If you use a computer and worry about its security, you should subscribe to the SANS diary, which keeps you up to date with the network's big security issues.
Today the news is Mozilla Firefox bug ID 432406: Virus found in Vietnamese language pack.
It looks like:
- The network of the person who builds the language pack was compromised with a Win32 virus that patches advertisement JS into .xhtml files.
- The virus patched the help files for the language pack,
- which was uploaded in February.
- This was before the virus scanners recognised the malware (always the problem), so the file passed the initial security checks,
- and it was not found until May, when a rescan of the repository caught it.
As it takes Mozilla more than a week to scan the repository, they aren't in a position to detect malware that creeps in ahead of the signatures being updated.
This is pretty scary. It shows that you can't trust .xpi files, even from mozilla.org, and I doubt most PC virus scanners look inside them. It also shows that the security of OSS products is limited by its weakest link: the security of the computers of the people who make the contributions. That means you are pretty vulnerable, as a lot of machines out there are a mess, especially Windows ones, where the default low-energy state is 0wned.
When you think that the whole OSS platform is based on an explicit trust of the repositories and the source, that's very scary.
The virus scanning process needs to be improved. A month? Someone needs to copy all the files up to HDFS and then run the scanner as a Hadoop Map/Reduce job: make each signature scan a single map and stream the tasks past the files.
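As an added illustration of the two points above (scanners need to look inside .xpi files, and each signature can be its own map task), here is example code written for this note; it is not Mozilla's scanner and not a real Hadoop job. It treats the .xpi as the zip file it is, walks nested chrome .jar members, runs every signature as an independent map over the extracted members, and then reduces the hits by file path. The sample language pack and the two signature patterns are constructed placeholders, not real AV signatures.

```python
"""Signature scan of an .xpi archive in a map/reduce shape (example code, not Mozilla's)."""
import io
import re
import zipfile
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

# Constructed placeholder signatures, NOT real AV signatures:
# (name, byte regex) pairs; each one becomes a single map task.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("injected-ad-script", rb"<script[^>]*src=.http://[^>]*adserver"),
    ("hidden-iframe", rb"<iframe[^>]*display:\s*none"),
]

# Member types worth scanning for patched markup/script.
SCANNED_SUFFIXES = (".xhtml", ".html", ".js", ".xul", ".dtd")
NESTED_SUFFIXES = (".jar", ".zip", ".xpi")


def build_sample_xpi() -> bytes:
    """Construct an in-memory language pack: chrome lives in a nested .jar,
    and one help file carries a constructed 'advert' script tag."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("locale/vi/help/welcome.xhtml",
                   "<html><body><p>Xin chao</p>"
                   "<script src='http://example.invalid/adserver/x.js'></script>"
                   "</body></html>")
        z.writestr("locale/vi/help/clean.xhtml",
                   "<html><body><p>clean</p></body></html>")
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/vi.jar", jar.getvalue())
    return xpi.getvalue()


def extract_members(xpi_bytes: bytes) -> Dict[str, bytes]:
    """Return scannable members keyed by path, descending into nested archives
    (paths inside a nested jar are written as outer.jar!/inner/path)."""
    out: Dict[str, bytes] = {}

    def walk(blob: bytes, prefix: str) -> None:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            for info in z.infolist():
                if info.is_dir():
                    continue
                data = z.read(info)
                path = prefix + info.filename
                if info.filename.endswith(NESTED_SUFFIXES):
                    walk(data, path + "!/")
                elif info.filename.endswith(SCANNED_SUFFIXES):
                    out[path] = data

    walk(xpi_bytes, "")
    return out


def map_signature(sig: Tuple[str, bytes], members: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Map step: stream one signature past every member, emit (path, sig_name)."""
    name, pattern = sig
    rx = re.compile(pattern, re.IGNORECASE)
    return [(path, name) for path, data in members.items() if rx.search(data)]


def reduce_hits(mapped: List[List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Reduce step: group signature names by the member path they hit."""
    result: Dict[str, List[str]] = {}
    for hits in mapped:
        for path, name in hits:
            result.setdefault(path, []).append(name)
    return result


def scan_xpi(xpi_bytes: bytes, signatures=SIGNATURES, workers: int = 4) -> Dict[str, List[str]]:
    """Whole pipeline: extract, map each signature in parallel, reduce."""
    members = extract_members(xpi_bytes)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        mapped = list(pool.map(lambda s: map_signature(s, members), signatures))
    return reduce_hits(mapped)


if __name__ == "__main__":
    for path, names in scan_xpi(build_sample_xpi()).items():
        print(f"{path}: {', '.join(names)}")
```

Running it reports the patched help file inside the nested chrome jar and nothing for the clean one; a scanner that only hashes or greps the outer .xpi as a single blob sees neither, which is the gap the post is worried about.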
http://www.sophos.com/pressoffice/news/articles/2002/06/va_nimda_korea.html
"Microsoft has confirmed that it accidentally distributed to developers a copy of the W32/Nimda virus in Korean versions of its Visual Studio.net package."
http://itheresies.blogspot.com/2004_10_01_archive.html