How trustworthy are Mozilla’s “malware checks” on Firefox add-ons? Sothink Web Video Downloader now declared “false positive”.

On Saturday I posted about how recently Mozilla declared two experimental Firefox add-ons as malware. Now Mozilla is claiming that the malware reading on v4.0 of Sothink Web Video Downloader was actually a false positive. (Master Filer extension is still declared as malware.)

For a moment, lets ignore the fact that Mozilla was only using “one malware detection tool” to screen add-ons before last week. Instead, lets focus on the fact how Mozilla – more or less – publicly condemned an otherwise respected software development firm without conducting a proper investigation. After reading their most recent post on the matter which explains how McAfee “helped Mozilla understand the threat better” (hence the now changed verdict), it looks like prior to McAfee’s intervention, Mozilla simply scanned the add-ons and declared them bad. If this was me trying to keep my personal computer safe, a simple scan would suffice. However, this is a company that has a reach of millions of users. I, for one, expect Mozilla to conduct a proper investigation before condemning someone else in public (especially when it means that that someone will lose many customers after Mozilla’s verdict has been revealed). Whoever was irresponsible enough to approve the first blog post without proper investigation should be held accountable.

In another scenario, lets give Mozilla the benefit of the doubt and say they did conduct an investigation (an investigation that involved more than just simply scanning the add-ons in question with an anti-malware tool) before making the first blog post. If this was the case, whoever conducted this investigation should be fired because I certainly don’t want someone with these type of threat detecting skills – or lack thereof – protecting my browser in any shape, form, or fashion.

Dare I ask if SourceTec Software was based in the Americas or Western Europe (i.e. they could easily sue Mozilla for libel) would Mozilla have acted a bit more cautiously? I shall hope the origins of SourceTec did not matter, but one must wonder. What Mozilla should have done is waited for a proper investigation to be conducted – such as they did in conjunction with McAfee – before making any public noise on the issue.

Now lets go back to the fact that Mozilla was, prior to last week, only using “one malware detection tool” in its pat-down of add-ons. I understand the fact that experimental add-ons may not be screened by Mozilla, so this point of mine is not necessarily directly related to the malware add-ons issue on hand. Rather I just want to express my sheer horror at how Mozilla put all their confidence in one tool as opposed to diversifying their protection methods. Even on my personal computer I use more than one method of anti-malware protection (and encourage everyone else to do the same); and if anything goes wrong on my computer, it will only effect me… not (potentially) thousands of other people. On the other hand, an AMO fail could result in (potentially) thousands of users being infected. What in the world was Mozilla thinking? I realize the fact that more screening means higher costs; but come on – somethings are worth spending that extra cash on (just look around for examples of what resulted thanks to cost-skimping strategies implemented by automakers). Thankfully, though, Mozilla now uses “two additional malware detection tools”; I don’t know if three tools are enough but three sure are better than one.

All in all, I feel very strongly that this whole episode has been a prime example of managerial, procedural, and technical failures at multiple levels of Mozilla HQ. Let me make clear I am not really blasting Mozilla for the false positive reading; false positives are just a necessary evil to anti-malware tools. Rather, I am disappointed how this was handled – from start to finish.


Related Posts