9/21/09

Be Careful With Those Firefox Extensions

People who know me from my consulting and teaching days, who have read my web site from those days or my blog, or who have been in a class I taught, know that I am a pretty cautious guy when it comes to the Internet.

Today, via web mail, I was checking my personal (non-APL) email. I saw one of the messages was from Hallmark Postcards, saying I had a postcard from someone. Now, I already knew that it was spam, just from that information. What I should have done was just check the box next to it and click on "Report Spam." Instead I opened the message. No problem. I saw the URL for the card, so I "hovered" my mouse over it. It was "postcard.exe." Into the spam folder with you, sucker!

A few minutes later I got a call from someone in the IT department here at APL. One of our security devices indicated I tried to download that file. It blocked the download and reported it. Now, the Windows executable would have done nothing on my Mac, and recall I did not click on it to download it. What had happened?

I looked through the add-ons and extensions I had in Firefox. Sure enough, amidst the security-related add-ons, I also had added Interclue, "Your Personal Link Preview Multitool." It promises, "Before you click the link: Hover your mouse pointer over the link, and a Linkclue icon will appear. Rest your mouse on the icon, and up pops an enhanced summary of the linked page."

Hmmm. I don't think it actually tried (or tries) to download anything. I think that our security software saw this in the stream and triggered an alarm. (On the other hand, what does it mean to "preview" an executable?) I'm not sure, and I didn't need Interclue enough to want to keep it. I uninstalled it and restarted Firefox.

Update
I heard from my co-worker in the IT department. He writes:
What our network systems saw is the following exchange between your host and the remote server:
Request from your host:
GET /postcard.exe HTTP/1.1
Host: nn.nn.nn.nn
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Reply to the request:
HTTP/1.1 302 Moved Temporarily
Date: Mon, 21 Sep 2009 14:05:36 GMT
Connection: close
Via: HTTP/1.1 localhost.localdomain (Websense-Content_Gateway/7.1.2 [c s f])
Location: http://nn.nn.nn.nn/cgi-bin/blockpage.cgi?ws-session=3741857785
Content-Length: 0
This, of course, shows your host asking for postcard.exe and our Websense device referring your host to a block page thereby preventing the download. Your Firefox plug-in wants to provide a preview of the web page. To provide a preview, it apparently downloads the web page (or at least part of it). Otherwise, how would it know what the page looks like so it could provide a preview? It looks like a rather dangerous plug-in, one designed for a more friendly Internet.
I agree. Avoid this Firefox extension.
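The exchange above is exactly the kind of request/response pair a network team triages by hand. As an added example (not from the original post, and not code from APL, Websense or Interclue), the following Python script parses a captured request and its reply, flags a fetch of an executable, and recognizes the gateway's redirect to a block page. The sample input is constructed from the exchange quoted above, with the nn.nn.nn.nn placeholders kept; the "blockpage" and "ws-session" markers used to spot the block redirect are taken from the Location header in that reply, and the set of executable extensions is an assumption of this example.

```python
"""Triage a captured HTTP request/response pair for blocked executable fetches.

Added example, not part of the original post. The sample exchange is
constructed from the one quoted in the post; the IP placeholders are kept.
"""
import posixpath
from urllib.parse import urlsplit

# Assumed list of extensions treated as executables for triage purposes.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll"}
# Markers seen in the gateway's block-page URL in the quoted exchange.
BLOCK_PAGE_MARKERS = ("blockpage", "ws-session")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample input, based on the exchange quoted in the post.
SAMPLE_REQUEST = "\n".join([
    "GET /postcard.exe HTTP/1.1",
    "Host: nn.nn.nn.nn",
    "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; "
    "rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-us,en;q=0.5",
    "Accept-Encoding: gzip,deflate",
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
    "Keep-Alive: 300",
    "Connection: keep-alive",
    "Cache-Control: no-cache",
    "Pragma: no-cache",
    "",
])
SAMPLE_RESPONSE = "\n".join([
    "HTTP/1.1 302 Moved Temporarily",
    "Date: Mon, 21 Sep 2009 14:05:36 GMT",
    "Connection: close",
    "Via: HTTP/1.1 localhost.localdomain (Websense-Content_Gateway/7.1.2 [c s f])",
    "Location: http://nn.nn.nn.nn/cgi-bin/blockpage.cgi?ws-session=3741857785",
    "Content-Length: 0",
    "",
])


def parse_http_message(text):
    """Return (start_line, headers) for a request or response head.

    Header names are lower-cased; the body (after the blank line) is ignored.
    """
    lines = [ln.rstrip("\r") for ln in text.strip("\n").splitlines()]
    headers = {}
    for ln in lines[1:]:
        if not ln.strip():
            break  # end of the header block
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze_exchange(request_text, response_text):
    """Classify one request/response pair and return a triage record."""
    req_line, req_headers = parse_http_message(request_text)
    method, target, _version = req_line.split(" ", 2)
    path = urlsplit(target).path
    extension = posixpath.splitext(path)[1].lower()

    resp_line, resp_headers = parse_http_message(response_text)
    status = int(resp_line.split()[1])
    location = resp_headers.get("location", "")
    blocked = status in REDIRECT_STATUSES and any(
        marker in location.lower() for marker in BLOCK_PAGE_MARKERS)

    executable = extension in EXECUTABLE_EXTENSIONS
    if executable and blocked:
        verdict = "blocked executable download attempt"
    elif executable:
        verdict = "executable download not blocked; investigate"
    else:
        verdict = "non-executable fetch"

    return {
        "method": method,
        "host": req_headers.get("host", ""),
        "path": path,
        "executable": executable,
        "status": status,
        "blocked_by_gateway": blocked,
        "gateway": resp_headers.get("via", ""),
        # A missing Referer is only a weak hint that no ordinary link click
        # produced the request: browsers also drop it when leaving an HTTPS page.
        "referer_present": "referer" in req_headers,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE).items():
        print("%-18s %s" % (key + ":", value))
```

Run over the sample pair, the script reports an executable path, a 302 to the gateway's block page, and the Websense Via header, which is the same conclusion the IT department drew; the Referer field is recorded only as a hint, since its absence has innocent explanations.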

2 comments:

sethop said...

FWIW there's rather extensive security against internet threats built into interclue. It never downloads more than a fragment of any given binary - just enough to verify the type of file. And any html gets passed through a whitelisting security filter before it gets rendered into a preview. Scripts and CSS aren't downloaded at all. So in the presence of a threat it's generally much safer to preview a page or file using interclue than it is to actually click the link and let the browser do what it normally does, which is what the threat will have been designed to attack. There are no interclue-specific attacks that we have ever heard of, and the design should make it so hard to build one that nobody is likely to bother. There aren't a lot of firefox specific threats either, but it pays to stay updated just in case.

We'll be adjusting the next version of Interclue to do less automatic fetching, by the way, which should mean this sort of false alarm happens much less often.

--Seth (Interclue Geek in Chief)
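Seth's comment describes a preview tool that fetches only a fragment of a file, identifies its type from that fragment, and renders HTML only after filtering. As an added example (not Interclue's code, and not from the original post or its comments), the Python below shows the core of that design: a Range header that limits the fetch to the first few hundred bytes, a sniffer that classifies the fragment by magic bytes rather than trusting the server's Content-Type, and a decision function that refuses to render anything whose bytes look like an executable even when the server claims it is HTML. The signature list, the 512-byte fragment size and the decision labels are assumptions of this example.

```python
"""Fragment-based type check for a link-preview fetch.

Added example, not Interclue's code. Signatures, fragment size and the
decision labels are assumptions of this example.
"""
import re

# Magic-byte prefixes used to classify the start of a file (assumed list).
MAGIC_SIGNATURES = (
    (b"MZ", "windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-archive"),
    (b"\x1f\x8b", "gzip"),
)
HTML_RE = re.compile(rb"^\s*(<!doctype\s+html|<html|<head|<body)", re.IGNORECASE)
FRAGMENT_SIZE = 512  # assumed size of the preview fetch


def range_header(size=FRAGMENT_SIZE):
    """Request header limiting the preview fetch to the first `size` bytes."""
    return {"Range": "bytes=0-%d" % (size - 1)}


def sniff_fragment(fragment):
    """Classify a leading fragment by its bytes, ignoring the declared type."""
    for magic, label in MAGIC_SIGNATURES:
        if fragment.startswith(magic):
            return label
    if HTML_RE.match(fragment):
        return "html"
    return "unknown"


def preview_decision(content_type, fragment):
    """Decide what a preview tool may do with this link.

    Returns (action, sniffed_type). Only bytes that actually look like HTML
    are eligible for a (filtered) rendered preview; anything else, including
    a "text/html" response whose bytes start with an executable header, gets
    a file-type label and no further fetching.
    """
    sniffed = sniff_fragment(fragment)
    declared = (content_type or "").split(";")[0].strip().lower()
    if sniffed == "html" and declared in ("text/html", "application/xhtml+xml", ""):
        return ("sanitized-html-preview", sniffed)
    return ("file-type-only", sniffed)


if __name__ == "__main__":
    # Constructed fragments: a Windows executable header and a small HTML page.
    for ctype, frag in (("application/octet-stream", b"MZ\x90\x00\x03\x00"),
                        ("text/html", b"MZ\x90\x00\x03\x00"),
                        ("text/html", b"<!DOCTYPE html><html><body>hi")):
        print(ctype, preview_decision(ctype, frag))
```

The second case in the usage block is the one worth noticing: a server labelling an executable as text/html does not get a rendered preview, because the decision is made on the bytes, not the header.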

Fred Avolio said...

Seth:

I appreciate the clarification and description.