From #developers today (snipped irrelevant bits, nicks elided):

<AAA> How exactly is Google Chrome able to install in b10 and run an executable without asking my permission?
<BBB> AAA: Google Update plugin
<BBB> they install that whenever you install any google desktop software
<BBB> gives them 1-click installs via firefox
<AAA> BBB: Argh! You're right, that's installed.
<BBB> scares the hell out of me to think we're one google bug away from a zero-day code execution
<AAA> MWuhaha, and by default it makes it your default browser on update too, haha
<BBB> bz: AFAICT they install the plugin without asking you
<AAA> It's kind of cool though right? You install another browser, and -just in case-, somebody moves away from your product again and moves back to firefox, you install a plugin there, to move them back to your browser :-)

Since this plug-in is explicitly bypassing security features we have (e.g. the fact that we never auto-launch executables) and is installed without user consent, I think we should strongly consider blocklisting it. If the part about it auto-switching the default browser is true, we should even more strongly consider blocklisting it. Can we verify whether that's true?

I'm not sure whether I should file this bug here, or in Core:Plug-ins or in firefox:extcompat. If someone knows, please move as needed.
Let me talk to Google about this.
7 years ago
Closing old blocklist bugs. Please reopen if the problem still exists.
Please reopen. Google Chrome 27.0.1453.110 m installed Google Update 220.127.116.11 in my Firefox 21.0 (= all current versions, on Windows XP, user is admin).
Is this a plugin or an extension being installed?
It is also installed on my Windows 7 at work and I think if I disable it, it becomes enabled again after a while, but I’m not entirely sure.
I don't think we need to blocklist this. Disabled-by-default plugins are coming hopefully in 24, and we don't have evidence that this is actually malicious, just kinda icky.
Sounds good to me. Even if we tried to pursue this, it would take months to actually happen. 24 will probably come sooner than that.
May I suggest a re-open of this? This happened today using up-to-date browsers. Based on the policies at https://wiki.mozilla.org/Blocklisting, it appears this should be a candidate for "Click-to-Run", as the user did not intend to install this, and was not prompted or notified it would be installed. Given Firefox has no trivial method to uninstall plugins (like there is for Extensions), this should be made Click-to-Run.
After some delay, click-to-activate is on by default in Firefox 30 and this plugin is not in the whitelist.