Epidemic Of Firefox Spyware Infecting Computers Worldwide!

March 8, 2008 – 3:57 PM

Quick! Run for the hills! Firefox spyware is running rampant and infecting every computer in sight!


Sometimes I just want to bang my head on the desk and keep doing it until the desk surrenders unconditionally. If you were to believe several online news sites, there is an epidemic of spyware infecting Internet Explorer by way of Firefox. If you were also to believe that these accounts were written by competent journalists who have checked their facts, you would be wrong on both counts.

The situation on which these people are “reporting” (to use the term loosely) involves a malware installer that uses Sun’s Java runtime environment. Let me explain what Java is.

Java is similar to Microsoft’s .NET environment. It is a programming language which requires the user to have the “runtime environment” files installed on the computer. It also is similar to the Visual Basic runtime environment. You have to have Windows Scripting Host installed for Visual Basic files to run. For .NET or Java programs to operate, you have to have the proper files for those programming environments installed.

All current graphical web browsers include support for a Java “plug-in”. What that does is allow small Java programs, or applets, to be run inside of a web browser window. You can do some pretty cool things with Java applets. These applets are being run by the Java environment installed on the computer, not by the browser.

Normally, a Java applet runs in a “sandbox”, a protected area of computer memory that cannot interact with the rest of the system. Unlike ActiveX, a Java applet can’t install software without explicit permission because of this sandboxing. If a Java applet tries to access the system outside of its sandbox, a security alert will pop up, warning the user and asking whether the user wishes to allow the action.

The Java applet causing the current ruckus installs a number of spyware and adware programs. However, before it can do that, a security prompt pops up. The pop-up is labeled “Warning – Security”. It warns that the “Publisher authenticity can not be verified”, that “the security certificate was issued by a company that is not trusted” and that “the security certificate has expired or is not yet valid”. Under no circumstance does this rogue Java applet install software without the user giving it permission to do that. And to be honest, you’d have to be pretty dense to click “Yes” to such a prompt arriving out of nowhere.

What is truly sad here is that the news sites I mentioned earlier are portraying this as spyware targeting and infecting the Firefox web browser. These news sites are doing a grave disservice to their readers by misleading them. This is not a problem with Firefox or with any other web browser.

It is Java running this installer. In fact, Java is doing exactly what it was designed to do by popping up the security warning when the installer attempts to bypass the protected sandbox. This is the very reason the sandbox exists, to stop malicious software exactly like this. This is an extra layer of security beyond what you’d see with ActiveX. With ActiveX, you either let it run or not. With Java, you either let it run or not and it also warns you when the Java applet is trying to do something suspicious after it has started to run. Yes, this sandboxing can be bypassed if a flaw exists and is discovered. Be sure you keep your installation of Java up to date because Sun fixes these flaws when they are discovered.

Whether or not this is a problem with Java is debatable. Personally, I don’t see this installer as a problem. It can’t do anything unless the user ignores a very stern security warning. Still, people can debate this all they want.

My frustration with this is that people are calling it a problem with Firefox. That is patently untrue. Every single browser is going to pop up a similar warning when it encounters this particular Java applet. If this had been labeled a problem with all web browsers, it still would be untrue, but at least it would not slander a particular browser. The people publishing this libelous nonsense should be ashamed of themselves and should print a prominent correction.

