User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
IANAH (H for hacker), but there seems to be an opportunity for hacking in the extension mechanism: I can only install software from "allowed sites", but what if some virus/malware has changed my HOSTS file, or someone else has polluted my DNS? update.mozilla.org (or any other "allowed" site) can be referred to any other IP address. There are many possible solutions (I have a few ideas) - but please verify my concerns before. I'm checking the "security" box in the hope to get quick [in]validation quietly.
Reproducible: Always
Steps to Reproduce: 1. 2. 3.
Before anyone comments on it, I just want to say that the main problem with this bug is that it gives, in a way, a false sense of security - something like: "I only have trusted sites on my list, I am safe".
What's the concrete problem? update.mozilla.org is just a normal website (or not?), with special privilege to *propose* installations. The user still gets the scary confirmation dialog. The whitelist was just an additional layer of protection. The above is not true, if Firefox makes some other assumption in the code and implicitly trusts update.mozilla.org. In that case, you would be right, but the hole would be pretty obvious to anybody who knows the slightest bit about security (so no need to hide the bug). But I hope that's not the case, because I hope the Firefox guys know enough about security to not trust http. If anybody knows for sure, either way, please say so.
This is a valid concern that we have already addressed: Access update.mozilla.org (umo) through https and you can be sure you are talking to the real deal. Firefox bases its built-in update checks on information it gets from umo, but it communicates over SSL, and if updates are available it sends you to the SSL version of umo. Ditto if you open the extension dialog and click on the "Get more extensions" link. If you are surfing on your own and visit the unsecure version of umo then you are running the same risks millions of people do getting software from http://download.com.com. DNS spoofing is rare, but Firefox has done what it can to avoid even that problem by using SSL. [You can, in fact, install software from any site. Just as you can download an executable and run it, you can download a .xpi from any site and drop it onto a browser window to run it. Both actions incur exactly the same risks.]
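
Added example, not part of the bug discussion and not Firefox code: a sketch of the point made in this thread, that an allowlist entry matched by hostname alone is only as trustworthy as name resolution, while the same entry reached over https is bound to the site's certificate. The function names and the sample URLs are assumptions constructed for illustration; only update.mozilla.org comes from the thread.

```javascript
// Hypothetical allowlist holding the one host named in the thread.
const ALLOWED_HOSTS = new Set(["update.mozilla.org"]);

// Naive check: the hostname is on the list. A changed HOSTS file or a
// polluted DNS answer satisfies this, because nothing proves who answered.
function hostOnlyCheck(rawUrl) {
  try {
    return ALLOWED_HOSTS.has(new URL(rawUrl).hostname);
  } catch {
    return false;
  }
}

// Stricter check: the hostname is on the list AND the page was fetched over
// https, so the TLS layer has already validated a certificate for that name.
// This function does not perform TLS itself; it relies on the client having
// refused the connection if certificate validation failed.
function classifyInstallSource(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  // URL.hostname is lowercased and excludes userinfo and port, so
  // "https://update.mozilla.org@other.example/" parses as other.example.
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  if (!ALLOWED_HOSTS.has(host)) {
    return { allowed: false, reason: "host not on allowlist" };
  }
  if (url.protocol !== "https:") {
    return { allowed: false, reason: "allowlisted name, unauthenticated origin" };
  }
  return { allowed: true, reason: "allowlisted host over TLS" };
}

// Constructed sample URLs (example.net is a reserved documentation domain).
const samples = [
  "https://update.mozilla.org/extensions/",
  "http://update.mozilla.org/extensions/",
  "https://update.mozilla.org.example.net/",
  "https://update.mozilla.org@example.net/x.xpi",
];
for (const s of samples) {
  const r = classifyInstallSource(s);
  console.log(`${s} -> hostOnly=${hostOnlyCheck(s)} strict=${r.allowed} (${r.reason})`);
}
```

The second sample is the case raised in the report: the hostname matches the list, but over plain http that match says nothing about which server actually answered.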