No confirmation for add-on installation




10 years ago
10 years ago


(Reporter: brettwjohnson, Unassigned)


1.9.0 Branch
Windows XP

Firefox Tracking Flags

(Not tracked)



(3 attachments)



10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008070208 Firefox/3.0.1

Although I have the TOOLS-OPTION-SECURITY "Warn me when sites try to install add-ons" the add-on window came up and told me a new add-on had been installed.

No dialogue was presented to request confirmation and no detail was presented on what add-on was installed.

Reproducible: Always

Steps to Reproduce:

Comment 1

10 years ago
This message generally comes up after you install an add-on and restart the browser. So if you installed an add-on in your previous Firefox session, then continued using the browser, closed it and started it again only now - that's when this add-on would actually be installed, and the message would also show up only at that point. If that's not what happened for you, giving us the list of add-ons you have installed (Tools / Add-ons) would be a starting point.

Comment 2

10 years ago
I do not believe I installed any add-ons in a previous browser session.

I *did* however run Microsoft Update just prior to this.  I also updated Firefox recently, but don't recall how recently.  Might have been today, might not.

Extensions - none
Themes - default only
Plug-ins (top to bottom) (no way to get a text list, I can cut & paste?)
Adobe Acrobat
Java Platform SE
Microsoft DRM
Mozilla Default Plug-in
Windows Media Player Plug-in DLL

Interestingly enough the last time I looked Flash Player was listed (disabled), now it no longer shows up.  Is this more Flash Player malware bypassing the ability of the browser to lock it out?  As a test I went to (a flash enabled site).  Sure enough everything displays, so Flash Player is loaded, but Firefox is not listing it as an add-on - apparently bypassing the browser control.  Either it's malware or it's using a private API?

I will add from a security perspective, IMHO the default for updating add-ons should be FALSE.  I *always* uncheck these, but periodically after an update the auto update gets re-enabled.

Comment 3

10 years ago
Did the initial dialog tell you what new add-on had just been installed?

Comment 4

10 years ago
No.  IIRC the window had a line at the top saying "A new add-on has been installed.  X"  Below that there was nothing listed.


10 years ago
Summary: No confirmation for add-on → No confirmation for add-on installation

Comment 5

10 years ago
Does somebody know whether this window is also shown for installations outside of Firefox? E.g. if an add-on is installed via Windows registry or by unpacking the add-on to the extensions directory "manually". Would be one possible explanation - malware already active on computer and using the "hidden" flag to hide its extensions.

Comment 6

It is shown for all new add-on installs, even by third party applications. There are also a couple of problem cases which I haven't been able to properly identify where it pops up on its own. I have a suspicion of what this one is about though.

Brett, please can you attach copies of extensions.log, extensions.ini, extensions.cache and extensions.rdf from your profile folder to this bug report. If some of them don't exist let me know.
Component: Security → Add-ons Manager
Product: Firefox → Toolkit
QA Contact: firefox → extension.manager
Version: unspecified → 1.9.0 Branch

Comment 7

10 years ago
Created attachment 332646 [details]
extensions.ini file for debug

Comment 8

10 years ago
Created attachment 332647 [details]
extension.cache for debug

Comment 9

10 years ago
Created attachment 332648 [details]
extension.rdf for debug

Comment 10

10 years ago
Folder path:
C:\Documents and Settings\Brett W. Johnson\Application Data\Mozilla\Firefox\Profiles\fsk8z27s.default\


Had to unhide all the system files, since MS doesn't believe users should see this stuff.

I will attach these files.
Attachment #332646 - Attachment description: extension file for debug → extensions.ini file for debug
Attachment #332646 - Attachment mime type: application/octet-stream → text/plain
Attachment #332647 - Attachment mime type: application/octet-stream → text/plain

OK, this is bug 439681. The Java runtime installs a hidden Java Console extension.
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 439681
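
An added example, not part of the bug thread and not Mozilla's code: a triage check for the case discussed in comments 5 and 6 and in the resolution, listing add-on directories that extensions.ini registers from outside the profile folder. The file layout (`[ExtensionDirs]` and `[ThemeDirs]` sections holding `ExtensionN=<directory>` entries), the sample paths and the function names are assumptions.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample (not the reporter's attachment). Assumed layout:
# [ExtensionDirs]/[ThemeDirs] sections holding ExtensionN=<directory> entries.
SAMPLE_INI = r"""
[ExtensionDirs]
Extension0=C:\Profiles\example.default\extensions\{11111111-0000-0000-0000-000000000001}
Extension1=C:\Program Files\Mozilla Firefox\extensions\{22222222-0000-0000-0000-000000000002}
Extension2=C:\Program Files\ExampleVendor\ff-ext

[ThemeDirs]
Extension0=c:\program files\mozilla firefox\extensions\{33333333-0000-0000-0000-000000000003}
"""

def _under(path, base):
    # PureWindowsPath compares case-insensitively, as Windows paths do.
    return path == base or base in path.parents

def classify_addon_dirs(ini_text, profile_dir, app_dir):
    """Return (section, key, origin, path) for each registered add-on directory."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case (Extension0, not extension0)
    parser.read_string(ini_text)
    profile, app = PureWindowsPath(profile_dir), PureWindowsPath(app_dir)
    rows = []
    for section in ("ExtensionDirs", "ThemeDirs"):
        if not parser.has_section(section):
            continue
        for key, value in parser.items(section):
            path = PureWindowsPath(value.strip())
            if _under(path, profile):
                origin = "profile"      # lives inside this profile folder
            elif _under(path, app):
                origin = "application"  # lives inside the Firefox install directory
            else:
                origin = "external"     # outside both, e.g. put there by another installer
            rows.append((section, key, origin, str(path)))
    return rows

def not_user_installed(rows):
    """Entries that are not in the profile and deserve a manual look."""
    return [r for r in rows if r[2] != "profile"]

if __name__ == "__main__":
    rows = classify_addon_dirs(SAMPLE_INI, r"C:\Profiles\example.default",
                               r"C:\Program Files\Mozilla Firefox")
    for section, key, origin, path in not_user_installed(rows):
        print(f"{origin:12} {section}/{key}: {path}")
```

Entries reported as `application` or `external` are the ones a third-party installer could have registered without the user acting inside Firefox.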