
Vector to malware that leads people to download wrong firefox

  • 17 replies
  • 4 have this problem
  • 10 views
  • Last reply by Samsung phone

more options

I have been battling the malware that redirects webpages. From what I've read, it is caused by leading one to download a fake Firefox and installing it. The following is the vector I think led me to do this. It is a .pdf file. The first page is blank. You page to the second page and there is the button to download a manual (this is the one I was looking for). But that button takes you to a fake page telling you to upgrade Firefox. There is now a redirect that warns you not to do this ... but allows you to travel at your own risk. If anyone is going after the culprits, this link will lead you to one of them.

The link: https://malggegerni.files.wordpress.com/2015/10/topcon-gts-300-interface-manual.pdf

In case anyone is interested. I went to the Mozilla site and downloaded and installed Firefox 50.1.0 hoping to fix the problem. So far I don't think it has.


All Replies (17)

more options

For almost a year, an epidemic of Fake Update Notices have been popping up all over the place. https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update

more options

Hmm, I kept JavaScript disabled and on different tries I got either a "Media Player" or "new Flash Player" download page. Those are different (much older) malware from the one Fred is describing.

(I don't plan to enable JavaScript to experiment with it further!)

more options

FredMcD said

For almost a year, an epidemic of Fake Update Notices

6-7 months is not almost a year and there has mainly been only this one thing that that article is for in the past year.

more options

"Read / Download" for that Topcon Gts 300 Interface Manual was in the middle of the first page, with pages 2 thru 4 empty of any visible content.

Redirect for me was to this [I broke the link to make it non-clickable]

http:// 6u4zz.alldownloads.veneerers.xyz/?sov=42377564&hid=cecgecickgmogkgk&&redid=23071&gsid=453&campaign_id=12&id=XNSX.qrggcesxeh-r23071-t453&impid=54710524-d599-11e6-8b49-fa245441bcee

See the screenshot and the JavaScript that is trying to load from that hyperlink.

Plus - 3 tries and Media Player download "suggestion" came up each time.


Sorry, doesn't seem like a particular fault with Firefox.

A wise user would have had at least two reasons to not click anything; 1. being that PDF file looks 'hinky', just a hyperlink to "see.mydocsworld.com/now.php?..." - which leads to an Apache 2 Test Page which shows that the server at that domain hadn't been set up yet but is operational. 2. being that Firefox doesn't supply updates in that manner, the user should just ignore any message like that they see - by default Firefox automatically updates all by itself. Unless the user disabled automatic updates on purpose ...

And Firefox 50.1.0 was released on 12-13-2016 -> 3 1/2 weeks ago, so my guess is that you may have disabled automatic updates if in fact you didn't already have the latest version -- or that PC wasn't used since mid-December and the update couldn't be installed, in which case Firefox would have wanted to do the update the first time Firefox was opened this year.

more options

I totally concur ... after the fact. When I get nailed like this, I'm usually tightly focused on what I'm doing ... which is not being vigilant for attacks I haven't experienced before. Once burned, I adapt. But there are continuously new ways to be burned. A non-burned user doesn't "know" Firefox behavior for updating ... which is different from many other apps.

BTW: I did follow the instructions for getting a proper Firefox update. Maybe I missed something but the instruction I followed told me to Help/About Firefox/ and update from there. When I do that it reports 50.1.0 Firefox is up to date. But I'm still experiencing redirects.

I'll keep looking for cures ... but this isn't always a trivial task.

more options

withglee said

BTW: I did follow the instructions for getting a proper Firefox update. Maybe I missed something but the instruction I followed told me to Help/About Firefox/ and update from there. When I do that it reports 50.1.0 Firefox is up to date. But I'm still experiencing redirects.

Unscrupulous malware pushers really don't care if your Firefox and plugins are up-to-date or not. They will say and do anything to convince you to infect your system. Depending on the nature of the redirects, there might be a software or service solution, but in most cases, being extremely skeptical is the best protection.

more options

withglee said

.... A non-burned user doesn't "know" Firefox behavior for updating ... which is different from many other apps.

How is Firefox that different from other applications?

Firefox updates automatically and the only indication the user should see is a notice to restart Firefox to "install" the update. Unless the user has disabled automatic updates; in which case they are creating their own problems.

There is no ultimate "cure", other than being vigilant and being suspicious of anything that seems out of the ordinary. And when an update "suggestion" for anything is put in front of you unrequested, check the website for the developer of the application the update pertains to, to verify the integrity of that update "suggestion".

more options

jscher2000 said

withglee said
BTW: I did follow the instructions for getting a proper Firefox update. Maybe I missed something but the instruction I followed told me to Help/About Firefox/ and update from there. When I do that it reports 50.1.0 Firefox is up to date. But I'm still experiencing redirects.

Unscrupulous malware pushers really don't care if your Firefox and plugins are up-to-date or not. They will say and do anything to convince you to infect your system. Depending on the nature of the redirects, there might be a software or service solution, but in most cases, being extremely skeptical is the best protection.

Fine. That horse has left the barn. When you have a hijacked copy of Firefox, and the process to get a clean copy is to go to Help/About and select update, but when you do that it reports that you are "up to date" and doesn't give you a link to update anyway, well, what's a guy to do?

I'm presuming my issue is with the Firefox.exe and not with plugins as the focus of this is on updating with a bogus copy of Firefox.exe.

more options

Why do you think your Firefox is "hijacked" or "bogus"? Have you scanned your system for malware? Troubleshoot Firefox issues caused by malware

more options

the-edmeister said

withglee said
.... A non-burned user doesn't "know" Firefox behavior for updating ... which is different from many other apps.
How is Firefox that different from other applications?

Firefox is doing things under the covers. Many other applications do not. The more they dumb down these processes, the dumber I get. I've been doing this since 1963. I'm not a babe in the woods.

Firefox updates automatically and the only indication the user should see is a notice to restart Firefox to "install" the update. Unless the user has disabled automatic updates; in which case they are creating their own problems.

I "now" know that is the case. But I didn't when I got snagged. People writing applications don't go to jail for doing things differently than Firefox. So when you have many behaviors out there, and your focus is on what you're doing ... not forensics ... you're going to get snagged. My automatic updates are enabled. That's not the same as "precluding" me from responding to instructions to manually update ... even if they did come from Firefox (which you say they never will).

There is no ultimate "cure", other than being vigilant and being suspicious of anything that seems out of the ordinary.

That's a stupid sweeping statement. The more the problem gets treated, the less vigilant one must necessarily be. When I had to take control myself and "nothing" was done under the covers, I was very vigilant.

And when an update "suggestion" for anything is put in front of you unrequested, check the website for the developer of the application the update pertains to, to verify the integrity of that update "suggestion".

Experienced software developers know to write defensively and "never blame the user". Your mileage may vary. But I programmed my first computer in 1963; I've created my own computer language; I've written code that runs all over the world; early on I learned writing perfect codes is impossible so I wrote quickly maintainable (correctable) code. It worked. It was a simpler time. Now it's a time of guano piled higher and deeper.

more options

jscher2000 said

Why do you think your Firefox is "hijacked" or "bogus"? Have you scanned your system for malware? Troubleshoot Firefox issues caused by malware

Because I remember being directed to manually update Firefox (which I am now being told Mozilla will never ask me to do). I did that update and have had this redirect problem ever since. I have been on the first step of a recommended multi-step mediation process for some days now ... it takes many hours for each pass. The scanner is RogueKiller. One thing it does well is find every malware defense I have ever used (e.g. AVG) and asks me for permission to remove it.

If you'll go back, you will see that I opened this conversation to convey information (the attack vector I think got me), in case someone here is interested in looking into such things ... I think in my groping I read where such information was invited.

more options

Hi withglee, I'm not familiar with RogueKiller, but you've probably noticed that different scanners have different lists and algorithms, so it's often useful to run several different ones when trying to knock down an active infection.

I don't think I can catalog all of the ways that Firefox or other browsers could be "infected" -- meaning, someone has overridden normal functioning. Let's set aside external modifications to your network connection and focus on the ones we can advise you on:

(1) Bad Extension. The most common vector. Presumably you culled out anything unknown or untrusted early in the process, but it's worth a recheck if problems return. (Troubleshoot extensions, themes and hardware acceleration issues to solve common Firefox problems)

(2) Injection into Firefox's process in memory. Keeping Firefox and all binary plugins up-to-date should minimize the risk, but there are always zero days. Beyond updating, your regular malware protection regime will carry most of the weight here. If you visit high risk sites, you can add a sandbox or VM to more strongly isolate your browser, at the cost of reduced performance and convenience.

(3) Program folder infection (autoconfig file). These are uncommon but since they survive a Refresh and a regular reinstall, and the workaround is easy, it's often worth ruling out:

Clean Reinstall

We use this name, but it's not about removing your settings, it's about making sure the program files are clean (no inconsistent or alien code files). As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.

It only takes a few minutes.

(A) Download a fresh installer for Firefox 50.1.0 from https://www.mozilla.org/firefox/all/ to a convenient location. (Scroll down to your preferred language.) Choose the "Windows" version (32-bit) rather than the 64-bit version for maximum plugin compatibility (and of course for 32-bit Windows systems).

(B) Exit out of Firefox (if applicable).

(C) Using Windows Explorer/My Computer, rename the program folder as follows:

64-bit Windows users with 32-bit Firefox: Rename

C:\Program Files (x86)\Mozilla Firefox

to

C:\Program Files (x86)\OldFirefox

Other Windows configurations: Rename

C:\Program Files\Mozilla Firefox

to

C:\Program Files\OldFirefox

(D) Run the installer you downloaded in step (A). It should automatically connect to your existing settings.

Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:

  • \OldFirefox\Plugins
  • \OldFirefox\browser\plugins

Any improvement?
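
A read-only check for the program-folder (autoconfig) case in item (3), added here as an example and not part of the original post or of Mozilla's tooling: it lists loose preference files under defaults\pref, any general.config.* prefs they set, and any .cfg file in the folder root. It assumes a stock Windows install keeps only channel-prefs.js in defaults\pref; `build_sample_folder` and the file names local-settings.js and example.cfg are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a stock Windows install keeps only this loose file in defaults\pref.
STOCK_PREF_FILES = {"channel-prefs.js"}
# AutoConfig is switched on by general.config.* prefs set from a defaults\pref file.
AUTOCONFIG_PREF = re.compile(r'pref\(\s*"(general\.config\.[\w.]+)"\s*,\s*([^)]*)\)')


def scan_program_folder(folder):
    """Return (kind, relative_path, detail) findings for one program folder."""
    root = Path(folder)
    findings, referenced = [], set()
    for js in sorted((root / "defaults" / "pref").glob("*.js")):
        rel = js.relative_to(root).as_posix()
        if js.name.lower() not in STOCK_PREF_FILES:
            findings.append(("extra-pref-file", rel, ""))
        for line in js.read_text(encoding="utf-8", errors="replace").splitlines():
            if line.lstrip().startswith("//"):
                continue  # commented-out prefs have no effect
            for name, value in AUTOCONFIG_PREF.findall(line):
                findings.append(("autoconfig-pref", rel, f"{name}={value.strip()}"))
                if name == "general.config.filename":
                    referenced.add(value.strip().strip("\"'").lower())
    # The file named by general.config.filename is loaded from the folder root.
    for cfg in sorted(root.glob("*.cfg")):
        kind = "referenced-cfg" if cfg.name.lower() in referenced else "loose-cfg"
        findings.append((kind, cfg.name, ""))
    for name in sorted(referenced):
        if not (root / name).is_file():
            findings.append(("missing-cfg", name, ""))
    return findings


def build_sample_folder(root, tampered):
    """Constructed sample layout, not a real install; used for the demo run."""
    pref = Path(root) / "defaults" / "pref"
    pref.mkdir(parents=True)
    (pref / "channel-prefs.js").write_text('pref("app.update.channel", "release");\n')
    if tampered:
        (pref / "local-settings.js").write_text(
            '// added by installer\n'
            'pref("general.config.filename", "example.cfg");\n'
            'pref("general.config.obscure_value", 0);\n')
        (Path(root) / "example.cfg").write_text("// constructed placeholder\n")
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        folder = build_sample_folder(Path(tmp) / "Mozilla Firefox", tampered=True)
        for finding in scan_program_folder(folder):
            print(finding)
```

Pointing `scan_program_folder` at the renamed OldFirefox folder from step (C) shows whether that copy carried such files; an empty list means none were found under these assumptions.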

more options

On the broader question of "Can't Firefox do more about this" I assume people at Mozilla are thinking about this problem quite often.

Firefox uses Google's SafeBrowsing database of sites with a reputation for distributing malware as a way to block phishing/malware pages and mark downloads as likely to be dangerous. The problem is that new sites can be registered more quickly than this data can be updated, so this is seeing diminished effectiveness.

After download, Firefox currently depends on the operating system and the user's security software to weed out bad files from sites that pass the initial screen. That works for many users with frequently updated antivirus software, but not everyone has that, and there will always be undetected problems.

Generic warnings are easily dismissed/ignored, and then you have users post here every week telling us they're not babies and stop trying to protect them.

It's a hard problem to solve.

more options
jscher2000 said

(A) Download a fresh installer for Firefox 50.1.0 from https://www.mozilla.org/firefox/all/ to a convenient location.

Before the download (64b) and invoking it, I quickly made a copy of the Mozilla Firefox folder rather than rename it out of the way. I did this because I thought it was safer for my settings than if Firefox install started creating a brand new instance (with all the registry and other ancillary data brand new).

Well, I have confirmed Firefox cannot fix itself. I believe after I asked it to restore previous session, in that process Firefox opened a tab to the following link (hopefully I've crippled the link for this discussion with the xxx> ... <xxxx):

xxx>http://<xxx www.terraclicks.com/watch?key=15e7e9cd7763190d4137b576ec04c21b&psid=587315.11754.US.25.12.1

Anyway, this thing redirected two more times ultimately asking me to install a more up to date version of Adobe. I quickly bailed out of the tab ... but who knows what was left behind.

So, next I'll try your instructions more explicitly ... but I sure don't view this as acceptable update behavior.

/Todd

more options

withglee said

Because I remember being directed to manually update Firefox (which I am now being told Mozilla will never ask me to do).

The way desktop Firefox on Windows, Mac OSX, Linux does internal updates (with a .mar file) has not really changed much since Firefox 1.5 days back in 2003 and has always been safe since with no proven case of getting a bogus update or malware this way. The official builds of Firefox downloads from mozilla.org or www.mozilla.org/firefox/all/ have always been clean. Though some antivirus clients still occasionally have false positives with the small online stub installer even though it has been in use since Fx 18.0 but not with the full offline setup for Windows.

The fact that they target only some Windows users and not Firefox users on Mac OSX and Linux also shows they are not targeting all Firefox users.


Since these scammers also target Chrome users on Windows I have been hoping that Google would use their resources to help take this whole thing down. An old, still active thread on the fake urgent Chrome update page, though you may need to refresh once or twice to see the current replies: https://productforums.google.com/forum/#!topic/chrome/HcXgFFaO9WU

Modified by James on

more options

withglee said

I believe after I asked it to restore previous session, in that process Firefox opened a tab to the following link (hopefully I've crippled the link for this discussion...

Hi Todd, if there are bad tabs in your session history, instead of using History > Restore Previous Session, try typing or pasting about:sessionrestore into the address bar and pressing Enter to load a page that lets you choose specific tabs to allow and disallow. Normally that page is only displayed after a bad crash and problems resuming automatically, but you might be able to use it in your scenario.

more options

jscher2000 said

withglee said
I believe after I asked it to restore previous session, in that process Firefox opened a tab to the following link (hopefully I've crippled the link for this discussion...

Hi Todd, if there are bad tabs in your session history, instead of using History > Restore Previous Session, try typing or pasting about:sessionrestore into the address bar and pressing Enter to load a page that lets you choose specific tabs to allow and disallow. Normally that page is only displayed after a bad crash and problems resuming automatically, but you might be able to use it in your scenario.

I'm familiar with the process. I'm given the option to selectively restore tabs when I come back from the "well this is embarrassing" recovery. Seems kind of silly that "restore previous session" doesn't do that too. It's just one more click. Regardless, I can guarantee you, there were no bad tabs being restored.