Forgot your password?
typodupeerror
Mozilla Security IT

Firefox 3.6 Locks Out Rogue Add-ons 265

Posted by CmdrTaco
from the and-stay-out dept.
CWmike writes "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. Dubbed 'component directory lockdown,' the feature will bar access to Firefox's 'components' directory, where most of the browser's own code is stored. Mozilla has billed the move as a way to boost the stability of its browser. 'We're doing this for stability and user control [reasons],' said Johnathan Nightingale, manager of the Firefox front-end development team. 'Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users ... Now that those components will be packaged like regular add-ons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems.'"
This discussion has been archived. No new comments can be posted.

Firefox 3.6 Locks Out Rogue Add-ons

Comments Filter:
  • At my company I would like a stripped-down Firefox without features like awesome bar and other bloat. Is there a way to do this, easily?

    Also I have the SmartQ 7 and SmartQ 5 MIDs which are basedon the ARM processor. Thedefault browseris Midori... can I get a Firefox compiled for the ARM to run on that?

    I hink firefox shoudl focus on these and similar issues...

    • by toppavak (943659) on Wednesday November 18, 2009 @11:26AM (#30143998)
      A pony would be nice as well!
    • Re: (Score:2, Funny)

      by Aquaseafoam (1271478)
      • by wed128 (722152)

        Ok i understand not reading the article. I understand not reading the summary. But not reading the post you're replying to?

        slashdot gets more progressive every day.

    • by Shikaku (1129753)

      At my company I would like a stripped-down Firefox without features like awesome bar and other bloat.

      What is the other bloat? On the default install please list everything you'd like to have removed.

    • by Lord Bitman (95493) on Wednesday November 18, 2009 @12:27PM (#30144962) Homepage

      The awesome bar, and most of the other firefox bloat, should be plugins. Firefox had this great plugin architecture which everyone and their dog used- except the firefox devs.
      Why doesn't firefox ship with an array of "default" plugins, all of which can be disabled? There's no need for something like awesomebar to be core, is there?

      • by rliden (1473185)

        I disagree. Most of those features like 'the awesome bar' should be config items not plug-ins/add-ons. So if someone wants a lean FF they can enable/disable those features in config. I would much rather some features be built in rather than a downloadable add-on, but being able to configure the browser without having to go into the about:config system would be something I very much appreciate.

        • I would much rather some features be built in rather than a downloadable add-on

          notice, this wasn't his suggestion (which seems good).

      • by nabsltd (1313397)

        There's no need for something like awesomebar to be core, is there?

        Maybe the full set of functionality isn't required to be in the "core", but I think that you'd have to have some sort of location bar in the core.

        Then, you end up with an add-on either extending or duplicating the existing functionality, either of which can become a problem.

        I think it would be far easier to have the full "awesome bar" as part of the core, but have a real UI that allows users to enable/disable every feature.

      • Because the awsome bar is effectively free give firefox now uses sqlite to store bookmarks, as it can be disabled easily (or you can have an addin to re-theme it to the oldway, but getting rid of the "bloat" can be done with a gui setting)

      • There's no need for something like awesomebar to be core, is there?

        Apparently, this is something the Mozilla folks thought people would like--and, indeed, many do. When used properly, the AwesomeBar nearly lets you forget about bookmarks and history. I really miss this feature in other browsers or in computer labs with older versions of Firefox.

        If you don't like it (or if you're just too set in your ways), you can tweak it do be Firefox 2-ish by changing some preferences--just Google it. Also, there is the oldbar extension [mozilla.org].

    • Re: (Score:3, Insightful)

      by LordSnooty (853791)
      Take source, rewrite source, build.
    • Re: (Score:2, Insightful)

      by anasciiman (528060)

      The code is available and forkable. Why not fix it to your liking and then submit patches?

  • .NET Anyone? (Score:5, Insightful)

    by Daengbo (523424) <.moc.liamg. .ta. .obgnead.> on Wednesday November 18, 2009 @11:18AM (#30143838) Homepage Journal

    Last February, and again in May, Firefox users complained when they found that Microsoft had pushed the .Net Framework Assistant add-on and the Windows Presentation Foundation (WPF) plug-in to their browsers as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update.

    That's the first thing I thought of when I read the summary.

    • Re:.NET Anyone? (Score:4, Insightful)

      by NoYob (1630681) on Wednesday November 18, 2009 @11:21AM (#30143914)
      The first thing I thought of was those Yahoo! toolbars that folks love to slip into every browser.
      • That's what I thought. I wonder what Yahoo! would do if it's software could only be installed by the user, and not by other software. Perhaps they will strike a deal with Microsoft to get back at Firefox.
      • by Anonymous Coward on Wednesday November 18, 2009 @11:56AM (#30144478)

        What do you mean? As far as I know, in all the instances where a toolbar is bundled with some other software, the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox change will make it much harder for us to reach our users.

        • Re:.NET Anyone? (Score:5, Insightful)

          by mqduck (232646) <mqduck@@@mqduck...net> on Wednesday November 18, 2009 @12:37PM (#30145118)

          the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox change will make it much harder for us to reach our users.

          I fail to see the downside for anybody but you, and you make it sound like you clearly deserve it.

        • Re:.NET Anyone? (Score:5, Insightful)

          by Miamicanes (730264) on Wednesday November 18, 2009 @01:03PM (#30145498)

          > What do you mean? As far as I know, in all the instances where a toolbar is bundled with some other
          > software, the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar
          > is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox
          > change will make it much harder for us to reach our users.

          Q. What's the difference between a 'trojan' and 'malware'?

          A. Malware has a EULA.

          I can't even *begin* to emphasize how badly it pisses me off when some app tries to sneak BHOs and plugins into their installer... almost always in ways that someone in a hurry to install the app that's actually *desired* will overlook. I flat-out refuse to ever use Yahoo and Google's toolbars, *precisely* because they have so many people trying to ram them down my throat and trick me into installing them.

        • Re:.NET Anyone? (Score:5, Insightful)

          by andi75 (84413) on Wednesday November 18, 2009 @01:34PM (#30145948) Homepage

          If it's "mentioned in the EULA" it might as well be "on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'". About the same amount of people will be able to read & understand it.

    • Re:.NET Anyone? (Score:5, Informative)

      by maxume (22995) on Wednesday November 18, 2009 @11:25AM (#30143968)

      Those components were installed by editing the Windows registry, not 'dropped in' as is discussed here (Firefox looks in various locations to find plug-ins and addons to load).

      • by Krneki (1192201)

        Those components were installed by editing the Windows registry, not 'dropped in' as is discussed here (Firefox looks in various locations to find plug-ins and addons to load).

        Firefox (or any other browser) should have only one place for addons and plug-ins and this location should be locked with a password, like the OS devices.

        Right now any program (or virus) can add addons to our browsers.

        I'm sick of getting my browser hijacked every time I install a program.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          I'm sick of getting my browser hijacked every time I install a program.

          Maybe you should stop installing malicious software, then.

          There's a perfectly good reason why these apps need to look in multiple locations: different users have different setups.

          It's all well and good to have "one location", until that one location on one person's machine is an administrator-only location that non-privileged users can't edit, meaning they have no ability to customize their use of the software. I don't give a crap what p

          • by schon (31600)

            I'm sick of getting my browser hijacked every time I install a program.

            Maybe you should stop installing malicious software, then.

            But.. but.. how else will I see the dancing bunnies?!?!?!

    • by poetmatt (793785)

      they said they would have a solution, and this is a viable one. That is exactly what I had in mind as well. Like they say, locks keep honest people honest.

    • Yes, and I think that's pretty much what they're taking aim at. They already specifically blacklisted the add-on a while ago, causing huge cheer as well as huge backlash. It seems that with this approach they want a more flexible solution by making sure people can disable stuff they don't want.

    • Re: (Score:3, Informative)

      by The MAZZTer (911996)

      This is different from that. Those are actually packaged as add-ons so this change wouldn't affect them at all.

      What Mozilla should do about those IMO is one of two things: 1) Enable the uninstall button for globally installed extensions (IE installed for all users) on Administrator accounts (in Windows; root on Linux... assuming Linux has global extensions) 2) Take steps to prevent or discourage apps from trying to plop extensions down and install them in Firefox without the user's consent. The "official"

      • by pjt33 (739471)

        1) Enable the uninstall button for globally installed extensions (IE installed for all users) on Administrator accounts (in Windows; root on Linux... assuming Linux has global extensions)

        I think the majority opinion about Linux administrators is probably still that you shouldn't run X as root. Have the button there and use kdesudo / whatever the GNOME equivalent is.

    • by mqduck (232646)

      I'm pretty sure that's the first thing everybody here thought of.

  • User perspective (Score:5, Insightful)

    by omfglearntoplay (1163771) on Wednesday November 18, 2009 @11:19AM (#30143860)

    From a user perspective, this sounds like a good move. Stability problems in Firefox always seems to stem from add-ons or extensions. Lock that crap down, and make the devs code the right way.

    • by fluffy99 (870997) on Wednesday November 18, 2009 @12:44PM (#30145194)

      From a user perspective, this sounds like a good move. Stability problems in Firefox always seems to stem from add-ons or extensions. Lock that crap down, and make the devs code the right way.

      Correction - stability problems in Firefox have always been blamed on add-ons or extensions. Of course the developers always became deaf when people having issues with no plug-ins installed.

      • Re: (Score:3, Insightful)

        Because --safe-mode is too much?

        To get help all I've ever had to do is run the program in --safe-mode and see if the bug is still there (often it's not), personally i like keeping a blank profile and launching it with --no-remote anyway, but --safe-mode isn't that much to ask, given they are normally caused by addons

  • by Voulnet (1630793) on Wednesday November 18, 2009 @11:20AM (#30143882)
    So what would be the effect on Add-on development? Would it make it more difficult to develop them? Would it constrain the Add-on developers?

    Or is this just a method to lock out some Add-on with already known problems?
    • Re: (Score:3, Insightful)

      by socsoc (1116769)
      Hopefully it's gonna lock out add-ons that weren't initiated from within the browser with explicit intention from the user. The MS .NET stuff and the browser addons that get automatically (if you're not paying close attention, which my users never are) added from Adobe Reader, Java, CCleaner, etc.
      • by BitZtream (692029) on Wednesday November 18, 2009 @11:45AM (#30144308)

        The MS plugin is not effected by this. It did things in the proper way, the documented method for adding system wide extensions rather than user level extensions. That is why Mozilla could easily disable the insecure version of the plugin, because it actually followed the rules.

        MS just added a registry key that pointed at the files for the extension, which is well documented and used by many other pieces of software to allow plugins to be installed even before Firefox, and allowing any version of Firefox (or Thunderbird or whatever) to find them, even after installation into some random directory.

        If you bother to read the article, it says the same. Google Desktop Search on the other hand, doesn't follow the rules and will be blocked unless Mozilla makes a work around for them or Google updates GDS to follow the rules.

        This is essentially like not allowing code from anyone other than MS to be dropped into the Windows directory, and requiring it to be put somewhere else and properly registered with the system rather than throwing it in the system32 directory and loading it as if it were trusted code from MS.

        • Re: (Score:3, Insightful)

          by socsoc (1116769)

          I disagree with the "proper way." I do not use .NET and have no wish for that to be in a competitor's browser. To me the proper way is for me seek out a download, preferably through an XPI, but definitely not through Windows/Microsoft Update.

          Although I thought I read it, I didn't see the link to the second page to TFA, so thanks for redirecting me back to it.

        • Re: (Score:2, Insightful)

          by ImYourVirus (1443523)
          If it followed the rules, it would have asked instead of just installing it, quit spewing this shit of 'they did it the right way' obviously not if the user was unaware it was happening and thus didn't want it installed.
    • Re: (Score:3, Insightful)

      by vertinox (846076)

      So what would be the effect on Add-on development? Would it make it more difficult to develop them? Would it constrain the Add-on developers?

      Its the same reason why IE made it easier to develop web pages by tolerating broken HTML code.

      People were using unintended features to make their work easier, but then when the unintended feature was removed then it breaks a lot of things.

      In that respect, the developers should have wrote to spec in the first place rather than taking advantage of loopholes because it mi

    • by natehoy (1608657)

      Net effect: Slight increases in development effort.

      As I understand it, you can install additional functionality into Firefox in one of two ways:

      1. Use the built-in installer. This is the "countdown box" that confirms that you want to install what the software is asking to install. It checks compatibility, and offers the capability of checking for updates and validating compatibility when a new version of Firefox gets installed (and disabling software that has NOT been tested with that specific flavor of

  • Marketshare Issues. (Score:4, Informative)

    by carp3_noct3m (1185697) <slashdotNO@SPAMwarriors-shade.net> on Wednesday November 18, 2009 @11:28AM (#30144026)
    In the browser wars, people tend to forget sometimes that marketshare is an inherent part of how much your browser will come under attack. Issue's like these, while it's good they're being patched, should have been taken care of a long time ago in anticipation of things to come. Firefox is still my preffered method of browsing, but thats because I am a halfway knowledgeable user that uses adblock, noscript, betterprivacy, use privately encrypted TOR when about (Iron Key) and only allow certain cookies. I used to recommend it to people, but now it seems just as bad (GASP) as IE with a standard install. I agree with jkrise (First Post!), there needs to be something like sub-builds that focus on security. I still like firefox better, as I occasionally evaluate the other browsers, and find them all lacking more than firefox in some areas. Just my two cents of subjective opinion though. Carpe Out.
    • Re: (Score:3, Insightful)

      by socsoc (1116769)

      I am a halfway knowledgeable user that uses adblock, noscript, betterprivacy, use privately encrypted TOR when about (Iron Key) and only allow certain cookies.

      Do you really feel this is necessary? Sounds like you are jumping through a lot of hoops and degrading your browsing at the expense of a tin-foil hat.

      • Re: (Score:3, Insightful)

        by carp3_noct3m (1185697)
        Like I said, I only use the TOR on my ironkey when I'm say at class on an open wifi signal. The cookie thing is annoying as hell at first, but, as well as with noscript, once you have gone to the majority of the sites you frequent, its not an issue anymore.
        • Like I said, I only use the TOR on my ironkey when I'm say at class on an open wifi signal.

          What are you doing at class that needs privacy/security from those around you on wifi, but not from an unknown party (the TOR nodes you're routing through)?

          • The TOR nodes I'm routing through are privately encrypted by IronKey and are not public. I am doing work related stuff (I am both a Computer Contractor and Personal Security Contractor).
      • Re: (Score:3, Insightful)

        by TheReaperD (937405)

        Do you really feel this is necessary? Sounds like you are jumping through a lot of hoops and degrading your browsing at the expense of a tin-foil hat.

        If you are doing anything of importance with your browser, yes. If all you do is surf the web all day, then usually, no.

        If you work with online banking, do other forms of commerce online, then you need to treat your web browser like your bank should because it is, by extension, your bank. If any form of VPN connections are used to your work, then you need to treat your computer as a work computer and secure it appropriately. Also, if you surf for porn, you really need to use this as the most nasty ex

    • I am a halfway knowledgeable user that uses adblock, noscript, betterprivacy, use privately encrypted TOR when about (Iron Key) and only allow certain cookies

      And here are us uninformed louts who somehow manage to squeak by without any of these - and no A/V or software firewall to boot - and haven't gotten compromised in over 20 years...

      • It really isn't that simple. You could be running *nix or a mac. You might go to the same 3 sites everyday, but never browse new things. Due to the nature of the ways browsers are installed by default (which you imply you are using) you could get infected by even legitimate websites (who resell adspace to unscrupulous buyers) and not even realize it. With no tools, how do you propose to prevent cross-site scripting attacks, Java-script attacks, etc? I actually don't run a/v on personal systems. But I do run
        • You're forgetting one option: Just because they think they have not been compromised in 20 years does not mean that they haven't. The best exploits are the ones the user never sees. If they don't run any of these tools or their equivalents, how would they ever know if they were compromised unless they were hit with a bad quality exploit (I admit, there's a lot of these) that made itself obvious?

        • Expecting every user to whitelist all of their web content is certainly the most impractical plan ever (and doesn't address the real problem of social engineering anyway).

          Using things like Tor isn't just impractical, it's paranoia.

          How about browser vendors getting their shit together instead? Firefox is a prime example, loudly promoted as "secure", but actually a cheap whore for any DLL someone decides to throw onto your computer. If they focused on building effective sandboxes first rather than "developmen

    • by rsborg (111459)

      ... but thats because I am a halfway knowledgeable user that uses adblock, noscript, betterprivacy, use privately encrypted TOR when about (Iron Key) and only allow certain cookies....

      First time I've heard of betterprivacy, which is VERY cool. Thanks for the tip. (Just a note: it seems, according to the BetterPrivacy addon summary, it will help ALL your browsers because LSO's like flash cookies are cross-browser, so deletion of these will generally make you much harder to track on all browsers as long as y

  • by BitZtream (692029) on Wednesday November 18, 2009 @11:34AM (#30144140)

    Works great, till you have someone like myself, who just specifies that my components are compatible with Firefox 2.* to 10.* so I don't have to worry about a new version claiming my plugin isn't compatible even though it is, which has happened enough in the past that I just don't care anymore.

    Am I wrong? Yes. Is Mozilla wrong? Yes, you never trust the external code to tell you the truth, basic programming 101.

    • Re: (Score:3, Informative)

      by The MAZZTer (911996)
      You can't upload such extensions to addons.mozilla.org, thus it isn't likely many people will use it. Right now extensions can only specify up to 3.6.*.
    • by kalirion (728907)

      Seriously, I wish Firefox gave you the user the option of "Yes, install this extension even though it's not marked as compatible, I ACCEPT FULL RESPONSIBILITY." It's a pain opening the archives and updating the version compatibility values manually.

      • Re: (Score:3, Informative)

        by traycerb (728174)

        The addon Mr. Tech Toolkit has this option. Under its options Misc -> XPI install options -> Enable Addons Compatibility checking

      • Re: (Score:3, Informative)

        FF less than 3.6
        1. Right-click -> New -> Boolean
        2. Name: extensions.checkCompatibility
        3. Value: false

        FF more than or equal to 3.6
        extensions.checkcompatibility. is used instead (bug 521905). "" is the application version, including alpha and beta releases but excluding minor version updates. For example: Firefox 3.6b2 -> extensions.checkCompatibility.3.6b Firefox 3.6 -> extensions.checkCompatibility.3.6 and Firefox 3.6.1 -> ext

    • by Sockatume (732728)

      So, you just have it assume that it's compatible in perpetuity? Even though it might not be? Surely you can see why Mozilla thinks that defeats the whole purpose of having add-ons declare compatibility.

  • prevent developers from sneaking add-ons into the program

    Not that I disapprove of this particular decision, but imagining the Slashdot's reaction to Microsoft implementing a thus-describable feature makes my head spin...

    • by solevita (967690)
      Sounds like Mozilla is securing Firefox; I imagine the average Slashdotter would approve of Microsoft doing to the same to IE. I don' t think this is related to anti-competitive behaviour, it's just ensuring that plugins act as plugins and don't overstep the boundary into application code.
    • I seem to remember that IE 8 does something like this when it's first installed, asking if you want any IE extensions enabled at all, and whether you want IE extensions blocked until you approve them, or something of that nature. But suffice to say that I don't install IE often enough to remember for sure.
    • What, you mean, MS prevent programs from being installed or even piggybacking on other installs?

      I don't know of anyone who'd be against that except the sales/marketing assholes of the world.

      But that's ok. You seem to have a straight head judging from your sig.

    • by Nimey (114278)

      Mozilla isn't a monopoly, unlike Microsoft's operating system business.

  • by Todd Knarr (15451) on Wednesday November 18, 2009 @11:50AM (#30144382) Homepage

    I notice this doesn't extend to plug-ins and extensions found via the various plugins directories and registry keys. If it were me, I'd extend this feature to include saving a list in a locked-down location of all known extensions/add-ons found via the plugin directories and via registry keys. Every time the browser started, if it found a plugin or extension being loaded via the registry or a plugin directory that wasn't on the list, it'd notify the user what the plugin was and ask whether they wanted it enabled or not. That way nothing can get added to the browser without the user knowing and approving of the change.

    Down in the advanced options I'd add a setting to give expert users the additional option of removing the plugin by either removing it's files from the plugins directory it was found in or removing it's registry keys depending on how it was found.

    • You do get notified when at least some of those methods are used the next time you start Firefox. Pretty sure it's been that way since shortly after the MS plugin fiasco.

    • by mounthood (993037)

      Every time the browser started, if it found a plugin or extension being loaded via the registry or a plugin directory that wasn't on the list, it'd notify the user what the plugin was and ask whether they wanted it enabled or not.

      Don't ask me anything. Add-on's and extensions should only be included if you go to a Firefox UI and turn them on. There won't be any stealth additions, and if people really want some plug-in they'll figure it out, and the vendors will help by giving instructions.

      Also, don't ask me about upgrades. Just upgrade the plug-in when starting (and restart if you must), and give me a way to lock an add-on at a particular version.

  • by JustNiz (692889) on Wednesday November 18, 2009 @12:01PM (#30144566)

    The acutal problem is that firefox blindly loads whatever is in that directory.
    Locking the directory is a hack of a solution that others, especially Microsoft will easily find a way around. The proper answer is that Firefox needs to compare components it finds by their signature (checksum and name combo or whatever) with a secure list of components it is authorised by the user to load, before it loads them.
    The other fix firefox needs is to deny installed extensions the ability to prevent the user from uninstalling them (like Microsoft's .NET framework firefox extension did).

    • by Nemyst (1383049)
      Simply put, they should have an "approved" list within the browser's data as opposed to a "disabled" one like they appear to have now. Any new plugin found is disabled until added to the approved list by the user. Sure, it'd probably be possible to edit the list upon installation of said add-on, but that should lock out legitimate developers from doing it (Microsoft wouldn't do that for instance). Malware writers will always find a way I guess.
      • Re: (Score:3, Informative)

        by BZ (40346)

        > they should have an "approved" list within the browser's data

        That's precisely what this fix does.

        > as opposed to a "disabled" one

        I have no idea why you decided there's such a list. Was it something in the article?

        That's assuming you're talking about component loading, not add-ons; from the latter part of your comment it sounds like you're talking about add-ons...

    • by fluffy99 (870997)

      It'd also be nice if verified plug-ins were signed by Mozilla, so the user knew they were safe. Perhaps make use of some of that peer-review that all the OSS folks claim is constantly happening? If it looks kosher, bless it with a digital signature like Microsoft does? Firefox has become a victim of lots of crappy add-ons. Keeping a list of unsafe add-ons would also be helpful (again list MS does).

  • nethack (Score:4, Funny)

    by SnarfQuest (469614) on Wednesday November 18, 2009 @12:16PM (#30144782)

    If it doesn't allow rogue add-ons, does it allow nethack ones?

  • Will this prevent Adobe from installing their mongoloidish "Download Manager" Add-on that's set up to start every time you open a new window instead of just running when you start your browser?
    • by argent (18001)

      Probably not: Firefox still has to handle platform-based plugins written for APIs that predate the Firefox extension framework. I'm sure that Acrobat will keep reinstalling itself, too. :(

  • JavaScript C-Types

    Some add-on authors create binary components not because they want to interact with Firefox at the C++ level, but strictly so that they can make use of third party DLLs. If this is the only reason you are using a binary component instead of JavaScript, take a look at the new JavaScript C-Types support introduced in Firefox 3.6. It allows JavaScript code to load functions from DLLs on windows, and should allow you to eliminate your dependence on binary components entirely. This leads to a b

"Now this is a totally brain damaged algorithm. Gag me with a smurfette." -- P. Buhr, Computer Science 354

Working...