Consider blocklisting the Google Update plug-in

RESOLVED WONTFIX

Status

Toolkit
Blocklisting
7 years ago
2 years ago

People

(Reporter: bz, Assigned: shaver)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

From #developers today (snipped irrelevant bits, nicks elided):

<AAA> How exactly is Google Chrome able to install in b10 and run an 
      executable without asking my permission?
<BBB> AAA: Google Update plugin
<BBB> they install that whenever you install any google desktop software
<BBB> gives them 1-click installs via firefox
<AAA> BBB: Argh! You're right, that's installed.
<BBB> scares the hell out of me to think we're one google bug away from a
      zero-day code execution
<AAA> MWuhaha, and by default it makes it your default browser on update too,
      haha
<BBB> bz: AFAICT they install the plugin without asking you
<AAA> It's kind of cool though right? You install another browser, and -just
      in case-, somebody moves away from your product again and moves back to
      firefox, you install a plugin there, to move them back to your
      browser :-)

Since this plug-in is explicitly bypassing security features we have (e.g. the fact that we never auto-launch executables) and is installed without user consent, I think we should strongly consider blocklisting it.

If the part about it auto-switching the default browser is true, we should even more strongly consider blocklisting it.  Can we verify whether that's true?

I'm not sure whether I should file this bug here, or in Core:Plug-ins or in firefox:extcompat.  If someone knows, please move as needed.
Let me talk to Google about this.
Assignee: nobody → shaver
Summary: Consider blocklisting the Google Update plug-ing → Consider blocklisting the Google Update plug-in
Closing old blocklist bugs. Please reopen if the problem still exists.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX

Comment 3

5 years ago
Please reopen. Google Chrome 27.0.1453.110 m installed Google Update 1.3.21.145 in my Firefox 21.0 (= all current versions, on Windows XP, user is admin).
Is this a plugin or an extension being installed?
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

Comment 5

5 years ago
A plugin.

Comment 6

5 years ago
It is also installed on my Windows 7 at work and I think if I disable it, it becomes enabled again after a while, but I’m not entirely sure.

Comment 7

5 years ago
I don't think we need to blocklist this. Disabled-by-default plugins are coming hopefully in 24, and we don't have evidence that this is actually malicious, just kinda icky.
Sounds good to me. Even if we tried to pursue this, it would take months to actually happen. 24 will probably come sooner than that.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX

Comment 9

4 years ago
May I suggest a re-open of this? This happened today using up-to-date browsers.

Based on the policies at:

https://wiki.mozilla.org/Blocklisting

It appears this should be a candidate for "Click-to-Run" as the user did not intend to install this, and was not prompted or notified it would be installed. Given Firefox has no trivial method to uninstall plugins (like there is for Extensions) this should be made Click-to-Run.

Comment 10

4 years ago
After some delay, click-to-activate is on by default in Firefox 30 and this plugin is not in the whitelist.
Product: addons.mozilla.org → Toolkit