Mozilla plans to prevent third party programs from installing Firefox add-ons without the express approval of users and will start displaying confirmation dialogs beginning with Firefox 8.
"These add-ons installed by third parties present a number of problems: they can slow down Firefox start-up and page loading time, they clutter the interface with toolbars that often go unused, they lag behind on compatibility and security updates, and most importantly, they take the user out of control of their add-ons," says Justin Scott, Mozilla's product manager for add-ons.
Additionally, there have been cases in which trojans operated as Firefox extensions installed offline by other threats.
In December 2008, security researchers from BitDefender found a trojan that functioned as a Firefox extension and stole online banking credentials. The rogue add-on was posing as Greasemonkey, a legit and relatively popular extension.
In 2009, Trend Micro reported that a click fraud trojan which hijacked Google searches also installed itself as a Firefox extension. A separate information-stealing trojan with similar characteristics was found in December 2008.
This shows that the problem dates back a long time and that it took Mozilla a long time to finally address this attack vector. It's also unfortunate that this change doesn't extend to plug-ins, another source of security problems.
It's good that the company is also taking the past into consideration: when users upgrade to Firefox 8 for the first time, all extensions previously installed offline will be disabled by default.
Users will see a one-time dialog where they'll be able to choose which ones they want to keep or remove completely. After that, every time an extension is copied directly into the browser's directory without following the normal installation procedure, users will be prompted to confirm whether they want to keep it.