Firefox Will Add a New Drive-by-Download Protection

Mozilla will add a new security feature to Firefox in October that will make it harder for malicious web pages to initiate automatic downloads and plant malware-laced files on a user's computer. From a report: Called a drive-by download, this type of attack has been around for two decades and usually takes place when users visit a website that contains malicious code placed there by an attacker. The role of the malicious code is to abuse legitimate features in browsers and web standards to initiate an automatic file download or download prompt, in the hopes of tricking the user into running a malicious file. There are multiple forms of drive-by downloads, depending on the browser feature attackers decide to use. Browsers like Chrome, Firefox, and Internet Explorer have, across the years, gradually deployed various forms of protections against automatic drive-by downloads, but 100% protection can't be fully achieved because browser makers can't fully block legitimate web features and also because of the shifting landscape of web attacks, with attackers always finding a new hole to poke at.

We need to be protected from browser makers

[xack]

The new Firefox android is so bad it basically killed it, and Mozilla fucked around so much that they had to have massive lay offs. I’m fed up of all the “helpful” features browsers try to add and Mozilla even gives cheesey “presents” in to the toolbar now.

Re:

[gbjbaanb]

They released it too early. They know the problems with the UI and are fixing them - the beta version has a list of stuff they know are bad and are on their "get done" list.

and they're all the stupid thing that it should never have been released without. Like opening a new tab every time you click a homepage link.

I still rate firefox, but the management need a good kick up the arse, and out the door.

Re:

[Sooner Boomer]

The new Firefox android is so bad it basically killed it

Indeed! Fuck Firefox. You've made yourself useless to me on tablets and phones! At some point, waaayyy in the future, I *might* consider going back, IF they revert/restore previous features. For now it's (shudder!) Chrome.

Re:

[AmiMoJo]

The next version of Firefox Android will enable all add-ons again, but like the old version the majority won't work properly because of broken UIs. Most add-ons have UIs for desktop Firefox which don't work on mobile.

Neat but

[DarkRookie2]

The old add ons are still broken, so still not switching back.

Me, also. Hidden reasons Firefox was changed?

[Futurepower(R)]

Is there a Session Manager add-on for the new Firefox?

I also like Snap Links Plus. I haven't found something like that for the new Firefox. And Ghostery.

And there are other add-ons I need. Firefox management seems very insufficient.

We need a browser law that says browser providers must make clear how the browser works, there must be no hidden operations.

We need a browser law? An example.

[Futurepower(R)]

Example: I installed Google Chrome browser a long time ago, and it installed 3 system services. Google wanted to arrange that the company had complete control over my computer! I un-installed Chrome immediately.

Someone on Slashdot said that Google is still doing that.

It seems to me that Google CEO Sundar Pichai should be replaced with someone more kind and open and honest and caring.

One Feature to Rule Them All

[hcs_$reboot]

The first browser that automatically makes subtitles of any movie, in the language of your choice, is the winner (speech recognition + AI)

Re:

[MrL0G1C]

Is it ok if it also listens to your mic and uses the AI to transcribe everything you say.... for voice control ;-)

Fixing bugs as a feature

[xonen]

but 100% protection can't be fully achieved because browser makers can't fully block legitimate web features and also because of the shifting landscape of web attacks, with attackers always finding a new hole to poke at

So fixing bugs is now marketed as an 'additional protection' feature.

If only there was a browser maker that could throw hundreds of millions on development and choose which features to and not to implement because of security or other concerns because they have their in-house developed rendering engine and UI...

blah

[oneiros27]

I've had users for years complaining about having to click hundreds of links to download. (a search engine for physics data).

As I wanted to actually have a reliable method of 'click one button to download lots of links', I had played around with how to get around some of the limits in javascript. (things like waiting a half second between triggering each download, etc.).

Anyone know of any tools that work well for when it's an actual intentional download, and not just a driveby? I remember I tried playing

Bulk-download can be done

[davidwr]

Anyone know of any tools that work well for when it's an actual intentional download, and not just a driveby?

For something like a search engine where the people running the search engine WANT to make it easy to bulk-download the results, it should be easy:

Either provide a "store"-like experience where the user could "add some/all results to cart" for bulk-download after he has his "cart" the way he wants it, or provide a way to export the resulting URLs to a file and provide a one-button tool that would download all the links in a file. I'm thinking maybe a shell script that calls geturl or something equivalent.

I

Re:

[ls671]

Exactly, implement it server side, not in the browser in javascript like most developers are trying to do nowadays for almost everything. Build a zip file on the fly or whatever is needed but simply do it server side. Javascript hacks may stop working any day a browser update is released.

I still implement most of the functionality server side with minimal use of javascript. It makes much more robust applications. I don't understand why developers make their applications dependent on browser implementations

Re:

[ErikKnepfler]

>As I wanted to actually have a reliable method of 'click one button to download lots of links' This is ghetto but: You could find some goofy multi-clipboard manager, or clipboard history tool. Ideally something that stores the copied stuff in some kind of plain text file. Then you'd just copy all the links you want and let them pile up. Then just write a simple curl-based downloader script that reads the clipboard history and downloads anything matching certain criteria, like your physics site. Coul

Re:

[PPH]

'click one button to download lots of links'

Did you mean files rather than links. Because the result of downloading hundreds of links (to web pages) is hundreds of tabs. If what you meant is files, then there is tar | gzip (I'm certain a logical equivalent exists for more primitive systems). The files can either be pre-packed on the server if they are typically always downloaded together. Or a simple Perl server side script can feed them to the tar | gzip pipe on the fly based on user selection.

Re:

[stabiesoft]

Not sure exactly what your environment is, but seems like an application for a script using curl. The idea of a browser downloading/uploading a specific file without express consent by the user seems a recipe for disaster. Just seems that you should use the right tool for the right application, ie scripts->curl.

Re:

[thegreatbob]

I keep an old copy of FF 48 ESR exclusively for debugging my own minuscule JavaScript productionsin FireBug, and DownThemAll - if the site is too 'new' to run in this older FF version, DTA probably isn't going to help all that much anyways. FF 52 ESR would also work.

Re:

[MrL0G1C]

Waterfox + DownThemAll (if you can find it).... https://addons.thunderbird.net... [thunderbird.net]

Re:

[MrL0G1C]

Actually there's Firefox and Chrome versions too.

Cool, now can we please fix this other problem?

[DontBeAMoran]

What about drive-by arguments? [youtube.com]

Re:

[tinkerton]

Or drive-by-wire?

Sure they can block legitimate features

[davidwr]

because browser makers can't fully block legitimate web features

If by "legitimate features" you mean features that were created for an initially used for legitimate purposes? Sure web browsers can block them, and they have, for good reason: At some point, the danger to users or more likely to the web browser vendor's bottom line or public reputation outweighed the benefit of maintaining them.

Flash Player, goodbye, or goodbye soon.
Older plugin APIs, goodbye, or goodbye soon.
Even some useful-at-one-time HTML 1.0 features are now unofficially or officially deprecated or

Does this include ...

[PPH]

... getting rid of that annoying nag popup asking me to update Firefox?

Re:

[kackle]

+1 Indeed.

Another Solution

[Retired ICS]

To a problem that does not exist. The only time I have ever seen a "drive by download" is when using Microsoft Internet Exploder.

Perhaps someone should explain the concept of a "drive by download" because (except for very badly designed hunks of shit such as come from Microsoft and presumably Google) I have never experienced a browser "receiving" a file that it did not ask for.

Maybe Mozilla should rethink

[oldgraybeard]

OK so Mozilla will now make doing normal stuff, harder to do, with more hoops to jump through to protect the un protectable users.
You can't totally protect someone from their ignorance unless YOU violate their freedom and rights. Along with free speech, the right to be dumb is an absolute necessity.

While I am ranting! If un requested downloads is such a problem, here is my question for everyone.

Why do most web site run scripts from dozens of different places. Is that not a security risk. Each time I us

How about A switch?

[c-A-d]

How about a download switch. Turn it on, and downloads are permitted. Turn it off, and all downloads are blocked.