
Is there any truth to insecurity allegations?


Al Mac

Nov 24, 2009, 11:38:33 AM
http://blogs.techrepublic.com.com/security/?p=2710&tag=nl.e019
This article claims
1. Some add-ons, plug-ins, extensions, approved by Mozilla, can
interfere with each other. They gave an example of where NoScript
could be sabotaged by another (unnamed) add-in.
2. Mozilla, it says, has no security policy to disallow such activity.

End-users are advised

* Don’t trust extensions.
* Check Bugzilla for new information about extension-security
issues.
* Make sure extensions are up-to-date.
* Consider Safe Mode, as it disables all extensions.

I visited http://www.bugzilla.org/ & I must say, as an end-user, it is
non-obvious to me how to look up what problems (if any) currently may
have been reported for the add-ons that I am using.

PS. I recently reversed a "drive by" update that I got when I upgraded
free AVG 8.5 to 9.0 using the custom install, and saying NO THANKYOU
every time they offered to alter Firefox.

David McRitchie

Nov 24, 2009, 12:42:22 PM
"Al Mac" ...
> *** Some Firefox extensions may be exploited to install malware ***

> http://blogs.techrepublic.com.com/security/?p=2710&tag=nl.e019
> This article claims
> 1. Some add-ons, plug-ins, extensions, approved by Mozilla, can
> interfere with each other. They gave an example of where NoScript
> could be sabotaged by another (unnamed) add-in.
> 2. Mozilla, it says, has no security policy to disallow such activity.
>
> End-users are advised
>
> * Don’t trust extensions.
> * Check Bugzilla for new information about extension-security
> issues.
> * Make sure extensions are up-to-date.
> * Consider Safe Mode, as it disables all extensions.
>
> I visited http://www.bugzilla.org/ & I must say, as an end-user, it is
> non-obvious to me how to look up what problems (if any) currently may
> have been reported for the add-ons that I am using.
>
> PS. I recently reversed a "drive by" update that I got when I upgraded
> free AVG 8.5 to 9.0 using the custom install, and saying NO THANKYOU
> every time they offered to alter Firefox.

Okay, the article name, which you failed to include, is specifically about
malware. Yes, there have been problems with some extensions purposely
sabotaging or making "improvements" on other extensions' options. These
problems are being addressed as best they can. It had not been a major problem
in the past, but where money is involved (help me write better code by giving
me money) it is certainly going to get worse.

Of course the statements you indicated are true statements. But your "approved by Mozilla" because
it appears on the addons site does not mean all that much. Mozilla may *try* to
make sure that the extensions don't break rules for extensions, but there is no way
they and all of their volunteer helpers can check if extensions conflict with other
extensions.

Looking through Bugzilla is misleading. You refer to a bug report, but most
people find problems through other things that point to the actual problem
report, often generated by investigators who later report in Bugzilla for problems
found in newsgroups such as this one, and can be seen in MozillaZine KB for instance
with problems, solutions and references. Frequent references to Bugzilla.
For addons the newsgroup of interest would be mozilla.dev.amo (for Addons Mozilla Org).

Mozilla is improving their methods of dealing with malicious extensions (including
those written by large companies that you no longer see on the addons site).

The Addons group is trying to fix some of the problems with a checklist
of items for developers to mark to indicate such problems. It may take a
few years for that to work out, but some improvements have been made
already. I certainly remember their attempt to improve the search -- they
actually destroyed the search for two years as a result, and while the Advanced
search has been put back it is not as good as the original, but it is easier to get to.

The MozillaZine "Problematic extensions" page can be of some help for some of the
most used extensions and their major problems relating to Firefox and to a lesser
degree with other extensions.

If you install the "keyconfig" extension, you will see that a lot of extensions conflict
with Firefox itself and with other extensions for keyboard shortcuts.

--
HTH,
David McRitchie, extensions I use are briefly documented on my site
Firefox Custom: http://www.mvps.org/dmcritchie/firefox/firefox.htm


Greywolf

Nov 24, 2009, 4:45:34 PM
Al Mac wrote:
> http://blogs.techrepublic.com.com/security/?p=2710&tag=nl.e019
> This article claims
> 1. Some add-ons, plug-ins, extensions, approved by Mozilla, can
> interfere with each other. They gave an example of where NoScript
> could be sabotaged by another (unnamed) add-in.
> 2. Mozilla, it says, has no security policy to disallow such activity.
[etc]

No browser is totally secure, and add-ons for any browser may interfere
with each other. I keep IE for Windows Updates, and occasionally for
otherwise problematic websites, but I use Mozilla 99.9% of the time. So
far, no problems.

HTH
wolf k.
