Closed Bug 262762 Opened 20 years ago Closed 16 years ago

Method to keep adware and malicious extensions and plugins from being added without user's knowledge

Categories

(Core :: Security, enhancement)

Product:
Core
Component:
Security
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 346960

People

(Reporter: netdragon, Assigned: dveditz)

References

Details

At the time of writing, an installation program can place additional browser
plugins in the plugins directory without the user being aware of it. This could
install handlers for file types that allow malicious behavior. Mozilla can keep
a register of existing plugins, such as java plugins, and warn a user if a new
one has been added. This register should not be accessible to outside
applications (should use a user-held key for encryption or some other method).
So I don't get flamed, I realize extensions and plugins are different. I made
this one bug since the same lockdown method might be used for both.

This could also be applied to extensions that were installed by a 3rd party
application by copying their files to the profile directory. With Firefox's
market share increasing, it will increasingly become a target for spyware and
browser hijackers. See also http://forums.mozillazine.org/viewtopic.php?t=39266

The perfect scenario for extensions is to make it so they could only be
installed with the help of Mozilla and thus the user would be prompted. This
scenario is probably unrealistic.

There is no sure-fire way to block adware who has access to the same disk and
our source code from getting in. Through deterrents, and working with makers of
programs like Norton Security and Adaware, we should be able to get the number
of adware programs that put the effort in to get through the deterrents to a
manageable number. That's the best we can probably hope to accomplish when these
programs would already be installed and have access to the same system. Beyond
that, it'd be some cat and mouse game we'd invariably lose. Deterrents, though,
are probably worth the effort.

I think a good start in solving the issue of extensions being inserted without
our knowledge is simply to have a way to view ALL extensions that are installed
and loaded, such that a user can eyeball whether there is a malicious extension
installed. They would see malicious plugins in about:plugins, if most users knew
about it.

Bug 16489 is about password protection for the profile. I don't know if this is
a good route to travel down. Any means of key encrypting a list of plugins and
extensions would require either a password upon startup (inhibiting usage), or
for the user to be expected to run a check every so often, along with a password
required when installing extensions.

I'm aware that currently security extensions are not seen by the users. This
needs to change, because malicious extensions could utilize this method to
remain invisible to the user. If you want to make them not ugly up the
extensions dialog, they could be placed at the end of the list, with a divider
in between.

All this being said, there is still no way to guarantee that, as Callek said,
applications couldn't hack into the device context for the Window through the
Windows API, or modify the chrome folder.
Summary: Warn me on insertion of new plugins → Method to keep adware and malicious extensions and plugins from being added without our knowledge
Blocks: 219180
Summary: Method to keep adware and malicious extensions and plugins from being added without our knowledge → Method to keep adware and malicious extensions and plugins from being added without user's knowledge
Couldn't the spyware installer just patch out the protection in the Mozilla
executable and then do whatever it likes?
There is no foolproof protection, but anything that would do that is more than
spyware, it's a trojan. The only way to combat that would be to have the
executables register their MD5SUM to a key-encrypted file when first run, and
give the user a tool to check to see if the MD5SUM changed. The user would know
the key, because it'd be in his head, and spyware cannot read minds (yet). This
could actually be made as an extension in and of itself.
This will never work. If the md5sum changes, then what? You're hoping that the extension is still working... but if malware patched the executable it also patched the extension (or wherever the md5sum-validating code was).
What if each browser is given a unique key on install (stored in the app folder where hopefully only root/sysadmin has write priv), and extensions installed through the browser are signed after the user validates the install.

When starting the browser if an unsigned, or incorrectly signed, extension is found, the user is notified/warned, and can choose to delete, or sign, or whatever.

This would be done in the main browser code, not modifiable through anything in the profile directories.  Hopefully the main browser code can be kept somewhere only root/sysadmin can modify.

Just a thought,

lee
Blocks: 346960
No longer blocks: 219180
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.