Closed Bug 630248 Opened 13 years ago Closed 11 years ago

Consider blocklisting the Google Update plug-in

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: bzbarsky, Assigned: shaver)

Details

From #developers today (snipped irrelevant bits, nicks elided):

<AAA> How exactly is Google Chrome able to install in b10 and run an 
      executable without asking my permission?
<BBB> AAA: Google Update plugin
<BBB> they install that whenever you install any google desktop software
<BBB> gives them 1-click installs via firefox
<AAA> BBB: Argh! You're right, that's installed.
<BBB> scares the hell out of me to think we're one google bug away from a
      zero-day code execution
<AAA> MWuhaha, and by default it makes it your default browser on update too,
      haha
<BBB> bz: AFAICT they install the plugin without asking you
<AAA> It's kind of cool though right? You install another browser, and -just
      in case-, somebody moves away from your product again and moves back to
      firefox, you install a plugin there, to move them back to your
      browser :-)

Since this plug-in is explicitly bypassing security features we have (e.g. the fact that we never auto-launch executables) and is installed without user consent, I think we should strongly consider blocklisting it.

If the part about it auto-switching the default browser is true, we should even more strongly consider blocklisting it.  Can we verify whether that's true?

I'm not sure whether I should file this bug here, or in Core:Plug-ins or in firefox:extcompat.  If someone knows, please move as needed.
Let me talk to Google about this.
Assignee: nobody → shaver
Summary: Consider blocklisting the Google Update plug-ing → Consider blocklisting the Google Update plug-in
Closing old blocklist bugs. Please reopen if the problem still exists.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Please reopen. Google Chrome 27.0.1453.110 m installed Google Update 1.3.21.145 in my Firefox 21.0 (= all current versions, on Windows XP, user is admin).
Is this a plugin or an extension being installed?
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
A plugin.
It is also installed on my Windows 7 at work and I think if I disable it, it becomes enabled again after a while, but I’m not entirely sure.
I don't think we need to blocklist this. Disabled-by-default plugins are coming hopefully in 24, and we don't have evidence that this is actually malicious, just kinda icky.
Sounds good to me. Even if we tried to pursue this, it would take months to actually happen. 24 will probably come sooner than that.
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → WONTFIX
May I suggest a re-open of this? This happened today using up to date browsers. 

Based on the policies at:

https://wiki.mozilla.org/Blocklisting

It appears this should be a candidate for "Click-to-Run" as the user did not intend to install this, and was not prompted or notified it would be installed. Given Firefox has no trivial method to uninstall plugins (like there is for Extensions) this should be made Click-to-Run.
After some delay, click-to-activate is on by default in Firefox 30 and this plugin is not in the whitelist.
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.