Closed Bug 495830 Opened 12 years ago Closed 12 years ago

Mozilla should report add-ons not installed by the user


(Firefox :: Security, defect)

Windows Vista
Not set





(Reporter: david.kelk, Unassigned)


User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2009042316 Firefox/3.0.10 (.NET CLR 4.0.20506)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2009042316 Firefox/3.0.10 (.NET CLR 4.0.20506)

Related to bug 446139:

Applications can be added to Mozilla/Firefox as part of (any) program installation.  The user has no control over this as it's done silently during the larger install.
(446139 specifically talks about the .NET Framework Assistant.)

Firefox should report to the user any add-ons that are installed without their explicit consent.  Post #8 in 446139 gives a reason why.  (Full paragraph quoted
for context.):

"While the add-on is enabled though it is able to make changes that can still be
in effect after the add-on is disabled. It could set cookies for example that
continue to be sent, it could also change core preferences that affect how
Firefox operates. This however is no different to what would happen if the
add-on were uninstalled, those cookies/prefs would still be there so I don't
think it really has much bearing on this bug."

By alerting the user to this unauthorized/drive-by addition, they have the
option to learn more about it and disable/uninstall it if they so choose.

This is different from 446139 because the suggestion is to alert users only.  Uninstalling, as is pointed out in 446139, isn't as easy as it sounds.

Reproducible: Always

Steps to Reproduce:
1.  Install some release of .NET earlier than .NET Framework 3.5 SP1
2.  Open "Tools -> Addons" click the extensions tab
3.  Observe the Microsoft .NET Framework Assistant was silently installed without
your consent or you even being alerted
Actual Results:  
Add-ons can be installed without my knowledge and consent.  I'm not even warned it's happening.

Expected Results:  
I believe Mozilla should warn me that add-ons/plugins have been added without my consent.  Even if Mozilla can't/shouldn't do anything about it, I should know so I can learn what it/they do and remove it if I so choose.

Could trojans or something exploit this?  (I'm not sure.)
Closed: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 476430
You need to log in before you can comment on or make changes to this bug.