Closed Bug 402401 Opened 17 years ago Closed 13 years ago

Malicious web site resizes Firefox and calls alert(), making it seem as if Firefox has crashed and offering a sketchy "solution"

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: libash7, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-spoof, sec-low, Whiteboard: [notacrash])

Attachments

(1 file)

What Jesse imagines the site is doing
(deleted), text/html
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9

mozilla browser crashes.  false "error message" appears asking me to download.  it says "error detected.  the page at http://fixthemnow.com says notice your system is not optimized and your computer...would you like to install fixthemnow.  when I again double-click on mozilla browser icon it appears only in a tiny window in the upper right of screen, then I must hit the enlarge square to have mozilla browser fill my screen (and start all over again from my home page).  this bug has appeared under different names such as Drivecleaner.

Reproducible: Always

Steps to Reproduce:
1.  It happens when I've opened the mozilla browser.  sometimes there is a delay and sometimes it is immediate like tonight.  
2.I have several tabs.  It might be that I am going between tabs.  not sure about this.
3.
Actual Results:  
entire mozilla browser crashes.  I lose any website I was on.  Error message appears asking me to click on it per information above, e.g. 'your system is not optimized...'  I ignore message and go to original mozilla icon on screen and again double-click to open.  It opens to a small window rather than filling the entire page and does not show me my homepage.  I then click on that tiny window with the square to enlarge the screen and only then does my homepage appear.  all websites I had been logged onto are no longer apparent, and I start from the beginning again.  "error detected" remains on my screen.  It crashes only that once and I do not put my mouse on the "error detected" which asks me to download something.   
When I've closed my computer shutting down all tabs on mozilla, and then turn on computer another time and open mozilla browser, message often says mozilla was never correctly shut down and option is offered do I want to continue as it was or start a new screen with mozilla.  this is even though I have properly closed out of the second opening of mozilla.  this happens because the bug improperly closed the first mozilla browser window.

Expected Results:  
The mozilla browser should not have crashed and I should not have to begin over again to open the browser.  When I shutdown the computer and go another time to open mozilla, I get the valid message saying that mozilla was never shut down properly and do I want to go back to how it was or to a new screen.

it is mozilla that crashes -- not the computer that crashes.  The error message asks me to go to their website and try their material, e.g. "would you like to install fixthemnow to optimize your computers performance for free,  and then I'm offered options yes or no.

this has appeared under different names such as drivecleaner.com  fixthemnow.com
Sounds like either:

(1) A site you're on is resizing and moving your browser window in order to make it *look* like Firefox has closed and a dialog has appeared.  (In the summary of this bug, you said "with mozilla icon".  Do you mean that the window icon for the "error message" is the Firefox icon?  If so, it's probably this.)  Going to Preferences > Content > JavaScript > Advanced and unchecking "Allow web pages to: move or resize browser windows" should prevent this form of misleading advertising from interfering with your browsing.

(2) Your computer has been infected with malicious software, and that malicious software is throwing up bogus dialogs (and perhaps even closing Firefox) in an attempt to get you to pay for its "solution".  There's not much Firefox can do about it once your computer is infected.  http://en.wikipedia.org/wiki/Spybot_-_Search_%26_Destroy might help.

If you figure out which it is, please tell me.  If it's (1), we totally need to fix bug 186708.
Does this happen immediately after you open Firefox?  If so, what is your home page?
Can you attach a screenshot of the fake crash message window?
>it says "error detected.  the page at http://fixthemnow.com says notice your
>system is not optimized and your computer...would you like to install
>fixthemnow.

"The page at ... says" is something Firefox puts in alert() messages from web pages.  So maybe the site is making the browser window tiny and then covering it with an alert()?  Sneaky!
http://www.siteadvisor.com/sites/drivecleaner.com/ points to 
http://www.drivecleaner.com/.freeware/?p=43&ax=1&ex=1&ed=2&aid=coasteye_rdt&lid=infy 
which does indeed resize the browser.  It shows a fake WinXP-looking window, dialog, *and* system tray notification bubble inside the browser content area.  Pretty nasty, but not exactly the same as what you described.
You can prevent sites like this from resizing your main browser window.
 - On the "Tools" menu click on the "Options..." item.
 - On the options dialog click on the "Content" icon
 - To the right of the Javascript checkbox click on "Advanced"
 - UN-check everything

If this is really causing a crash we need to know where so we can fix it. Please install the Quality Feedback Agent ("talkback") and submit the crash details, and then put the crash IDs here. Or put "bug 402401" in the QFA comment field so we can search for your crashes.

http://support.mozilla.com/kb/Quality+Feedback+Agent

A lot of the DriveCleaner family popups come from installed adware that piggy-backs on stuff installed from the internet. One of the recent ones installs a "nsBrowserOpt.dll" file that has become the most persistent crash problem we see. If you have that file on your system delete it (but it will probably keep coming back if you don't get rid of the underlying adware install).

That file is usually installed at
C:\Program Files\Mozilla Firefox\components\nsBrowserOpt.dll
Attached file What Jesse imagines the site is doing (deleted) — 
This resizes your browser window to be tiny, then covers it with an alert.  Tested on Mac.
The idea behind the "no smaller than 100x100" restriction was precisely to prevent people from hiding the window. It probably worked better in the old days of 800x600 displays.

Is it time to reconsider the lower bound, make it bigger? Unfortunately alerts can also be made bigger by the atacker to compensate so that might not help in practice. What about flipping the "allow move and resize" pref -- I've not run into any legit sites badly broken because I don't allow them to do that.
I agree that we should flip the "allow move and resize" pref (bug 186708).
(In reply to comment #5)
> http://www.siteadvisor.com/sites/drivecleaner.com/ points to 
> http://www.drivecleaner.com/.freeware/?p=43&ax=1&ex=1&ed=2&aid=coasteye_rdt&lid=infy 
> which does indeed resize the browser.  It shows a fake WinXP-looking window,
> dialog, *and* system tray notification bubble inside the browser content area. 
> Pretty nasty, but not exactly the same as what you described.

My Comment back:  You are right, the browser was resized.  I followed your directions so that it could not be resized, and now the bug has changed names and is freezing the screen.  I'll try and explain as clearly as I can.  

The bug has morphed to call itself Hard Drive Guard.com and is keeping me from going to any of my tabs.  It is showing up in my address bar as: http://harddriveguard.com/clean/?tmn=es5&eai=1yingsir&eli=ff2s_ao_4055_0_164  (I'm unable to read the rest and cannot highlight or copy it in the address bar.

In the bottom of my screen is a box with world mozilla icon and it says Error Detected-...

also showing on left hand side of screen is "transferring data from harddriveguard.com..."        though nothing seems actually to be transferring.

In the very top of my frozen screen in the first line possible is another mozilla red world icon "Error Detected - Mozilla Firefox"

  

I cannot go to my tabs
I cannot input anything into the address space
I cannot close out the tab

I am able to use my start menu and can go to wordpad, etc.

To use the web browser, I've gone to start menu and opened a second Mozilla Firefox.  The bug seems to attack only one browser at a time.  The second Mozill works and is not frozen.  That is how I accessed the Yahoo mail.

I notice that though I have six tabs on my home page, repeatedly one of them has a "problem loading" icon yellow triangle.  When I tab to that one, the address bar will show my chosen site so I don't have to retype the url and only hit "enter" for the site to come up without problem.  I don't know if it is related to the bug.  

However, on the browser which is frozen because of the bug, the tab I spoke about above is showing the proper url and it is the one next to it that says "error detected", so perhaps there is no relationship?

I'm going to try and include a screen shot of the frozen browser homepage.  (Appapparently, I cannot just copy and paste the screen shot here.) 
 
> 

 

 


(In reply to comment #7)
> You can prevent sites like this from resizing your main browser window.
>  - On the "Tools" menu click on the "Options..." item.
>  - On the options dialog click on the "Content" icon
>  - To the right of the Javascript checkbox click on "Advanced"
>  - UN-check everything
> 
> If this is really causing a crash we need to know where so we can fix it.
> Please install the Quality Feedback Agent ("talkback") and submit the crash
> details, and then put the crash IDs here. Or put "bug 402401" in the QFA
> comment field so we can search for your crashes.
> 
> http://support.mozilla.com/kb/Quality+Feedback+Agent
> 
> A lot of the DriveCleaner family popups come from installed adware that
> piggy-backs on stuff installed from the internet. One of the recent ones
> installs a "nsBrowserOpt.dll" file that has become the most persistent crash
> problem we see. If you have that file on your system delete it (but it will
> probably keep coming back if you don't get rid of the underlying adware
> install).
> 
> That file is usually installed at
> C:\Program Files\Mozilla Firefox\components\nsBrowserOpt.dll
> 

Reply:  I've searched for nsbrowseropt.dll, and it did not come up in my computer search, but it seems the most likely.  Can you further advise re finding this and getting rid of it?  Thx
Use the "Add an attachment" link in the bug report to upload a screenshot.  If it's only in your clipboard, turn it into a PNG by pasting it into MS Paint, selecting "Save As...", and selecting PNG from the type dropdown.
Not being able to use the browser UI while there's a modal dialog up is bug 59314 / bug 61098.  If you click "cancel" in the dialog, what happens -- does another one pop up immediately?
As per Jesse, I'm adding my recent encounter.

I loaded a few pages into new tabs, and a moment later I was taken aback as it seemed Firefox had crashed. I saw a dialog, which attempted to tell me I was infected with some form of malware. Obviously SOMETHING nefarious was going on, although it wasn't native malware, but javascript malware. I took a screenshot:
http://burntelectrons.org/img/evilad/screenshot0.jpg
For whatever reason I moved the dialog you see there, and Aha! There's Firefox!
http://burntelectrons.org/img/evilad/screenshot1.jpg
It's been resized and moved behind the dialog. So that you can read it, I reproduce it here:
http://burntelectrons.org/img/evilad/screenshot2.jpg

The only pages I had loaded were:
http://seekingalpha.com/article/53450-first-weekend-leopard-sales-on-par-with-initial-vista-sales?source=yahoo
http://architechnophilia.blogspot.com/2007/11/zero-house.html

So, one of those pages fired off some script which I was unable to find, which did all that, then sent me off to:
http://scanner2.malware-scan.com/5_swp/scan.php?tmn=mwatmp&aid=c0ffeeby&lid=hulli_ao_3958_0_10229_ao_&ex=1&ed=2&tmn=null&mt_info=3958_0_10229

Now, this is disturbing because it means that these types of scams are potentially filtering through ad networks on fairly legit sites, and could fool users browsing non-hostile sites. I assume it was probably via an ad because I can't find any nasties hidden in the more static content of the pages.
oh, jesse: In my case, I clicked cancel, and it took me to that page, I didn't click ok, but assume the same thing would have happened. I have been unable to reproduce, sadly.
Grey, The scanner2.malware pop up is coming from seekingalpha.com page.  It is easily duplicated.  The problem happens when you click on one of their articles, not any one in specific.  It is a Firefox specific problem, i have tried to reproduce with IE7 and Opera and it does not happen.  It is frustrating that this is happening from a legitimate site.  
Well1 I totally missed it. Glad someone looked closer than I had. :)
Product: Firefox → Toolkit
Component: Error Console → General
Product: Toolkit → Firefox
QA Contact: error.console → general
Blocks: eviltraps
Copied from the newsgroup:
Gijs Kruitbosch wrote:
> As a sidenote, it would be Nice, though presumably very hard, to have 
> the alert dialog not be modal with respect to the browser UI - just to 
> the website...

Yes! This makes a lot of sense to me, but I don't see why it should be so hard.  Currently the alert is a XUL window. Couldn't the nsIDOMWindow part temporarily supplant the tab's nsIDOMWindow in a modal fashion? Then the alert is physically attached to the page that creates it.
the problem with modality is described in various bugs, i'm pretty sure you've even read them.

in short javascript promises a certain definition of consistency involving 'connectedness'.

basically if window 1 opens window 2 and window 2 does something, then window 1 isn't allowed to 'change' while the script in window 2 is running, and vice versa. that modal alert from window 2 should actually prevent interaction with window 1 also. in cases where it doesn't, we're actually breaking the web.

ignoring that. javascript interacts with C/C++ code in a way that ends up being stack based, which means you can't simply ignore an alert until it's convenient.

if window 1 tosses up an alert and then window 2 tosses up an alert, clicking the alert from window 1 won't do anything until you dismiss the alert from window 2. the result here is that users get frustrated because their browser is broken.

hiding alerts from users might sound nice until you realize that you're leaving them with broken browsers which is actually worse.

this proposal is WONTFIX until we move the different tabs into different processes.
If all of the 'window' objects are within a single tab, all of the logic you outline is preserved. We know that because the modal alert derives from a time before tab browsing. So my comment 20 based in Gijs's suggestion stands: modality with respect to a tab/page is a good approach to this problem.

If mozilla does indeed move to different processes, then this will be the natural solution. Else we need a fix.
Depends on: 186708
Summary: mozilla crashes and an error message appears 'error detected' with mozilla icon → Malicious web site resizes Firefox and calls alert(), making it seem as if Firefox has crashed and offering a sketchy "solution"
Whiteboard: [sg:low] [notacrash]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Alerts are now content-modal since bug 59314 so this specific attack is no longer possible without the browser chrome being visible. A fix to bug 548777 would still be nice to have though.

Thanks for the report.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Resolution: INVALID → FIXED
Depends on: 565541, 59314
No longer depends on: 186708
Keywords: csec-spoof, sec-low
Whiteboard: [sg:low] [notacrash] → [notacrash]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: