Firefox Auto Download Security Flaw

Published on the 4th of June 2008

So, picture this: someone on your Windows Live Messenger contact list gets a virus. That virus then goes on to hijack their Windows Live Messenger account and sends everyone on the contact list a link to the same virus, thus spreading it around. So, you accidentally click on the link (I was distracted), and up pops Firefox asking whether you would like to save the file or cancel. Obviously realising what had happened, I clicked cancel, sure I'd dismissed it and it hadn't so much as touched my hard drive. But, sure enough, a few seconds later Windows Live OneCare popped up and told me that it had quarantined a trojan - the same trojan I just told Firefox to ignore.

WTF? So does Firefox download stuff for you now? So it turns out it does. When I looked in the OneCare quarantine it displayed the path that the virus was found in. So, I was a bit worried when it turned out that the file was found in the Firefox cache folder. Interesting.

