Sothink Web Video Downloader was not infected

Feb 11, 2010 13:05 GMT

Mozilla announced that one of the experimental extensions named as being infected in a recent AMO security advisory was in fact clean. A more thorough investigation revealed that detection of malware in version 4.0 of Sothink Video Downloader was a false positive.

Last week, Mozilla's Add-ons Team issued a security advisory on its blog, warning users that two experimental add-ons were found to contain malware and were removed from the addons.mozilla.org (AMO) repository. The team calculated that together, the two had over 4,600 downloads.

One of the add-ons in question, Sothink Web Video Downloader, or more exactly its version 4.0, was alleged to be infected with a computer trojan called Win32.LdPinch. This particular version was available for download between February 2008 and May 2008, and was downloaded 4,000 times.

“Since that disclosure, we’ve worked with security experts and add-on developers to determine that the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware,” the AMO team notes in an update. Meanwhile, it confirmed that the second add-on, called Master Filer, was indeed infected with Win32.Bifrose.

The add-ons repository entry for Sothink Video Downloader has been restored and apologies went out to the extension's developers, China-based SourceTec Software. However, Graham Cluley, senior technology consultant at Sophos, feels that this should have been handled differently.

“Of course, you have to feel sorry for the developers of Sothink Video Downloader whose reputation could have been harmed by an incorrect claim of malware infection like this. I don't think that Mozilla was wrong to withdraw the add-on from availability while its status was under question, but I do think they should have double-checked before publicly labelling it 'malware',” he writes on his blog.

Mozilla thanked security researchers from antivirus giant McAfee for providing information about the infections, but it is not clear whether any McAfee products are used in the normal extension vetting process. The AMO team suggested that until this incident, they were using a single “scanning tool,” but they have since added more.