extensions can still be installed silently

RESOLVED WONTFIX

Status

Firefox
Security

People

(Reporter: logos, Unassigned)

Tracking

18 Branch
x86_64
Windows 7

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130116073211

Steps to reproduce:

Found that article:
http://www.h-online.com/open/news/item/Silent-installs-of-add-ons-still-possible-in-Firefox-1787297.html

and the source:
http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html

This is a known issue, but it's an attack vector we don't currently plan to address. The 3rd party install notification is to give the user choice and control over legitimate programs that try to install adware/bloatware. For that kind of program, violating programmatic norms of this sort can be addressed by public pressure or lawsuits (e.g. the lawsuit against Google for bypassing Safari's 3rd-party cookie controls).

If you have actual malware running on your system there's really no mechanism that can prevent tampering with user data. At least if we let them do this as the path of least resistance there's a chance it can be discovered -- for example anti-virus tools could watch for non-Firefox processes writing to this file, or the user will notice the add-on they know nothing about. It's also relatively easy to clean up if this is how the malware has hooked in.

Such malware could just as easily modify one of the existing addons and that would be much harder to detect or clean up. Or it could modify other parts of Firefox itself.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WONTFIX
Component: Untriaged → Security
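
The check suggested in the comment above (watching for non-Firefox processes writing to the add-on file) can be sketched as follows. This is an added example, not part of the original bug and not Mozilla's code. The watched file names, the install paths, the event fields `Image` and `TargetFilename`, the function names and the sample events are all assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: file names of the add-on registry inside a Firefox profile.
# The page only says "this file"; these names do not come from it.
WATCHED_NAMES = {"extensions.sqlite", "extensions.json"}

# Assumption: default install locations. Full paths are compared so that a
# binary merely named firefox.exe in another directory is not trusted.
ALLOWED_IMAGES = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files (x86)\mozilla firefox\firefox.exe",
}

PROFILE_RE = re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\[^\\]+$", re.I)

def is_addon_registry(path):
    """True if path is a watched file directly inside a Firefox profile."""
    name = ntpath.basename(path).lower()
    return name in WATCHED_NAMES and PROFILE_RE.search(path) is not None

def flag_foreign_writes(events):
    """Return the events in which a non-Firefox image wrote the registry."""
    return [
        ev for ev in events
        if is_addon_registry(ev["TargetFilename"])
        and ev["Image"].lower() not in ALLOWED_IMAGES
    ]

# Constructed sample events (not real telemetry).
_PROFILE = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default"
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
     "TargetFilename": _PROFILE + r"\extensions.sqlite"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe",
     "TargetFilename": _PROFILE + r"\extensions.sqlite"},
    {"Image": r"C:\Users\alice\Downloads\firefox.exe",
     "TargetFilename": _PROFILE + r"\extensions.json"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\extensions.json"},
]

if __name__ == "__main__":
    for ev in flag_foreign_writes(SAMPLE_EVENTS):
        print("ALERT:", ev["Image"], "->", ev["TargetFilename"])
```

As the comment notes, this only covers the add-on registry as the path of least resistance; it does not detect tampering with an existing add-on or with Firefox itself.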