495967 - Unfair software vendors (like Microsoft) could silently install extensions without user permission

Status: RESOLVED DUPLICATE of bug 476430

(Firefox :: Security, enhancement)

Description

[Radist]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Microsoft .NET Framework 3.5 Service Pack 1 silently installed "Microsoft .NET Framework Assistant" extension via registry. Generally, it's not a good practice and also it's a large security hole.
Of course, such way could be useful for administrative installation but a some way of moderating such silent installations should be proposed to end-users who doesn't need such installations.

Reproducible: Always

Steps to Reproduce:
1. Install Firefox, run it once (to create profile) and close.

2.a. Install "Microsoft .NET Framework 3.5 Service Pack 1"
<<< or alternatively >>>
2.b.1. Download *.xpi file for any firefox extension (which could be installed normally) and extract it content into any folder, remember the path where it was installed.
2.b.2. Open registry editor, navigate to HKLM\Software\Mozilla\Firefox\Extensions (create if it doesn't exists) and create the string parameter "your extension name" with value "full\path\to\folder\where\xpi\was\extracted".

3. Run Firefox and open extensions list
Actual Results:  
"Microsoft .NET Framework Assistant" is installed and could not be simply uninstalled.

Expected Results:  
Request for installing "Microsoft .NET Framework Assistant" (at least for those who has write access to HKLM\Software\Mozilla\Firefox\Extensions).

Comment 1

[Wladimir Palant]

This is a duplicate of bug 476430 I think.

Comment 2

[Radist]

oops, sorry