Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Firefox web browser locks down rogue addons

Mozilla adds security feature to 3.6 release

Article comments

Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking addons into the program, the company said.

The new feature, which Mozilla dubbed "component directory lockdown," will bar access to Firefox's "components" directory, where most of the browser's own code is stored. The company has billed the move as a way to boost the stability of its browser.

"We're doing this for stability and user control [reasons]," said Johnathan Nightingale, manager of the Firefox frontend development team, in an email. "Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users.

"Now that those components will be packaged like regular addons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems," Nightingale added.

His mention of "regular addons" referred to the new policy that will be enforced by Firefox 3.6, a minor upgrade to last summer's 3.5 that is to ship before the end of the year. Because third party developers will no longer be able to drop their code into the components directory, they must instead recreate their addons as XPI-based files, the standard Firefox extension format. Mozilla has posted information on its developer site to aid programmers who need to migrate addons to the XPI format.

Most, but not all, Firefox addons are available through Mozilla's Addon site, which boasts that more than 1.6 billion addons have been downloaded by users.

Nightingale said that rogue addons created performance and stability problems for Firefox users. "[They] can lead to all kinds of unfortunate behavior: lost functionality, performance woes and outright crashing, often immediately on startup," he wrote in a post to the Mozilla developer's blog.

Crashes are caused in large part because of developer lethargy, added Mozilla developer Vladimir Vukicevic, who headed up the work on the new lockdown feature. "Many of these components were written for Firefox 3.0, and have not been updated for Firefox 3.5," Vukicevic said in a blog post of his own. "Because a number of internal interfaces changed between the two versions, this leads to crashes or other problems when these components are used."

Nightingale wouldn't link Firefox's new feature to any one unauthorised addon, but the lockdown follows a security brouhaha last month over an addon and plugin that Microsoft sneaked into Firefox earlier this year.

Last February, and again in May, Firefox users complained when they found that Microsoft had pushed the .Net Framework Assistant addon and the Windows Presentation Foundation (WPF) plugin to their browsers as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update. Users were furious that the software was installed without their approval, and even angrier that the components were impossible to uninstall without editing the Windows registry.

In October, after Microsoft admitted that those components left Firefox open to attack, Mozilla disabled Microsoft's software.

In actuality, Microsoft did not drop its code into Firefox's components directory, Nightingale confirmed. "The .Net Framework and WPF use our existing extension/plugin mechanisms, that's why we were able to disable them when they were found to be vulnerable," he said in a followup email. "They aren't impacted by this change." Other addons aren't as lucky. Google's desktop search addon, for example, must be revamped to work with Firefox 3.6. Nightingale said Mozilla is looking into that potential incompatibility.

"We'll be working with third party developers over the next while to help them make the transition to a supported extension mechanism," he said. "The main result for users will be less breakage, not more. But one reason we announce this and get it out in betas is to make sure we know what all the major impacts will be before we release it to a couple hundred million users."

Firefox 3.6 Beta 3 will include the component directory lockdown feature. When it launches, Firefox 3.6 Beta 3 will be available from Mozilla's site. Current beta users will be updated automatically.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *