I don't imagine this should affect Linux...
Certainly on my (default) FF installation all the .js files of this type are only root writable.
Miscreants have developed a strain of malware that makes sure website passwords are recorded by a victim's browser. Saving website login credentials is a user-controlled option in all browsers, often enabled by default. But the practice is frowned upon by security researchers, who point to the risk that passwords left in …
Note that things like NoScript and NoFlash seem to be written in Javascript. If you turn off Javascript they don't operate at all.
Note also that you have at least 2 user-writeable .js files in ~/.mozilla/firefox/<funny-name>/. One, "prefs.js", is clearly run on startup. What happens if malware figures out how to write that file? You can probably make it non-writeable, but any config changes (such as turning Javascript on or off!) will need to rewrite the file.
It is also my impression that much of the configuration interface of Firefox is written in Javascript. That implies that Firefox will run internal Javascript even if you have disabled Javascript.
> So how is nsLoginManagerPrompter.js modified under Windows - is it
> only people running as admin ? The article doesn't make it clear.
Well, firefox.exe runs as the logged-in user, and by default unprivileged users only have read/exec privs on the Program Files directory tree. So short of finding some sneaky way to subvert a privileged service (Windows equivalent of daemon), it's hard to see how this could work without admin rights.
The more interesting part of the question - which neither El Reg nor Webroot answer - is how FF is tricked into modifying this file even if the user does have write access to it. Presumably it's not an arbitrary file overwrite vuln or the trojan would be doing much worse mischief. I can't find any relevant mention of nsLoginManagerPrompter.js on bugzilla.mozilla.org, so I guess either the Mozilla team are quietly fixing this or the whole thing is bogus.
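An added example, not part of the thread or of Firefox itself: a defender's audit that finds every copy of nsLoginManagerPrompter.js under an install directory, reports whether the auditing account could write or replace it, and flags any change against a recorded hash baseline. The `components` layout and file contents in `demo()` are constructed stand-ins.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

TARGET = "nsLoginManagerPrompter.js"  # file name taken from the thread

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit(install_dir, baseline=None):
    """Report write exposure and hash drift; baseline maps path -> good SHA-256."""
    baseline = baseline or {}
    findings = []
    for path in sorted(Path(install_dir).rglob(TARGET)):
        mode = path.stat().st_mode
        digest = sha256_of(path)
        known = baseline.get(str(path))
        findings.append({
            "path": str(path),
            "sha256": digest,
            # os.access answers for the account running the audit. On Windows
            # it only reflects the read-only attribute, not the ACL.
            "writable_by_me": os.access(path, os.W_OK),
            # A writable parent directory allows the file to be replaced
            # even when the file itself is read-only.
            "dir_writable_by_me": os.access(path.parent, os.W_OK),
            "group_or_other_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
            "modified": known is not None and known != digest,
        })
    return findings

def demo():
    """Constructed install tree: record a baseline, alter the file, re-audit."""
    with tempfile.TemporaryDirectory() as root:
        comp = Path(root) / "components"  # hypothetical layout
        comp.mkdir()
        target = comp / TARGET
        target.write_text("// constructed stand-in for the shipped file\n")
        os.chmod(target, 0o644)
        before = audit(root)
        baseline = {f["path"]: f["sha256"] for f in before}
        target.write_text("// constructed stand-in, altered after install\n")
        after = audit(root, baseline)
        return before, after

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Run it from the everyday (limited) account: `writable_by_me` or `dir_writable_by_me` being true for a file under the install directory is the condition the comment above says should not hold for unprivileged users.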
Certainly. I'm more concerned about virii that rename regedit.exe and the like, and put themselves in its place and simply do their "make sure the computer is still infected" game then continue you on to the exe you were actually looking for....
That a virii tells FF to save your passwords (a noticeable thing, albeit subtle) isn't as concerning (see "transparent" virii type above, coupled with a keylogger).
It's not the Latin plural of 'virus' (because 'virus' in Latin is an uncountable noun and has no plural).
It's not the English plural which is 'viruses'.
It's apparently not even a plural, since you are using it with an indefinite article.
Perhaps it's a subtle hint that I really should not read Reg reader comments before I've had my morning coffee.
How do you actually get 'infected', is there a working demo online where I can get infected by clicking on a URL?
> "Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password," Webroot researcher Andrew Brandt explains. "After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user."
Hint: use two accounts, one limited. Use the admin account only to install stuff and the limited account for everyday use. That usually keeps 90% of nasties out.
And before you whine about applications that require administrative abilities, there's always "run as".
Tux. Because Linux forces safe computing onto you.
that having .85% of Net users operating safely is phenomenal.
And, only "letting in" 10% of "nasties" is just marvelous.
Faux_root to the rescue.
Linux - because .85% of net exposure limits vulnerability.
Except for those distros that refuse to provide Firefox updates in a timely fashion who also have "branded" Firefox, supposing that more important than providing timely updates. Devs too busy working on the important stuff like "shaky" windows and the like.
Love that Slack!
...and it's worth unpacking. One answer is "Redmond Stupid". But that's not, I think, actually it. Look at the corporate offerings - domains are expected to be the norm, and the only accounts which are automatically in the Administrators group are Administrator and Domain Admins. Not all the domain user accounts. Yes, lots of places stick Domain Users or (God help us) "Authenticated Users" into the group, but that's because they're run by lazy idiots. Leave the defaults set by MS, and domain users will only have standard user rights and permissions.
Home machines are really the issue, and there it's historical. XP Home may have evolved from NT4.0 Workstation, but it replaced Win 9x/ME, which did not have this concept of computer administrators and users, evolving ultimately from a single user isolated computer OS model - MS-DOS. Microsoft have, I think, been too scared to force the concept onto the great unwashed. Therefore the installer creates one account by default, and it's an administrator. This gives the user the access he was "used" to under older OSes, without confusing him with the concept of multiple accounts (most home user PCs log in automatically and have no password on the one account anyway).
From what I know of Microsoft, there's probably been a battle on at Redmond ever since 2001, between the engineers wanting Windows to create two accounts, insist on a password for the Administrator account, and recommending the user use the limited user account, and the marketing people insisting this was too complicated and would lose them market share - of course, the latter group is aided and abetted by application developers who actually write stuff that expects write access to HKLM, %programfiles% and %allusersprofile% just to run. Corporate shops can fix these stupid apps; home users usually can't. Nevertheless, these are getting fewer and I find very few people complain now when I set them up securely.