciate your detailed responsive answer, but after checking out the links and info you provide, I am not sure I would characterize Mozilla's support for Linux as 'strong'.
I say this not to be disagreeable, but because, for example, when I checked out the generic Linux 'installer' on the page you pointed me to, I found it's actually NOT an installer at all, just a zipped folder.
First off - NO distro ANYWHERE recommends bypassing the package manager and installing applications 'ala-cart' like this.
Second - the page with the bzipped Firefox folder 'install package' doesn't even have a link to a 'Linux install Instructions' page telling you where to put the folder, and how to import your previous profile from an earlier install if needed (this is critical if I want to update, as I don't want to loose my bookmarks etc.)
I'm sorry James, again, I am not trying to be a pain, but this isn't 'strong' it's pretty bad.
For example, though Virtual Box is a more specialized program, targeted at a narrower, more technically sophisticated group of users, but none the less - they supply GREAT Linux installation support, with SPECIFIC dedicated Deb and Rpm type installs for a half dozen SPECIFIC Linux Distro's, including some which only are use by a relatively small percentage of Linux users.
By way of comparison, Firefox is targeted at a more general, broader group of casual desktop users, who presumably need the installation to be as SIMPLE as possible, but Mozilla doesn't even support a simple Debian/Ubuntu style Deb installer for Ubuntu is the MOST popular distribution, much less a RPM installer.
... but thanks for the advise about just running Firefox from a folder somewhere under my 'home' folder.
Presumably you meant under /home/myusername/Mozilla or something like that, and not that I should create a special Firefox folder under /home/Mozilla or something like that (this is why it's frustrating that I couldn't find a 'Linux Install Howto' link.)
I manually checked all the dependencies listed under system requirements and it looks like I should still be ok with Firefox 37 on Ubuntu 10.04 Lucid using the standard Gnome 2 desktop.
Though I was able to verify ALL the software dependancies with simple dpkg -l | grep -i "LibraryName" type commands, it took more than 30 minutes to check everything.
If Mozilla had, simply confirmed that Firefox 37 still works with the Ubuntu 10.04 Lucid release, instead of just listing a bunch of mumbo-jumbo library dependencies, then it would have saved me a lot of time.
Better still, if they had simply provided a proper DEB format installer file, then GDebi or the Synaptic Package Manager on my Ubuntu desktop would have told me if the dependencies were met INSTANTLY.
Of course, under Linux, the officially CORRECT way for Mozilla to provide 'direct-update' support, for Firefox users who would prefer to update Firefox directly from Mozilla than their native repositories, would be for Mozilla to set up a few official direct Mozilla repositories of their own to support at least a few of the major distributions.
It's not all that big a deal - just support a Debian/Ubuntu/Mint style DEB package, plus Redhat/Fedora RPM package, plus Arch Linux Pacman style packages and you would have virtually all of the Linux Community covered.
James mentioned the XFCE desktop, and I have been considering doing a full custom Debian install and configuring my own XFCE based Linux desktop, and the ability to install Firefox directly from Mozilla's repository would be a big help, since that would at least eliminate concerns about timely secure browser updates.
In any case, thanks again James, you provided some good useful information, and make a good case that Firefox support for Linux isn't quite as horrible as I thought, but I still wouldn't call it 'strong' - not until Mozilla at least provides proper installation packages for the most common DEB and RPM type installs.
The top two distributions right now are Ubuntu and Mint, which would be pretty much identical so far as Firefox package management goes, so this isn't really asking for all that much.
Without proper installer packages, your Linux system's built in package manager can't properly manage dependencies, and so could conceivably REMOVE a critical library needed by Firefox.