Apr 4, 2011 05:22 GMT  ·  By

In an attempt to resolve performance issues, Mozilla plans to block the offline installation of add-ons, a measure that will also improve security.

Mozilla intends to make a series of add-on-related changes that involve the introduction of automatic performance testing, slow performance warnings, and most importantly, from a security perspective, mandatory opt-in installation.

This means that no third-party program will be able to install extensions, toolbars or plug-ins by placing files directly in the Firefox directory.

This is actually an attack vector that has been discussed and criticized before by the security community.

Back in December 2008, security researchers from Bit Defender found a trojan that worked as a Firefox extension and stole online banking credentials.

The trojan was being installed by other infections and was registering itself as "Greasemonkey," a legit and relatively popular extension.

The malware was also dropping a malicious DLL in the Firefox plug-in directory and a browser.js file in the chrome folder.
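The side-loading pattern the article describes (files dropped straight into the Firefox install tree rather than installed through the add-on manager) is something a defender can catch by baselining those directories and diffing them over time. The script below is an added example and is not code from the article or from Mozilla; it assumes a layout in which side-loaded files land under `extensions/`, `plugins/` and `chrome/` relative to the install root, and the sample tree it builds is constructed data, not real malware.

```python
"""Baseline-and-diff audit of Firefox add-on drop directories.

Added example (not from the article or from Mozilla). Assumed layout: side-loaded
add-ons land as files or folders under "extensions/", "plugins/" and "chrome/"
relative to the install root. The sample tree built by build_sample_tree() is
constructed for the demo and contains only placeholder bytes.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories into which third-party installers historically dropped files
# (assumed layout; adjust for the Firefox version being audited).
WATCHED_SUBDIRS = ("extensions", "plugins", "chrome")


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(install_root: str) -> dict:
    """Map every file under the watched subdirs to its SHA-256.

    Keys are POSIX-style paths relative to the install root so a snapshot
    taken at install time can be compared with one taken later.
    """
    root = Path(install_root)
    result = {}
    for sub in WATCHED_SUBDIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                result[p.relative_to(root).as_posix()] = _sha256(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return {"added": added, "removed": removed, "changed": changed}


def build_sample_tree(root: str, with_sideload: bool) -> None:
    """Construct a toy install tree; the 'sideload' files are placeholders."""
    r = Path(root)
    ext = r / "extensions" / "legit@example.test"
    ext.mkdir(parents=True, exist_ok=True)
    (ext / "install.rdf").write_text("<RDF/>")
    (r / "plugins").mkdir(exist_ok=True)
    (r / "chrome").mkdir(exist_ok=True)
    if with_sideload:
        # Mirrors the drop pattern described in the article: a DLL in the
        # plug-in directory and a browser.js in the chrome folder.
        (r / "plugins" / "dropped.dll").write_bytes(b"MZ-placeholder")
        (r / "chrome" / "browser.js").write_text("// placeholder")


def demo() -> dict:
    """Take a clean baseline, simulate a drop, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d, with_sideload=False)
        base = snapshot(d)
        build_sample_tree(d, with_sideload=True)
        return diff_snapshots(base, snapshot(d))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be taken right after a trusted install and stored out of reach of the browser's own user account; anything reported under `added` or `changed` that did not come through the add-on manager is worth a closer look.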

Since then, other threats have been found to operate as malicious Firefox extensions, one just two weeks ago as part of a Facebook survey scam.

"It’s an all-too-common practice of third-party software to install toolbars and other bundled add-ons in your browser without permission. [...] In an upcoming version of Firefox, third party add-ons will not be installed unless the user explicitly allows the installation in Firefox.

"We expect this to have a huge impact on Firefox performance, as well as giving users back the control they should have over their add-ons," announced Justin Scott, Mozilla's product manager for add-ons.

Another consequence of this change will be that users won't need to deactivate commonly attacked plug-ins each time they are updated.

For example, a very large number of drive-by download attacks currently target Java vulnerabilities. Since Java is no longer commonly used on the Web, some experts have recommended that users disable its plug-in in the browser.

However, Java is still required by a lot of programs on the desktop, so users need to have it installed. The problem is that every time the local Java installation is updated so is the browser plug-in.