Closed Bug 818272 Opened 8 years ago Closed 8 years ago

Click on Webpage downloads and RUNS Google Chrome Installer

Categories

(Firefox :: General, defect)

Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 454769

People

(Reporter: rob1weld, Unassigned)

I enjoy Firefox and would not be without but I DO use other Browsers too.

On Webpage https://www.google.com/intl/en/chrome/browser/ there is a [Download] Button (which incorrectly says "For Linux (Debian/Ubuntu/Fedora/openSUSE)") when I try to download Google's Chrome Browser INSTALLER (and think I would SAVE a File).

The BUG (Security Issue) is that when I click on the Webpage's [Download] Button the Web-Installer downloads AND RUNS itself (worse is that the Web-Installer then makes its OWN download Request and downloads ANOTHER Program which it then Autoruns).


The complaint is NOT that I am not getting the END RESULT that I desire and I CAN see what is going on.

The Security Issue is that I clicked on a Link on the Webpage and a Program was downloaded and ran on my Computer (without the opportunity to save the File and possibly Scan for Viruses (not that it would have resulted in anything)) AND that if I went to a "Hostile" Website they COULD force my Computer to download AND RUN any Program they wanted.


Why is that permitted (presumably in ALL cases, I do NOT mind Google doing that but worry about other Websites doing that)?

Thanks.
Group: core-security
Do you have the "Google Update Plugin" installed (check Tools->Add-ons->Plugins)? That plugin is used to enable stuff like this, IIRC.
(In reply to :Gavin Sharp (use gavin@gavinsharp.com for email) from comment #1)
> Do you have the "Google Update Plugin" installed (check
> Tools->Add-ons->Plugins)? That plugin is used to enable stuff like this,
> IIRC.

Yes, the Plugin is installed.

There is an interesting Article about it here: http://www.ghacks.net/2012/07/17/current-version-of-the-google-update-plugin-how-to-remove/


My "Security Concern" remains:

1. Do we want Programs run by the User to install "hostile" Plugins that interfere with the EXPECTED NORMAL operation of the Firefox Browser (without either US or Google warning the User)?

2. Does this Plugin have Bugs or exploits that we want to be a part of harboring (can OTHER Websites use the Plugin)?

3. Can Programs run by the User simply "hack" the Firefox Browser without OUR Browser uttering a peep about it (many Programs check their integrity before running)?

Probably the answer is "Yes", but it should be "NO".



We should check for NEW Plugins and warn the User (like Aurora (usually) does). A simple checksum _could_ work.

This Plugin does not support the concept of "free and open web" but more of monopolization and dictatorship.

Firefox (and most other Browsers AFAIK) do not install such a so-called "helper" Application AND it serves NO PURPOSE (you can download ChromeSetup.exe WITHOUT the Plugin and CHOOSE to run it IF and WHEN you want).



We ought to DISABLE this Plugin by default UNLESS the User specifically enables it in Tools->Add-ons->Plugins, then it is THEIR responsibility and NOT ours.


It is not only the principle of this issue but the security threat posed and the lack of necessity for such an intrusion. We should have no part of it and make (at least simple) efforts to avoid THIS and ANY OTHER similar Browser Hijacking.


I suggest my Security Complaint could be most easily resolved by simply Blacklisting this Plugin for "Disabled by Default". That MAY be sufficient due diligence on OUR part. Anyone wanting to make additional efforts to go a step (or two) further is also welcome. A proper? check like Aurora does (with a BIGGER warning) would be better.
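
The "simple checksum" check proposed in the comment above, as an added example (not code from this bug report or from Firefox): it hashes every file under a plugin directory and compares the result with a saved baseline, reporting new, changed and removed plugin files. The directory contents and the file names `npKnown.dll` and `npExampleUpdate.dll` are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def snapshot(plugin_dirs):
    """Map each plugin file path to the SHA-256 of its contents."""
    digests = {}
    for root_dir in plugin_dirs:
        for dirpath, _dirs, files in os.walk(root_dir):
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff(baseline, current):
    """Return plugin files that are new, changed or removed since the baseline."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current
                          if p in baseline and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: an installer drops a plugin DLL after the baseline."""
    with tempfile.TemporaryDirectory() as plugins:
        known = os.path.join(plugins, "npKnown.dll")
        with open(known, "wb") as fh:
            fh.write(b"known plugin v1")
        # Round-trip through JSON, as if the baseline had been saved to disk.
        baseline = json.loads(json.dumps(snapshot([plugins])))

        dropped = os.path.join(plugins, "npExampleUpdate.dll")  # hypothetical name
        with open(dropped, "wb") as fh:
            fh.write(b"plugin added by a third-party installer")
        with open(known, "wb") as fh:
            fh.write(b"known plugin v2")  # binary replaced without notice

        report = diff(baseline, snapshot([plugins]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

A check like this only covers the directories it is given; plugins registered from locations outside those directories need to be added to the scan list to be noticed.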
The best solution is to not install software from a source that you can not thrust.
I don't have this plugin on my system
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 454769
(In reply to Matthias Versen (Matti) from comment #3)
> The best solution is to not install software from a source that you can not
> thrust.
> I don't have this plugin on my system
> 
> *** This bug has been marked as a duplicate of bug 454769 ***

I agree with the Dupe, I DID search first. 

I was clear in my FIRST Post whether or not I THOUGHT they were tHrustworthy.

The Security Issue is ALSO that ANY OTHER Program can DO THIS, or MIGHT be able to exploit the Plugin.


Thanks for spotting that Matti.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
> The Security Issue is ALSO that ANY OTHER Program can DO THIS, or MIGHT be able to exploit the Plugin.

Any other program that you allow to run on your system can do malicious things on your system.

> I agree with the Dupe
Why have you reopened this bug report?
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 454769