Firefox 3.6 Locks Out Rogue Add-ons

Posted by CmdrTaco
from the and-stay-out dept.
CWmike writes "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. Dubbed 'component directory lockdown,' the feature will bar access to Firefox's 'components' directory, where most of the browser's own code is stored. Mozilla has billed the move as a way to boost the stability of its browser. 'We're doing this for stability and user control [reasons],' said Johnathan Nightingale, manager of the Firefox front-end development team. 'Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users ... Now that those components will be packaged like regular add-ons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems.'"
  • .NET Anyone? (Score:5, Insightful)

    by Daengbo (523424) <.moc.liamg. .ta. .obgnead.> on Wednesday November 18, 2009 @11:18AM (#30143838) Homepage Journal

    Last February, and again in May, Firefox users complained when they found that Microsoft had pushed the .Net Framework Assistant add-on and the Windows Presentation Foundation (WPF) plug-in to their browsers as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update.

    That's the first thing I thought of when I read the summary.

  • User perspective (Score:5, Insightful)

    by omfglearntoplay (1163771) on Wednesday November 18, 2009 @11:19AM (#30143860)

    From a user perspective, this sounds like a good move. Stability problems in Firefox always seem to stem from add-ons or extensions. Lock that crap down, and make the devs code the right way.

  • Re:.NET Anyone? (Score:4, Insightful)

    by NoYob (1630681) on Wednesday November 18, 2009 @11:21AM (#30143914)
    The first thing I thought of was those Yahoo! toolbars that folks love to slip into every browser.
  • by socsoc (1116769) on Wednesday November 18, 2009 @11:26AM (#30144002)
    Hopefully it's gonna lock out add-ons that weren't initiated from within the browser with explicit intention from the user. The MS .NET stuff and the browser addons that get automatically (if you're not paying close attention, which my users never are) added from Adobe Reader, Java, CCleaner, etc.
  • by vertinox (846076) on Wednesday November 18, 2009 @11:29AM (#30144034)

    So what would be the effect on Add-on development? Would it make it more difficult to develop them? Would it constrain the Add-on developers?

    It's the same reason why IE made it easier to develop web pages by tolerating broken HTML code.

    People were using unintended features to make their work easier, but then when the unintended feature was removed then it breaks a lot of things.

    In that respect, the developers should have written to spec in the first place rather than taking advantage of loopholes, because it might get fixed one day.

  • by BitZtream (692029) on Wednesday November 18, 2009 @11:34AM (#30144140)

    Works great, till you have someone like myself, who just specifies that my components are compatible with Firefox 2.* to 10.* so I don't have to worry about a new version claiming my plugin isn't compatible even though it is, which has happened enough in the past that I just don't care anymore.

    Am I wrong? Yes. Is Mozilla wrong? Yes, you never trust the external code to tell you the truth, basic programming 101.

  • by socsoc (1116769) on Wednesday November 18, 2009 @11:36AM (#30144154)

    I am a halfway knowledgeable user that uses adblock, noscript, betterprivacy, use privately encrypted TOR when about (Iron Key) and only allow certain cookies.

    Do you really feel this is necessary? Sounds like you are jumping through a lot of hoops and degrading your browsing at the expense of a tin-foil hat.

  • Re:.NET Anyone? (Score:1, Insightful)

    by Anonymous Coward on Wednesday November 18, 2009 @11:40AM (#30144226)

    If it wants to install something totally unrelated it is a sure sign that you shouldn't use this software.

    In that context, I search a PDF reader for Windows with print capability.
    Acrobat: See above
    Foxit: See above
    Sumatra: Converts to image for printing -> SLOW

  • by Todd Knarr (15451) on Wednesday November 18, 2009 @11:50AM (#30144382) Homepage

    I notice this doesn't extend to plug-ins and extensions found via the various plugins directories and registry keys. If it were me, I'd extend this feature to include saving a list in a locked-down location of all known extensions/add-ons found via the plugin directories and via registry keys. Every time the browser started, if it found a plugin or extension being loaded via the registry or a plugin directory that wasn't on the list, it'd notify the user what the plugin was and ask whether they wanted it enabled or not. That way nothing can get added to the browser without the user knowing and approving of the change.

    Down in the advanced options I'd add a setting to give expert users the additional option of removing the plugin by either removing its files from the plugins directory it was found in or removing its registry keys, depending on how it was found.

  • by Anonymous Coward on Wednesday November 18, 2009 @11:51AM (#30144400)

    It was supposed to be a stripped down browser, instead of the bloat of the full Mozilla. And, when they started, they were close. But now they seem to be heading back in the other direction.

  • by carp3_noct3m (1185697) <slashdot@nOSpam.warriors-shade.net> on Wednesday November 18, 2009 @11:54AM (#30144440)
    Like I said, I only use the TOR on my ironkey when I'm, say, at class on an open wifi signal. The cookie thing is annoying as hell at first, but, as with noscript, once you have gone to the majority of the sites you frequent, it's not an issue anymore.
  • by TheReaperD (937405) on Wednesday November 18, 2009 @11:54AM (#30144458)

    Do you really feel this is necessary? Sounds like you are jumping through a lot of hoops and degrading your browsing at the expense of a tin-foil hat.

    If you are doing anything of importance with your browser, yes. If all you do is surf the web all day, then usually, no.

    If you work with online banking, do other forms of commerce online, then you need to treat your web browser like your bank should because it is, by extension, your bank. If any form of VPN connections are used to your work, then you need to treat your computer as a work computer and secure it appropriately. Also, if you surf for porn, you really need to use this as the most nasty exploits are routinely found on these sites. Since a majority of people do the first and/or third they now go in the category of needing to secure their browsers.

  • by socsoc (1116769) on Wednesday November 18, 2009 @11:57AM (#30144500)

    I disagree with the "proper way." I do not use .NET and have no wish for that to be in a competitor's browser. To me the proper way is for me seek out a download, preferably through an XPI, but definitely not through Windows/Microsoft Update.

    Although I thought I read it, I didn't see the link to the second page to TFA, so thanks for redirecting me back to it.

  • by ImYourVirus (1443523) on Wednesday November 18, 2009 @11:58AM (#30144512)
    If it followed the rules, it would have asked instead of just installing it, quit spewing this shit of 'they did it the right way' obviously not if the user was unaware it was happening and thus didn't want it installed.
  • by JustNiz (692889) on Wednesday November 18, 2009 @12:01PM (#30144566)

    The actual problem is that Firefox blindly loads whatever is in that directory.
    Locking the directory is a hack of a solution that others, especially Microsoft will easily find a way around. The proper answer is that Firefox needs to compare components it finds by their signature (checksum and name combo or whatever) with a secure list of components it is authorised by the user to load, before it loads them.
    The other fix firefox needs is to deny installed extensions the ability to prevent the user from uninstalling them (like Microsoft's .NET framework firefox extension did).
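
The checksum allowlist JustNiz proposes (and the known-component list Todd Knarr describes further up) as an added example; this is not code from the page or from Mozilla, and the file names, bytes and hashes are constructed for the demo:

```python
# Added example (not Mozilla's code): the checksum allowlist proposed above.
# Record the name and SHA-256 of every component the user approved; at
# startup, load only files whose (name, hash) pair is on that list.
# File names, bytes and the allowlist are constructed; the real loader is not modelled.
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large components need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_components(components_dir: str, allowlist: dict) -> dict:
    """Return {filename: 'allowed' | 'modified' | 'unknown'}; 'modified' is
    what a name-only check or a self-declared version range would silently
    accept: approved name, changed bytes."""
    verdicts = {}
    for name in sorted(os.listdir(components_dir)):
        path = os.path.join(components_dir, name)
        if not os.path.isfile(path):
            continue
        if name not in allowlist:
            verdicts[name] = "unknown"
        elif allowlist[name] != sha256_of(path):
            verdicts[name] = "modified"
        else:
            verdicts[name] = "allowed"
    return verdicts


def loadable(verdicts: dict) -> list:
    """Only byte-for-byte approved components load; the rest get reported."""
    return [name for name, v in verdicts.items() if v == "allowed"]


def demo() -> dict:
    """Build a constructed components directory and run the check on it."""
    d = tempfile.mkdtemp()
    files = {  # constructed sample components, not real Firefox files
        "browser-glue.js": b"// shipped with the browser\n",
        "session-store.js": b"// shipped, later altered by an installer\n",
        "third-party-drop.js": b"// dropped in by an unrelated update\n",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    allowlist = {  # hashes recorded when the user approved the install
        "browser-glue.js": sha256_of(os.path.join(d, "browser-glue.js")),
        "session-store.js": hashlib.sha256(b"// original bytes\n").hexdigest(),
    }
    return classify_components(d, allowlist)
```

Run `demo()`: the untouched component is allowed, the altered one is flagged as modified and the dropped-in file as unknown, so neither of the latter two reaches `loadable()`.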

  • Re:.NET Anyone? (Score:3, Insightful)

    by Anonymous Coward on Wednesday November 18, 2009 @12:11PM (#30144712)

    I'm sick of getting my browser hijacked every time I install a program.

    Maybe you should stop installing malicious software, then.

    There's a perfectly good reason why these apps need to look in multiple locations: different users have different setups.

    It's all well and good to have "one location", until that one location on one person's machine is an administrator-only location that non-privileged users can't edit, meaning they have no ability to customize their use of the software. I don't give a crap what people install on their machines under their accounts because they're running with few privileges and can only mess up their own setup. I don't want to have to start manually tweaking permissions on some shared add-ons folder every time somebody wants a new tool added to their instances of Firefox.

    Just because you choose to keep installing viruses and junkware that messes up your machine doesn't mean the rest of us should have to suffer through endless security configuration headaches.

  • Re:.NET Anyone? (Score:5, Insightful)

    by trevdak (797540) on Wednesday November 18, 2009 @12:34PM (#30145078) Homepage
    Regardless, there should've been a prompt to ask if you wanted to install it, and there damn well should be a working uninstall button.
  • by LordSnooty (853791) on Wednesday November 18, 2009 @12:37PM (#30145116)
    Take source, rewrite source, build.
  • Re:.NET Anyone? (Score:5, Insightful)

    by mqduck (232646) <mqduck@@@mqduck...net> on Wednesday November 18, 2009 @12:37PM (#30145118)

    the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox change will make it much harder for us to reach our users.

    I fail to see the downside for anybody but you, and you make it sound like you clearly deserve it.

  • Re:Open source (Score:2, Insightful)

    by maxwell demon (590494) on Wednesday November 18, 2009 @12:43PM (#30145184) Journal

    They don't disable installing the plugins, they disable installing them the wrong way.
    And of course, you can always get the Firefox source and disable the check, if you really want.

  • by fluffy99 (870997) on Wednesday November 18, 2009 @12:44PM (#30145194)

    From a user perspective, this sounds like a good move. Stability problems in Firefox always seem to stem from add-ons or extensions. Lock that crap down, and make the devs code the right way.

    Correction - stability problems in Firefox have always been blamed on add-ons or extensions. Of course the developers always became deaf when people having issues with no plug-ins installed.

  • by Reapman (740286) on Wednesday November 18, 2009 @12:46PM (#30145204)

    Tired of reading these sorts of comments. Sure there's some "bloat", but what that bloat is varies by opinion. I've read where supporting CSS is "bloat". Graphics are "bloat". tabs are "bloat". RSS. etc.

    My understanding (and please tell me if I'm wrong) is the point of Firefox was to supply a WEB BROWSER. Back then when you downloaded it you also got an email program, news reader, wysiwyg website builder, etc. Firefox was JUST a browser. Still is.

    If you REALLY want where everything is an option go build it yourself. Have something where you choose which renderer you want (Moz's, Webkit, etc), whether or not to have tabs, allow plugins, command line version, etc. Hit next a few times and presto your very own browser.

  • by anasciiman (528060) on Wednesday November 18, 2009 @12:47PM (#30145236) Homepage

    The code is available and forkable. Why not fix it to your liking and then submit patches?

  • by gbjbaanb (229885) on Wednesday November 18, 2009 @01:00PM (#30145456)

    But it isn't a .NET addon. It's a Firefox addon.

    So you should be perfectly able to install any .NET update from WU safe in the knowledge that it is not affecting your non-.NET applications, like Firefox.

  • Re:.NET Anyone? (Score:5, Insightful)

    by Miamicanes (730264) on Wednesday November 18, 2009 @01:03PM (#30145498)

    > What do you mean? As far as I know, in all the instances where a toolbar is bundled with some other
    > software, the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar
    > is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox
    > change will make it much harder for us to reach our users.

    Q. What's the difference between a 'trojan' and 'malware'?

    A. Malware has a EULA.

    I can't even *begin* to emphasize how badly it pisses me off when some app tries to sneak BHOs and plugins into their installer... almost always in ways that someone in a hurry to install the app that's actually *desired* will overlook. I flat-out refuse to ever use Yahoo and Google's toolbars, *precisely* because they have so many people trying to ram them down my throat and trick me into installing them.

  • Re:.NET Anyone? (Score:5, Insightful)

    by andi75 (84413) on Wednesday November 18, 2009 @01:34PM (#30145948) Homepage

    If it's "mentioned in the EULA" it might as well be "on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'". About the same amount of people will be able to read & understand it.

  • by RiotingPacifist (1228016) on Wednesday November 18, 2009 @01:57PM (#30146284)

    Because --safe-mode is too much?

    To get help, all I've ever had to do is run the program in --safe-mode and see if the bug is still there (often it's not). Personally I like keeping a blank profile and launching it with --no-remote anyway, but --safe-mode isn't that much to ask, given they are normally caused by addons.

  • Re:.NET Anyone? (Score:3, Insightful)

    by Catiline (186878) <akrumbach@gmail.com> on Wednesday November 18, 2009 @04:49PM (#30148404) Homepage Journal

    In my opinion, the missing uninstall button is a Firefox problem. How could they let you install software and list it as installed software, but provide no method to uninstall?

    Simple. Go to your FF address bar and type file:///C: then click on Program Files. You will be faced with a long list of software that FF is claiming is installed on your system, but can't just uninstall.

    What a textbook example of a strawman argument! Firefox was not intended to manage software installed to "C:\Program Files\" and presumably was not used to install any of these programs (Firefox itself excepted). What the GP is complaining about is the ability of add-ins for Firefox to disable the internal Firefox un-installation command. If you had followed the previous [slashdot.org] stories [slashdot.org], you'd know that already.

    Maybe you also think that all the viruses and rootkits and trojans Windows gets from the web are a Firefox problem too?

    When a virus, rootkit, trojan or other form of malware gets installed due to a flaw in the design of Firefox, then that flaw is a problem Firefox should address. However, this is such a small percentage of the above listed programs that your question can be answered "no" with reasonable levels of honesty.

  • by Anonymous Coward on Wednesday November 18, 2009 @08:02PM (#30150920)

    Few things annoy me more than having a piece of software I install on my PC start fscking with other programs from other vendors. I found out some malicious program slipped a MS DRM plugin into my Firefox on my XP netbook (ALL DRM is malicious). I have to use Windows on the netbook for accessibility purposes because the magnifiers for Linux perform terribly on the thing. That doesn't give MS the right to infect my browser as part of their crusade to control the Internet.

    So, in a world where we can't even trust the proprietary OS that we disabled folks are forced to run, thanks for taking steps to protect us from it, Mozilla.

  • Re:WHAT!!??!! (Score:2, Insightful)

    by Runaway1956 (1322357) * on Thursday November 19, 2009 @12:15PM (#30157846) Homepage Journal

    Wait - you think that an ex-cheerleader and ex-beauty queen is qualified to be POTUS? A woman who was caught up in scandal while serving PART of a term as governor? The same woman who QUIT HER JOB as governor, so she would have time to write a book? THAT Sarah Palin? PUH-LEASE!!!!

    Be honest - Palin's strongest point is her looks, and her second strongest is her faith in God. What else can she bring to the (arguably) most powerful office in the world? Please, don't ask me to vote for her cup size. I'm as lecherous as any 50 year old, but those mams won't do us any good at all when the shit hits the fan.
