Search Support

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

Possible security flaw in Firefox 47.0.1 regarding orange "urgent update" screen ?

  • 10 uphendule
  • 6 zinale nkinga
  • 370 views
  • Igcine ukuphendulwa ngu marie15

more options

Many people seem to be reporting recently that they are getting an orange fake "Urgent Firefox Update" screen popping up and then a download box for firefox patch.exe or such. It is my impression that this may be a security flaw.

It tends to happen when I have several windows open with Facebook and newssites, and it happens very quickly so I can't be 100% sure what happens, but it is my impression that a new tab is created with the orange screen. It seems this happens without my clicking on anything, I may be just sitting there reading and suddenly this happens. I wonder if it is an exploit emanating from ads on these newssites that takes control of Firefox and gets it to make the new tab. If so this is very disturbing because I have my Firefox on quite secure settings, my Java is Never Activate, most of my plug-ins including Flash are Ask to Activate and I rarely do need to activate it. In addition, I am careful which websites I go to. I have Firefox up to date and on automatic update. Every time I start my computer I make sure Kaspersky has updated before I start browsing.

The exploit has happened 3 times in the past week including both yesterday and today. The first time, even though I did not click on the install dialog, Kaspersky detected a Dangerous Object being downloaded and quarantined it instantly. I then had Kaspersky delete it. It had downloaded to the AppData Local Temp folder. The second and third time, nothing happened immediately so I had time to look. I closed Firefox and it seemed that prevented those instances from downloading, as Kaspersky did not detect anything either instantly or after Full Scan.

I am wondering if this is a security flaw in Firefox and if I need to switch to Chrome. Any help would be appreciated In the meantime as I much prefer Firefox. I will limit my browsing to the most essential, avoid clicking on any links in Facebook and try to avoid newssites.

Isisombululo esikhethiwe

James said

It seems to be Ad based and only targeting useragents of Firefox on Windows as no Firefox users on Mac OSX or Linux have reported any of the fake urgent Firefox update/patch sites here or at mozillaZine. No point targeting Mac OSX or Linux Firefox UA's since those OS's does not use .exe anyways. If you have an Extension like uBlock. Adblock or NoScript then you may not encounter the ads. https://support.mozilla.org/en-US/forums/contributors/712056

Hi James, Thank you very much for your quick reply. I found a friend with similar setup (Firefox, Windows 10, Kaspersky) is using Adblock and has not had the attacks, so I will definitely install that. Do you think on top of Adblock Plus, NoScript would give additional protection to different types of exploits ? I understand it stops javascript exploits, which this might be, but since my friend has done well just with Adblock, I'm wondering if that covers the same ground and would just slow down Firefox. Thanks again !

Funda le mpendulo ngokuhambisana nalesi sihloko 👍 0

All Replies (10)

more options

If you get a pop-up message asking to update Firefox or plugins or scanning for malware then such a message is likely a scam and you should never respond to such an alert to avoid getting infected with malware.

  • Only update Firefox via "Help > About" or by downloading and installing Firefox from the Mozilla server and never via a pop-up or link on a web page.
  • plugins should only be updated via the plugin itself or by visiting the home page of the plugin.

You can find the full version of the current Firefox release (47.0.1) in all languages and all operating systems here:

See also:

more options

marie15 said

Many people seem to be reporting recently that they are getting an orange fake "Urgent Firefox Update" screen popping up and then a download box for firefox patch.exe or such. It is my impression that this may be a security flaw. I wonder if it is an exploit emanating from ads on these newssites that takes control of Firefox and gets it to make the new tab. I am wondering if this is a security flaw in Firefox and if I need to switch to Chrome.

It seems to be Ad based and only targeting useragents of Firefox on Windows as no Firefox users on Mac OSX or Linux have reported any of the fake urgent Firefox update/patch sites here or at mozillaZine. No point targeting Mac OSX or Linux Firefox UA's since those OS's does not use .exe anyways.

If you have an Extension like uBlock. Adblock or NoScript then you may not encounter the ads.

https://support.mozilla.org/en-US/forums/contributors/712056

Okulungisiwe ngu James

more options

Thanks for reporting this, but this is something Firefox itself can not really do much about.

If you actually see this again you could let us know the URL being used. for the .exe and the url of the newsite or whatever that it originated from

These are probably being taken down pretty quickly now. You can directly report the URL to virustotal.com yourself, that helps keep all the AV companies aware of the sites and threats.

more options

Isisombululo Esikhethiwe

James said

It seems to be Ad based and only targeting useragents of Firefox on Windows as no Firefox users on Mac OSX or Linux have reported any of the fake urgent Firefox update/patch sites here or at mozillaZine. No point targeting Mac OSX or Linux Firefox UA's since those OS's does not use .exe anyways. If you have an Extension like uBlock. Adblock or NoScript then you may not encounter the ads. https://support.mozilla.org/en-US/forums/contributors/712056

Hi James, Thank you very much for your quick reply. I found a friend with similar setup (Firefox, Windows 10, Kaspersky) is using Adblock and has not had the attacks, so I will definitely install that. Do you think on top of Adblock Plus, NoScript would give additional protection to different types of exploits ? I understand it stops javascript exploits, which this might be, but since my friend has done well just with Adblock, I'm wondering if that covers the same ground and would just slow down Firefox. Thanks again !

more options

Hi cor-el and john99, Thank you for your quick reply and explaining the issues. The link to the contributors discussion is very helpful indeed and shows this is a widespread exploit in ads on respected newssites like TV sites. It is also helpful to know this is nothing to do with Firefox. I will install adblock and maybe NoScript Security Suite. Thanks again,

more options

Where can I post possible causes, slash, how can I contribute to a possible resolution? The 'list' of web sites and the effects of having the phony patch loaded are not an issue to me.

I too open multiple tabs (right click) and had a legit tab replaced by the orange screen. Page back went to the legit page and my limited understanding of 'view source' revealed not too much. So I too think it is 'ad related' since those ads rotate/change each time U visit.

Have noticed one legit page had RSS Feed (page info.) Noticed my options had an extension of 'pocket' but the symbol was never on my screen. Did have an outdated version of Flash Video Downloader. Do have Comodo IceDragon on my Windows 7 machine.

On both I have Flash 'ask to activate.' Some ads use HTML5 (which I can not stop)

An aside. One poster mentioned Cincinnatibell.net and while it ran fine for me, how odd they have 4 'ad-choices' ads (and a contact-us page giving 404.) Now how can an ad louse up something? I have a theory

more options

cliff,

This fake update issue is being worked on by professionals coming it from various angles. Users can help by reporting the URL of where they are offered a fake update, Help > Report deceptive website ... to get that URL added to the SafeBrowsing blocklist. https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work https://en.wikipedia.org/wiki/Google_Safe_Browsing

more options

Tnx for quick response but WADR (?), reporting the URL's is not the answer. If "professionals" were working on the problem it would have been solved by now, especially because the problem has existed for a month. Kindly direct me to where I can contribute and/or view their research (of the cause, not the symtoms.)

more options

clifontheroad We have been recording some of these URLs but the are not proving very helpful, other than to show that the URLs change rapidly. They can be reported but that only give a temporary fix as a new site is probably up before they are blocked.

The files themselves may be reported. People have done that, but again these files may change, we have some evidence of that. It will be useful if you stumble across the file to report it to virustotal.com that will scan the file and say whether or not it is a new version.

There are suggestions that sometimes there is a time delay that triggers this, so it may not be easy to spot where it is coming from. It seems the experts are mainly interested in the actual ad it comes from as that is something we could then try to tackle.

It seems from a PM you sent that you may have captured some of the code used for the ads please feel free to post in the contributors thread. /forums/contributors/712056 If you have actually captured details of ads it may then be applicable to post into the open bug.

more options

cliffontheroad said

Where can I post possible causes, slash, how can I contribute to a possible resolution? The 'list' of web sites and the effects of having the phony patch loaded are not an issue to me. I too open multiple tabs (right click) and had a legit tab replaced by the orange screen. Page back went to the legit page and my limited understanding of 'view source' revealed not too much. So I too think it is 'ad related' since those ads rotate/change each time U visit.

Hi Cliff on the Road, Just FYI - on my Windows 10 PC, since I installed AdBlock Plus, I have not had the problem, whereas prior to that I had it 3 times in a week or so. My friend who has AdBlock Plus all along never had the problem. Thanks for mentioning the HTML5 videos. I am still thinking about installing NoScript as well since one always has to look ahead to future exploits rather than just fix the current one.