Mozilla Retracts Add-On Malware Accusation
The Firefox developer revealed it had mistakenly identified an add-on to its popular browser as malware. Version 4.0 of the Sothink Video Downloader does not contain a Trojan.
Sometimes you get it right, and sometimes, well, you don't.
Mozilla last week said it had identified malware in two Firefox add-ons and pulled both from its Add-Ons Mozilla (AMO) Web site. The affected add-ons were identified as the Master Filer extension and Version 4.0 of Sothink Video Downloader.
This week, Mozilla is backtracking a bit with the disclosure that it was wrong to label one of those, Version 4.0 of Sothink Video Downloader, as having a Trojan in it.
"We've worked with security experts and add-on developers to determine that the suspected Trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware," Mozilla stated in a blog post.
However, Mozilla isn't changing its position on the other of the two add-ons that it singled out last week.
"The same investigation also confirmed that the Master Filer extension included a valid instance of a Trojan," Mozilla said in the post.
Mozilla said that security vendor McAfee had a hand in helping it determine that the Video Downloader did not in fact include a Trojan.
"McAfee volunteered to help us in response to our initial announcement regarding the security threat," Nick Nguyen, director of add-ons at Mozilla, told InternetNews.com. "This assistance was separate from the automated antivirus scanning we have employed on addons.mozilla.org."
Mozilla also said that it is now taking a number of steps to ensure that false positives are not an issue in the future.
"We've increased the number of [antivirus] packages used from one to three and we are in the process of updating our add-on review policies as well," Nguyen said.
Comments from the public on the Mozilla blog post admitting the false positive were somewhat less than complimentary to the open source browser vendor, however.
"It is irresponsible of Mozilla to allow non-Mozilla-approved plug-ins to even exist," one anonymous commenter wrote. "At the very least, those non-Mozilla-approved plugins should be displayed with a STERN warning -- Mozilla has not tested this plugin for vulnerabilities -- Use at your own RISK."
Both the Master Filer extension and Version 4.0 of Sothink Video Downloader were labeled on the AMO site as being experimental add-ons.
"Average users should not be installing untrusted, unreviewed, 'experimental' addons," Mozilla developer Daniel Veditz countered on the Mozilla blog. "And this incident does point out that the site is not at all clear that the intended audience for unreviewed addons (hard-core testers and experimenters) is very, very different than the general add-ons user."
Still, Mozilla is working in other ways to single out add-ons appropriate for general-interest users. For instance, Mozilla is today launching a new effort to help promote what it refers to as "recommended" add-ons for Firefox.
The recommended add-ons will appear on the first-run page of a new Firefox 3.6 installation, providing users with a list of recommended add-ons that initially includes the StumbleUpon social bookmarking add-on and the ReminderFox task list add-on.
Update adds comments from Mozilla.