Closed Bug 1290141 Opened 9 years ago Closed 9 years ago

Youtube Unblocker can be installed after installing the system add-on

Categories

(Toolkit :: Add-ons Manager, defect)

44 Branch
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: vtamas, Unassigned)

Attachments

(2 files)

Attached file addons.zip
[Affected versions]:
Firefox 44 (20160123151951)

[Affected platforms]:
Windows 10 64-bit (VM)
Ubuntu 14.04 32-bit (VM)
Mac 10.10 (VM)

[Steps to reproduce]:
1. Launch Firefox with clean profile.
2. Navigate to about:config and set the following prefs to false: xpinstall.signatures.required and extensions.blocklist.enabled.
3. Go to Addons Manager and install first the system add-on.
4. After that install the malware Youtube Unblocker add-on.

[Expected results]:
The system add-on does not allow Youtube Unblocker to be installed.

[Actual results]:
- Youtube Unblocker add-on is successfully installed and it is not disabled.
- The add-on is disabled only after a browser restart.

[Additional notes]:
- I’ve attached both add-ons in the archive.
boy, so many questions...
- why test in Firefox 44?
- why did you turn off signature checking and the blocklist, since those are in part designed to prevent the results you don't like?
- What do you mean by "system add-on"? We have a feature in Firefox called "system add-ons" (hidden in about:addons, but visible in about:support) but that doesn't seem to be what you mean because I don't believe it existed in Firefox 44.
Flags: needinfo?(vasilica.mihasca)
We are testing the remediation add-on for the Youtube Unblocker. For more details please see Bug 1258565.
- Firefox 44 is the first version for which this system add-on was deployed
- Signature checking was turned off in order to install the remediation add-on, which is not signed yet, and the blocklist was switched off in order to install the malware add-on
- By system add-on I was not referring to that feature; the remediation add-on is also called a system add-on
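A profile left in this test state keeps both protections off, so it helps to check for that before a test profile is reused. The following is an added example, not part of the original bug or of Firefox's code: it scans a profile's prefs.js and user.js for the two prefs named above. The function names and sample contents are constructed, and it assumes the usual one-`user_pref()`-per-line file format, with both prefs defaulting to true when absent.

```python
import re
from pathlib import Path

# Prefs the reproduction steps set to false; assumed to default to true (enabled).
PROTECTIVE_PREFS = ("xpinstall.signatures.required", "extensions.blocklist.enabled")

# One pref per line in prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw value string} for every active user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def disabled_protections(prefs_js="", user_js=""):
    """List protective prefs that end up false; user.js overrides prefs.js."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return [p for p in PROTECTIVE_PREFS if merged.get(p, "true") == "false"]

def audit_profile(profile_dir):
    """Run the check against prefs.js and user.js of one profile directory."""
    texts = []
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        texts.append(path.read_text(encoding="utf-8", errors="replace")
                     if path.exists() else "")
    return disabled_protections(*texts)

# Constructed sample: a test profile left in the state the steps describe.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("extensions.blocklist.enabled", false);
user_pref("xpinstall.signatures.required", false);
'''
# Constructed sample: a user.js that turns signature enforcement back on.
SAMPLE_USER_JS = 'user_pref("xpinstall.signatures.required", true);\n'

if __name__ == "__main__":
    print(disabled_protections(SAMPLE_PREFS_JS))
    print(disabled_protections(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```
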
Please note that if the watcher.xpi add-on is installed then when the malware remediation add-on disables the Youtube Unblocker add-on, it can be re-enabled afterwards by the user, and a new add-on appears to be downloaded in the Extensions section in the Add-ons Manager.

STR:
1. Launch Firefox 44
2. In about:config disable the preferences:
   xpinstall.signatures.required
   extensions.blocklist.enabled
3. Install the malware remediation add-on
4. Install the YouTube Unblocker add-on
5. Install the malware through the watcher.xpi
6. Restart Firefox 44 and check the Extensions in Add-ons Manager

Expected:
The YouTube Unblocker should be disabled without the possibility of being re-enabled. No other add-on should be installed.

Actual results:
The YouTube Unblocker is disabled but the Enable button is also displayed in the Add-ons Manager and can be re-enabled if the user chooses to. A new add-on is displayed for a short period of time having the status: Downloaded.

Please see the screenshot for more details and please let me know if I should file a new issue for this behavior.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: toolkit-core-security → core-security-release
This bug was marked as Resolved Fixed, BUT several issues are still seen when following the scenario from the Description. For instance:

[Steps to reproduce]:
1. Launch Firefox with clean profile.
2. Navigate to about:config and set the following prefs to false: xpinstall.signatures.required and extensions.blocklist.enabled.
3. Go to Addons Manager and install first the system add-on (I used a signed version)
4. After that install the malware Youtube Unblocker add-on.
5. Restart Firefox (Shift + F2 -> restart)
6. Restart Firefox again

After first restarting Firefox in step 5 the secmodd.db file is still present in the profile folder. The secmodd.file is removed only after the restart from step 6.

After step 5 the YouTube Unblocker add-on can be re-enabled (the Enable button is available in the Add-ons Manager).

Kris, is this expected in any way?
Flags: needinfo?(kmaglione+bmo)
After the initial issue being fixed, I can still reproduce this using the above scenario in FF44.0.1 DE-build (Windows 10 x64).

Please see the screenshot: http://screencast.com/t/t2cBMMUKJ

NOTE:
- the malware can be enabled, even if it appears to be inactive (false) in about:support: http://screencast.com/t/i2h73NpuM
I believe that issue should have been fixed by the latest update of the system add-on. Newer versions of the malware watcher add-ons are unsigned, which had an unexpected effect on our code that attempts to prevent the malware from interfering with the blocklist update.
Flags: needinfo?(kmaglione+bmo)
The malware Youtube Unblocker add-on is successfully installed on Firefox 44 even though the remediation add-on was already installed using the Timer Fire add-on. The malicious add-on is disabled after about 10 minutes.

This behaviour is not encountered on Firefox 45.0.2, where the malware add-on is not allowed to be installed and the “Youtube Unblocker could not be installed because it has a high risk of causing stability or security problems” doorhanger is automatically displayed.

Tested under Ubuntu 14.04 32-bit VM.

Any thoughts about these discrepancies?
Flags: needinfo?(kmaglione+bmo)
Group: core-security-release