Add-ons behaving badly: the challenges of policing the Firefox ecosystem

Isn't it like.. 98% of Firefox extensions use incredibly powerful APIs that they have no reason to be using? Can't remember the stats.

 

Mozilla needs to take some "unpopular" decisions quickly. Tip-toeing around isn't going to help.

 

http://webblaze.cs.berkeley.edu/2010/secureextensions/

There it is.

Mozilla has long said that the biggest factor in page-slowdown etc is faulty extensions. And we've seen toolbars that load up non-ASLR binaries allowing exploits.

 

I remember Google pushing its 'free' toolbar when I first ran Firefox 2.

 

more scare tactics

 

So what I take away from that is don't install the Ask Toolbar or McAfee Site Advisor.

Interesing- that article was dated 2009. I wonder if Mozilla has changed anything since then... or taken Berkeley's advice.

 

I haven't heard anything about changes like that to their system.

 

Then I recommend you to fully read the changelogs of recent versions (v4 and beyond) and every article in the Mozilla blog since 2010. There were many changes in the correct direction.

 

"firefox extension security changes" "changes to firefox extension system" aren't really showing anything.

Ctrl + F for the word extension all the back to the FF4 beta gives 1 results not relevant to security.

If you have a link talking about changes to their extension system, provide it please. I hate digging.

edit:
http://www.security-assessment.com/...eeman_abusing_firefox_extensions_defcon17.pdf Another older link I believe - I hope they have made things better.

EDIT2: https://developer.mozilla.org/en/Extensions/Updating_extensions_for_Firefox_4

I have only glimpsed at it atm but I see no security changes. Same for 3.5's page.

edit3: http://www.cs.berkeley.edu/~afelt/felt-extensions-leastpriv.pdf A omre recent paper saying the same thing. I think this one was 2010.