Firefox 3.6 blocks sneaky addons

Computerworld is reporting that the forthcoming Firefox 3.6 will include a feature which disables the ability for other applications to "sneakily" install add-ons without the user's knowledge. One can assume this is in response to Microsoft's sneaky move which installed an add-on without notifying users at all, and in doing so exposed users to malware.

In an email to Computerworld, Johnathan Nightingale, manager of the Firefox front-end development team, said:
"We're doing this for stability and user control. Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users."

Nightingale goes on to say: "Now that those components will be packaged like regular add-ons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems."

Developers will now be required to package their extensions as "regular add-ons", the XPI files that are usually downloaded from Mozilla Add-ons. The new feature locks down the components directory entirely, so all applications will be forced to use the regular XPI install process to install their add-ons, which may create problems for older applications after the change.
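As an added illustration (not code from the article or from Mozilla), the Python script below builds a minimal XPI in memory with a constructed install.rdf that declares the compatibility range Nightingale refers to, then reads that range back the way one might audit add-ons found in a profile; the add-on id is a placeholder, while the application id is Firefox's own.

```python
"""Added example: package a component as a regular XPI and read back the
Firefox compatibility range its install.rdf declares (raw drops into the
components directory carried no such declaration)."""
import io
import zipfile
import xml.etree.ElementTree as ET

FIREFOX_APP_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"  # Firefox application id
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Constructed sample manifest; the add-on id is a placeholder, not a real add-on.
SAMPLE_INSTALL_RDF = f"""<?xml version="1.0"?>
<RDF xmlns="{RDF_NS}" xmlns:em="{EM_NS}">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-component@example.invalid</em:id>
    <em:version>1.0</em:version>
    <em:type>2</em:type>
    <em:name>Example packaged component</em:name>
    <em:targetApplication>
      <Description>
        <em:id>{FIREFOX_APP_ID}</em:id>
        <em:minVersion>3.6</em:minVersion>
        <em:maxVersion>3.6.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
"""


def build_xpi(install_rdf: str) -> bytes:
    """An XPI is a zip archive with install.rdf at its root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf", install_rdf)
        zf.writestr("components/example.js", "// component code would go here\n")
    return buf.getvalue()


def firefox_compat_range(xpi_bytes: bytes):
    """Return (minVersion, maxVersion) declared for Firefox, or None if the
    manifest names no Firefox target (the case Firefox can refuse to load)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        root = ET.fromstring(zf.read("install.rdf"))
    for target in root.iter(f"{{{EM_NS}}}targetApplication"):
        if target.findtext(f".//{{{EM_NS}}}id") == FIREFOX_APP_ID:
            return (target.findtext(f".//{{{EM_NS}}}minVersion"),
                    target.findtext(f".//{{{EM_NS}}}maxVersion"))
    return None


if __name__ == "__main__":
    print(firefox_compat_range(build_xpi(SAMPLE_INSTALL_RDF)))
```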

Nightingale also added: "We'll be working with third-party developers over the next while to help them make the transition to a supported extension mechanism. The main result for users will be less breakage, not more. But one reason we announce this and get it out in betas is to make sure we know what all the major impacts will be before we release it to a couple hundred million users."

Firefox 3.6 Beta 3 is planned for release later today and will include the new lockdown feature. Current beta users will be updated automatically.


RealFduch said,
I still remember those anti-MS guys screaming about "Internet Explorer secretly saving all your visited pages to the hidden Temporary Internet Files". Didn't see much uproar about Google's keylogger/tracker in Firefox though...

What Google keylogger/tracker?

And about IE, you mean \Documents and Settings\<user>\Local Settings\Temporary Internet Files\ (in XP) that gets wiped clean with IE's Delete Browsing History option or is there something else?

Jar of Files said,
What Google keylogger/tracker?

Everything you type in Firefox's address bar is sent to Google even if you deleted it and didn't press Enter. Every URL you visit is sent to Google too (with session IDs etc.). Maybe recent versions behave a bit differently, but it was a real case in the past.

Jar of Files said,
And about IE, you mean \Documents and Settings\<user>\Local Settings\Temporary Internet Files\ (in XP) that gets wiped clean with IE's Delete Browsing History option or is there something else?

Yes, I mean exactly this. But anti-MS people of the time were crying loudly about this, just like they cry today.
Just read this amusing article and have some fun: http://sillydog.org/mshidden.php

RealFduch said,
Everything you type in Firefox's address bar is sent to Google even if you deleted it and didn't press Enter. Every URL you visit is sent to Google too (with session IDs etc.). Maybe recent versions behave a bit differently, but it was a real case in the past.

It looks like you're confusing Firefox with Chrome.
It is true that if you have keyword.enabled set in about:config, it passes data to Google when it is NOT a URL (e.g. no domain-level .* suffix) AND the user has pressed Enter, but you can make it pass it to any site; e.g. I've set my keyword.URL to http://yubnub.org/parser/parse?command=

shhac said,
It looks like you're confusing Firefox with Chrome.
It is true that if you have keyword.enabled set in about:config, it passes data to Google when it is NOT a URL (e.g. no domain-level .* suffix) AND the user has pressed Enter, but you can make it pass it to any site; e.g. I've set my keyword.URL to http://yubnub.org/parser/parse?command=

Download FF 3.5.
Start typing in address bar.
See the spinning thing at the left.
After a moment some google suggestions appear under the address bar.

I assume you mean the search box, since the address bar only searches your history and bookmarks (never leaves your system).

And it doesn't send your visited URLs to Google either (you could configure Firefox 2 to do that, but you can't in 3+).

em_te said,
Will this mean Flash will no longer secretly install itself in Firefox?

+1

And I really wish there was an uninstall button for the broken non-standards-compliant Transformix XML module that Firefox uses and refuses to let go (like XP users clinging to IE6).

em_te said,
Will this mean Flash will no longer secretly install itself in Firefox?

It's not a Microsoft plugin so they'll probably leave it alone.

em_te said,
Will this mean Flash will no longer secretly install itself in Firefox?

I guess I am in the minority and actively sought to install Flash. A bunch of flash-haters here. :P

Anyhow, if Flash is installed without prompting, that would be bad.

However, my experience (on Linux, mind you) was I browsed to a site that used flash, and was prompted that a plugin was needed and to "click here" to install. It should use the same method for Firefox on Windows. If it auto-installs without user authorization, that would be a problem.

This is unrelated to plugins, this was closer to an extension (although such that the 3rd party app was inserting itself as part of Firefox's core)

Excellent. Even safer Firefox is a very good point to get more converts.

I had to manually disable Windows system file protection and then delete a bunch of files from the Windows Media Player folder, Adobe folder, .NET folder and registry to disable all the disgusting cr@p Microsoft installed on it. I also disabled Java Development Toolkit (causes Firefox to lag) and Default Plugin. **** is fast.

Really now?

You had to disable wsfp to delete stuff from the programs folder? How interesting.

I call epic BS on that and on the rest of your post.

Razorfold said,
Really now?

You had to disable wsfp to delete stuff from the programs folder? How interesting.

I call epic BS on that and on the rest of your post.

Don't forget he "deleted the registry" also =)
Now I understand why there is a market for those "fix your registry errors" "tools".
Wait till he finds out that he also has Microsoft Windows installed on his PC.

Razorfold said,
Really now?

You had to disable wsfp to delete stuff from the programs folder? How interesting.

I call epic BS on that and on the rest of your post.

Windows doesn't allow one to just delete its files without consequences. There are two backups for example for WMP11 files. So, simply put, you have to delete the backups to delete the actual file and keep it from coming back. Vista/7 on the other hand just doesn't give you permission to delete the file in the first place. So, either way, it is a pain.

Removing the registry files for addons that silently installed actually doesn't do much. It is more like a precaution.

Firefox seems to just automatically scan and add addons itself, so to disable that, I had to delete the files themselves. There is no uninstall option.

Java Development Toolkit causes lag when loading images on my netbook. I am actually not sure what exactly that addon is for - it is part of the Sun Java SDK and not the JRE.

I have Adobe Flash Player, Foxit, and Sun Java addons enabled atm. I also have two addons disabled - Development Kit and Default Plugin.

Firefox is tweaker's paradise.

Udedenkz said,
Removing the registry files for addons that silently installed actually doesn't do much. It is more like a precaution.

Like you know what "registry files" are and where they are located...

People who mutilate their systems instead of unchecking 1-2 checkboxes in Programs and Features are.... well, time will tell if evolution is still working.

RealFduch said,
Like you know what "registry files" are and where they are located...

People who mutilate their systems instead of unchecking 1-2 checkboxes in Programs and Features are.... well, time will tell if evolution is still working.

Stop trolling. You should be fully aware that if I didn't need .NET or WMP11, etc., I would uninstall them and thus remove the silent Firefox addons.

Only if it does a full on hack which is kind of against the rules for a reputable piece of software.

I'm not saying it won't happen but people like Adobe, Microsoft, Apple etc won't do it.

The browser settings are stored in the user AppData folder so anything you approve can still install whatever it wants there.

mmck said,
Sounds good, but I'm sure running an executable outside of Firefox can still modify its behaviour if it wants.

Yeah, I wonder how they're implementing that.

mmck said,
Sounds good, but I'm sure running an executable outside of Firefox can still modify its behaviour if it wants.

What application is safe from something like that? It's not a bad point though. Perhaps browsers really should run as virtual machines in a protected memory space (and protected on disk) that can't be modified or accessed externally by any other process? That would make some things difficult, like multimedia.

xiphi said,
I doubt that had anything to do with it.

Well, they showed the security hole in Firefox, forcing Mozilla to fix it.

I agree. I don't consider this a Microsoft issue (Other companies were doing the same thing), but I don't think this is a good practice. I'm glad to see Mozilla doing something about this. I wonder what the ramifications will be though? I'm expecting this to be a little messy...

Growled said,
This is long past due. I'm all for it. Thank you Microsoft for helping this come to pass.

Last time I checked you can uninstall .Net Assistant from the Firefox Add-ons dialog.
And you still cannot uninstall Java add-on.

I think this is the best indication that the hype was just another staged anti-MS FUD. The "Uninstall" button was always disabled for add-ons installed without xpi files. This was always the case with Java (and don't forget that the Java add-on is a great threat/nuisance since it runs code from remote servers inside your browser, it slows the browser down and has had a number of vulnerabilities). This wasn't a problem for FF users since there is a "Disable" button for each add-on. Yet when MS installed an add-on for ClickOnce deployment, all hell broke loose.
I still remember those anti-MS guys screaming about "Internet Explorer secretly saving all your visited pages to the hidden Temporary Internet Files". Didn't see much uproar about Google's keylogger/tracker in Firefox though...

When you can't be bothered to look at the facts just scapegoat Microsoft. It's not cool anymore but some people still resort to it.

C_Guy said,
When you can't be bothered to look at the facts just scapegoat Microsoft. It's not cool anymore but some people still resort to it.

While I was looking for the screenshot on the net, the boiling swirling swarm of these idiots really astonished me. It was refreshing to remember that there is no more than 1% of them even though they scream as if they were the 99%. But the possibility of "barbarians ruining Rome/civilization" is quite scary.

Not sure how you two got on your high horse about "uninstall" when the issue being fixed is "stealth install".

It was not a Microsoft issue, but Microsoft's use of this method to install brought attention to a flaw in Firefox that needed fixing. Hence Growled's tongue-in-cheek comment that may have used a bit of sarcastic humor, but in no way placed blame on the bug. Just how their use of this Firefox potential security risk brought enough attention to the matter for Mozilla to fix.

markjensen said,
Not sure how you two got on your high horse about "uninstall" when the issue being fixed is "stealth install".

It was not a Microsoft issue, but Microsoft's use of this method to install brought attention to a flaw in Firefox that needed fixing. Hence Growled's tongue-in-cheek comment that may have used a bit of sarcastic humor, but in no way placed blame on the bug. Just how their use of this Firefox potential security risk brought enough attention to the matter for Mozilla to fix.

It wasn't really a stealth install because you are notified that the add-on has been installed the next time you run Firefox. Unlike the Java add-on somehow.

I'm fine with Growled and my comment wasn't against him, but against the case. I'm just a bit tired of Firefox (and other anti-MS) trolls everywhere. Just wish there was a Fireblock add-on to remove them...

markjensen said,
Not sure how you two got on your high horse about "uninstall" when the issue being fixed is "stealth install".

It was not a Microsoft issue, but Microsoft's use of this method to install brought attention to a flaw in Firefox that needed fixing. Hence Growled's tongue-in-cheek comment that may have used a bit of sarcastic humor, but in no way placed blame on the bug. Just how their use of this Firefox potential security risk brought enough attention to the matter for Mozilla to fix.

There is no "stealth install." The flaw is in Mozilla's court for scanning for and enabling plugins without asking the user. It's no different than installing the Firefox Flash plugin before you install the browser. It'll be picked up and enabled without asking you just like the .NET Assistant. The fact that you can just drop crap in Firefox's app storage folder and have it run in the browser is a huge security flaw.

GreyWolfSC said,
There is no "stealth install." The flaw is in Mozilla's court for scanning for and enabling plugins without asking the user. It's no different than installing the Firefox Flash plugin before you install the browser. It'll be picked up and enabled without asking you just like the .NET Assistant. The fact that you can just drop crap in Firefox's app storage folder and have it run in the browser is a huge security flaw.

Ummm... That is "stealth". Look it up in a dictionary if you need to.

The problem is in Firefox. Just like I said, and you agreed with (but somehow you make it sound like you are correcting me). Unannounced plugin install within the browser is a bad thing.

RealFduch said,
It wasn't really a stealth install because you are notified that the add-on has been installed the next time you run Firefox. Unlike the Java add-on somehow.

Since when was Java stealth installed? People install Java to get Java. No one installed a .NET update to get an unnecessary plugin installed into Firefox without FIRST asking.

It's good Mozilla patched the hole, now this won't happen again!

RealFduch said,
Last time I checked you can uninstall .Net Assistant from the Firefox Add-ons dialog.
And you still cannot uninstall Java add-on.

I think this is the best indication that the hype was just another staged anti-MS FUD. The "Uninstall" button was always disabled for add-ons installed without xpi files. This was always the case with Java (and don't forget that the Java add-on is a great threat/nuisance since it runs code from remote servers inside your browser, it slows the browser down and has had a number of vulnerabilities). This wasn't a problem for FF users since there is a "Disable" button for each add-on. Yet when MS installed an add-on for ClickOnce deployment, all hell broke loose.
I still remember those anti-MS guys screaming about "Internet Explorer secretly saving all your visited pages to the hidden Temporary Internet Files". Didn't see much uproar about Google's keylogger/tracker in Firefox though...

That's only been the case since Firefox pushed an update, FYI.

Owenw said,
That's only been the case since Firefox pushed an update, FYI.

FYI, that assertion is incorrect. The ability to disable or uninstall the .Net Framework Assistant has been in place since at least May (see the MS Update to .NET Framework 3.5 SP1 for the .NET Framework Assistant 1.0 for Firefox on May 6th) if not in fact before.

For the information of all those that didn't read the linked article, I'll quote this...

In actuality, Microsoft did not drop its code into Firefox's components directory, Nightingale confirmed. "The .Net Framework and WPF use our existing extension/plug-in mechanisms, that's why we were able to disable them when they were found to be vulnerable," he said in a follow-up e-mail. "They aren't impacted by this change." Other add-ons aren't as lucky.

Microsoft technically obeyed the extension install rules (they used a registry hack apparently instead), so their plugin won't be affected by this change. The sweet irony is that the Google desktop search will need to be updated for FF3.6 since it does use this technique which is being banned.

So no, you cannot assume that this has anything whatsoever to do with Microsoft in this case.

RealFduch said,
And you still cannot uninstall Java add-on.
Yes you can...
A web page like this one [@ my site = but you can save this page on your hard disk and run it at any time]:
http://www.mdgx.com/plugins.htm
or this one [@ Browser Spy]:
http://browserspy.dk/plugins.php
detects and displays *all* installed Netscape-style plugins [np*.dll] in Firefox, SeaMonkey, Gecko, Mozilla, Netscape and Opera [I have not tested Safari] using plain old JavaScript. [This does not work with Internet Explorer 5.5 SP1 and all newer editions, because MS removed Netscape-style plugin support. :(]
Do a search on all your local drives for those np*.dll files, and rename, move or delete them. ;)
Default location [if your Windows copy is installed in C:\WINDOWS] of Sun Java 1.6.0 (a.k.a. Java SE or JRE 6.0) update xx (current update is 17: http://java.sun.com/javase/downloads/ ) on Windows 9x/NT4/2000/XP/2003 is C:/Program Files/Java/jre6/bin . Look for these 3 files: npdeploytk.dll , npjpi160_16.dll + npoji610.dll .
Then go to: C:/Program Files/Java/jre6/bin/new_plugin and look for npjp2.dll .

Wasn't that hard, was it? ;)

HTH [hope this helps]