Slashdot Mirror
Firefox 3.6 Locks Out Rogue Add-ons
CWmike writes "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. Dubbed 'component directory lockdown,' the feature will bar access to Firefox's 'components' directory, where most of the browser's own code is stored. Mozilla has billed the move as a way to boost the stability of its browser. 'We're doing this for stability and user control [reasons],' said Johnathan Nightingale, manager of the Firefox front-end development team. 'Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users ... Now that those components will be packaged like regular add-ons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems.'"
Those components were installed by editing the Windows registry, not 'dropped in' as is discussed here (Firefox looks in various locations to find plug-ins and addons to load).
Nerd rage is the funniest rage.
In the browser wars, people tend to forget sometimes that marketshare is an inherent part of how much your browser will come under attack. Issue's like these, while it's good they're being patched, should have been taken care of a long time ago in anticipation of things to come. Firefox is still my preffered method of browsing, but thats because I am a halfway knowledgeable user that uses adblock, noscript, betterprivacy, use privately encrypted TOR when about (Iron Key) and only allow certain cookies. I used to recommend it to people, but now it seems just as bad (GASP) as IE with a standard install. I agree with jkrise (First Post!), there needs to be something like sub-builds that focus on security. I still like firefox better, as I occasionally evaluate the other browsers, and find them all lacking more than firefox in some areas. Just my two cents of subjective opinion though. Carpe Out.
"It's ok, I'm completely secure as long as my iron is off"
Well, as no one reads the article, this doesn't concern .NET update in any way:
In actuality, Microsoft did not drop its code into Firefox's components directory, Nightingale confirmed. "The .Net Framework and WPF use our existing extension/plug-in mechanisms, that's why we were able to disable them when they were found to be vulnerable," he said in a follow-up e-mail. "They aren't impacted by this change."
The MS plugin is not effected by this. It did things in the proper way, the documented method for adding system wide extensions rather than user level extensions. That is why Mozilla could easily disable the insecure version of the plugin, because it actually followed the rules.
MS just added a registry key that pointed at the files for the extension, which is well documented and used by many other pieces of software to allow plugins to be installed even before Firefox, and allowing any version of Firefox (or Thunderbird or whatever) to find them, even after installation into some random directory.
If you bother to read the article, it says the same. Google Desktop Search on the other hand, doesn't follow the rules and will be blocked unless Mozilla makes a work around for them or Google updates GDS to follow the rules.
This is essentially like not allowing code from anyone other than MS to be dropped into the Windows directory, and requiring it to be put somewhere else and properly registered with the system rather than throwing it in the system32 directory and loading it as if it were trusted code from MS.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
You do get notified when at least some of those methods are used the next time you start Firefox. Pretty sure it's been that way since shortly after the MS plugin fiasco.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
This is different from that. Those are actually packaged as add-ons so this change wouldn't affect them at all.
What Mozilla should do about those IMO is one of two things: 1) Enable the uninstall button for globally installed extensions (IE installed for all users) on Administrator accounts (in Windows; root on Linux... assuming Linux has global extensions) 2) Take steps to prevent or discourage apps from trying to plop extensions down and install them in Firefox without the user's consent. The "official" way for installers to install extensions should be to invoke Firefox with the URL of the XPI. Then the user would get the normal Firefox "Do you want to install this extension?" dialog and they can decide. Of course it would be impossible to fully prevent extensions from being covertly installed, but I think it would be worth the effort to lay down a few roadblocks if only to indicate to extension devs "don't do it this way".
You can't upload such extensions to addons.mozilla.org, thus it isn't likely many people will use it. Right now extensions can only specify up to 3.6.*.
http://slashdot.org/comments.pl?sid=1407593&cid=29776261
link, because "plain old text" turns urls into links
It pays to be obvious, especially if you have a reputation for being subtle.
The addon Mr. Tech Toolkit has this option. Under its options Misc -> XPI install options -> Enable Addons Compatibility checking
Relax. Have a muffin. Enjoy the show. --Slick, Sept 13th, 2007.
> they should have an "approved" list within the browser's data
That's precisely what this fix does.
> as opposed to a "disabled" one
I have no idea why you decided there's such a list. Was it something in the article?
That's assuming you're talking about component loading, not add-ons; from the latter part of your comment it sounds like you're talking about add-ons...
FF less than 3.6
1. Right-click -> New -> Boolean
2. Name: extensions.checkCompatibility
3. Value: false
FF more than or equal to 3.6
extensions.checkcompatibility. is used instead (bug 521905). "" is the application version, including alpha and beta releases but excluding minor version updates. For example: Firefox 3.6b2 -> extensions.checkCompatibility.3.6b Firefox 3.6 -> extensions.checkCompatibility.3.6 and Firefox 3.6.1 -> extensions.checkCompatibility.3.6.
it's all here, did you even look before complaining?
IranAir Flight 655 never forget!
Sure you can. You can wipe sites from the history (and thus from the location database) relatively easily.
You can begin typing, highlight a search result by hovering over it with the mouse, then press the Del key to remove that result.
You can also open the history tab, type something in Search, tab into the search results list, Ctrl-A to select all, and press the Del key to remove all of them.
Finally, you can add the HistoryBlock extension which silently prevents certain sites (domains or subdomains) from being added to the history, recently closed tabs, download manager history, cache, or cookies. Blocked domains or subdomains are hashed, so there is no incriminating list, although having the HistoryBlock extension may be incriminating by itself to some people.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.