Has the Mozilla download site been hacked?
Our Ironport appliances are blocking downloads of Firefox with the following text being displayed.
This Page Cannot Be Displayed
Based on your corporate access policies, this web site ( http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe ) has been blocked because it has been determined by Web Reputation Filters to be a security threat to your computer or the corporate network. This web site has been associated with malware/spyware.
Threat Type: othermalware Threat Reason: Domain reported and verified as serving malware.
If you have questions, please contact the UT Dallas Computer Help Desk at 972-883-2911 or ( assist@utdallas.edu ) and provide the codes shown below. If you believe this page has been misclassified, use the button below to report this misclassification. Notification codes: (1, MALWARE, othermalware, Domain reported and verified as serving malware., BLOCK-MALWARE, 0x029b41b8, 1342562888.252, AAAD6wAAAAAAAAAAGf8ACP8AAAD/AAAAAAAAAAAAAAE=, http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe)
All Replies (17)
Did you contact the UT Dallas Computer Help Desk?
I am a Senior Information Security Analyst. We received a complaint from a user trying to download Firefox, and I am following up. Our security appliance is blocking Firefox downloads, because the appliance "believes" that the site is serving malware. That seemed like a problem that the Mozilla folks might care about.
What security appliance are you using? This is a possible vendor false positive.
cor-el, I'm at home now, so I can't test it. I'll test it in the morning.
Tylerdowner, they're Cisco Ironport Web Security Appliances. It's possible that it's a false positive, but you'll notice that the warning says "Threat Reason: Domain reported and verified as serving malware."
It would be pretty unusual for Cisco to block Mozilla without verifying the problem first and then claim that they have verified it.
Probably unrelated, but:
- My ESR update failed; see also /questions/932451, where someone reports a problem.
Maybe someone would like to follow up on that thread.
I deliberately left it as unanswered, as I have no solution.
In my case I would not be surprised to find I am being offered the 32 bit version instead of the 64 bit version, the ordinary download links failed previously for that reason. Of course that does not affect Windows users as they get 32 bit versions anyway.
Not concerned for myself, as I only use ESR for test/comparison purposes.
Please do not download from softpedia or any other website. Mozilla ftp sites, or official mirrors are the only pages that are guaranteed secure.
And that is the concern, Tylerdowner. Right now it looks like the Mozilla download links are also not secure. Can we get someone from Mozilla to check this out?
BTW, I sent the complainant the links that cor-el posted. I'll let you know if those worked. The link I posted about is still blocked.
The Mozilla mirrors are clean; there isn't any malware on them. However, you can file a bug on https://bugzilla.mozilla.org/ and our contacts can try to reach out to Cisco and see if we can't get this false positive removed.
Did that.
Chosen Solution
And the Bug report is
Bug 775094 - Cisco's Ironport Web Security Appliance is blocking Firefox downloads
Tylerdowner, unless you're willing to pay us for any infections caused by your site, then I apologize, but I will not take your word for this. I want Mozilla to do a proper investigation, just as we would with a similar complaint, and assure the community that there is not a problem and that this is, in fact, a false positive.
Hi utdpauls,
You could take Tylerdowner's suggestion and file a bug that will allow it to be investigated. I am sure you would be satisfied that a false positive will only be removed if it is agreed it is a false positive. This is a support forum for answering users support questions, rather than discussing site issues.
Also, maybe you could point at instances where we can see these reports. Do they include the ability for site owners to respond?
Update Bug775094#c7 filed & under investigation
Paul, Thank you for reporting this to us. Mozilla's Operations Security takes reports like this seriously and will investigate, per standard procedure.
Joe Stevensen Operations Security Manager
Thanks, John99. I already filed a bug and the security team is investigating. And yes, I would be satisfied that it's a false positive if the security team tells me their investigation turned up nothing.
I posted a report initially. As you see by reading it, the users can click on a button and report what they believe to be a misclassification. I don't have any problem with users doing that, but as a security professional my investigation has to go a bit deeper than, "That can't be right."
The best sites in the world can be hacked. There's no such thing as an unhackable site or software (Larry Ellison, are you listening?), and I can't just assume that everything is fine.
Since the sec team is investigating now, I will mark this as solved.
We are seeing the same problem with our Cisco Web Security Appliance blocking the following site:
Is there an ETA on when this will be resolved/followed-up on?
See the bug posted above by John99.