Firefox Auto Download Security Flaw
So, picture this: Someone on your Windows Live Messenger contact list gets a virus. That virus then goes on to hijack their Windows Live Messenger account and sends everyone on the contact list a link to the same virus, thus spreading it around. So, you accidentally click on the link (I was distracted), and open pops Firefox asking whether you would like to save the file or cancel. Obviously realising what had happened, I clicked cancel, sure I’d dismissed it and it hadn’t so much as touched my hard drive. But, sure enough, a few seconds later Windows Live OneCare popped up and told me that it had quarantined a trojan - the same trojan I had just told Firefox to ignore.

WTF? So does Firefox download stuff for you now? So it turns out it does. When I looked in the OneCare quarantine it displayed the path that the virus was found in. So, I was a bit worried when it turned out that the file was found in the Firefox cache folder. Interesting.
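
A defender-side check for the situation described above, added here as an example and not code from the original post: it walks a browser cache directory and flags entries that carry a Windows executable header, whether or not the download was ever accepted. It assumes each cache entry is a separate file with the response body at offset 0; the function names and the sample entry names are constructed for illustration.

```python
import os
import struct
import tempfile

def looks_like_pe(path):
    """True if the file starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"

def scan_cache(cache_dir):
    """Return the sorted paths of cache entries that contain a PE executable."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                if looks_like_pe(path):
                    hits.append(path)
            except OSError:
                continue  # entry locked by the browser or already evicted
    return sorted(hits)

def build_sample_cache(base):
    """Constructed sample data: a minimal PE-like entry, an HTML entry,
    and a text entry that merely begins with the letters 'MZ'."""
    pe = bytearray(0x84)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)   # e_lfanew -> 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    samples = {
        "A1B2C3": bytes(pe),
        "D4E5F6": b"<html>ok</html>",
        "0789AB": b"MZ but just text" + b" " * 64,
    }
    for name, data in samples.items():
        with open(os.path.join(base, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_cache(d)
        for hit in scan_cache(d):
            print("executable content in cache:", hit)
```
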



Reader Comments
5 responses so far
1. Richard Conteh, June 5th, 2008 at 4:48 pm
When a file is clicked, it readies the file to be downloaded and downloads it in the background to your cache. If you accept to save then you can choose where it saves to, but if not then it will stay in the cache until you delete the cache. Try it now: if you click to download a file, then wait how long you would expect it to take to finish without clicking save, then once it has completely cached press save and BAM! Instantly there. As soon as you click to download a file it immediately begins to cache. That’s why: you had the save dialog open long enough for it to have cached completely, otherwise it would not have been cached as it would not have been complete :) and that’s how it works ;) Hope this helps.

2. Alan, June 5th, 2008 at 5:25 pm
Yeah, but Firefox isn’t giving me a choice when I hit a downloadable file link - in this case on a virus. It just starts downloading it to my PC whether I actually want it or not. If Windows Live OneCare found some malicious code in there, it’s obviously downloading the harmful file when you haven’t permitted it to. Not good.

3. Richard Conteh, June 5th, 2008 at 7:45 pm
Worst case scenario your virus protection or some sort of protection would have kicked in?

4. Alan, June 6th, 2008 at 12:32 pm
What about the people who don’t have virus protection? It’s really not good to have stuff like that on your hard drive in the first place for anybody - what if virus protection doesn’t kick in?
It’s just unnecessary.

5. Richard Conteh, June 6th, 2008 at 4:54 pm
True