Blocking Extensions that are installed by surprise

[the-edmeister]

While this has some use, I would argue that it's useless to most people. Users won't go write protect files and disable all plugins to prevent a potentially unwanted application from hooking into Firefox.

That's why I approached this thread with the concept of us accumulating info on which programs and plugins are using a "stealth" installation setup and then using what Firefox already has built into it for blocking those specific files from being installed. It would be a relatively simple matter to create an extension that would install a custom blocklist.xml file for "most people" who aren't very technical.

My premise has a few holes in it, which has been pointed out in this thread, plus trying to collect the data needed for for the blocklist.xml file would be nearly impossible to accomplish given the anecdotal type responses given to my request for the exact data that will be needed for that file.


Ed

[jpj-fr]

Hi,

With Windows, a new extension comes with Java 6update 10 (Java Quick Starter).
It is installed via Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\).

See, in french, extension java quick starter 1.0 on Geckozone.org.

[Alice]

With Windows, a new extension comes with Java 6update 10 (Java Quick Starter).
It is installed via Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\).

See, in french, extension java quick starter 1.0 on Geckozone.org.

I haven't installed JRE6u10 yet but I found some general info on the new Java "Quick Starter" feature here:
http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html
Java(TM) Quick Starter for JavaSE 6u10

The Java installer also silently installs a global "hidden" extension in Firefox (or at least it did as of JRE 6 Update 6) for the Java Console, accessed in Firefox from the "Tools" menu . It came up awhile back due to a "bug" in JRE 6.0 and JRE 6 Update 1 installer that disabled the Java Console in Firefox 2.0.0.1 and later. Ref:
http://kb.mozillazine.org/Java#Java_console_disabled_-_Firefox
http://forums.mozillazine.org/viewtopic.php?p=2972321#p2972321

I have the Java Console for Firefox 2 installed in the "C:\Program Files\Mozilla Firefox\extensions" folder. I still see the extension for JRE6 U6, which I installed 5-12-2008, even though I updated to JRE 6 U7 on 07-13-2008 and then uninstalled JRE 6 U6 on 7/17/2008. (I keep pretty good notes!)

The "C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}" folder is dated 05-12-2008, though, and the install.rdf file inside says this:

Code: Select all

<?xml version="1.0"?>

<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:name>Java Console</em:name>
    <em:id>{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}</em:id> 
    <em:version>6.0.06</em:version>
    <em:type>2</em:type> 
    <em:hidden>true</em:hidden>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>

I installed Firefox 3 rc2 into "C:\Program Files\Mozilla\Firefox3" on 05-30-2008 but it doesn't include the Java Console extension. I'm not sure why that is. It may be just as well, since the Java Console might not work with JRE 6 U10. See Bug 460244 - Unable to open Java Console after installing JRE6u10

[blumoon]

Sure glad I found this thread. I had already isolated the problem to being Google Updater, (I don't have anything google except the chrome browser) and the iTunes application detector and this thread confirmed it. I couldn't even use the browser with these plugins working. Since I disabled these things are working fine-talk about bloatware. Thanks for your informative posts.

[LIMPET235]

Hi blumoon,
Sorry to such a long distance pain but would you please
remove/change your coloured sig to plain black. Thank you.
"The Relevant Rules".

Merry Christmas.

[blumoon]

Thanks for informing me-I didn''t realize I was breaking the rules. I haven't been here very much since the forums changed.

[LIMPET235]

Mucho appreciado.
The new forum still has a few bugs to sort but the owner is very busy.

Merry Christmas.
L..

[NanM]

Useful resource here, because I have to admin an XP machine on the home network - and find that I was spending too much time now chasing down various extensions and plugins from update to update of previously well-behaved invited third-party apps with system rights - ie, apps now presuming and assuming Fx territory rights as if every browser is just commercial meat, you know.
Thanks for the Frank Lion solution in particular. It just works - and I don't have to write myself reminders that I have a very good chance of skipping on a busy day; but if an addon won't install then I am immediately told to "fix this" and have some basic audit initiative back where it belongs.
Don't know how this would manage a <em hidden> MS kind of install, but ... roll on 3.6 I suppose.

And my question, because I do have one, is: what pathway, if any, does something with system rights have to re-enable a disabled plugin (not an extension, because I just don't leave any of those hanging around at all)?

*moseys off remembering the good old Fx days of manual plugin getting*

[Alice]

Couple of issues that will be fixed in Firefox 3.6:

Norton 360 and Norton Internet Security... installs the file "coFFPlgn.dll" directly into the Firefox program components folder and adds the Norton anti-phishing toolbar to Firefox.

Applications will no longer be allowed to add components directly to Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=519357
Bug 519357 - (compdir-lockdown) Only load known components from app directory

The Java installer also silently installs a global "hidden" extension in Firefox (or at least it did as of JRE 6 Update 6) for the Java Console

Hidden extensions are also no longer allowed:
https://bugzilla.mozilla.org/show_bug.cgi?id=508109
Bug 508109 - Firefox Allows Hidden Extensions (e.g., Java Console)

[Alice]

And my question, because I do have one, is: what pathway, if any, does something with system rights have to re-enable a disabled plugin (not an extension, because I just don't leave any of those hanging around at all)?

Almost forgot. In an earlier post in this thread, Frank Lion talked about turning off plugin scanning and possibly installing Firefox in a non-default location to prevent "rogue" plugins that install directly into the Firefox application plugins folder. Or did you men something else?

[NanM]

Couple of issues that will be fixed in Firefox 3.6:
[...]
Bug 519357 - (compdir-lockdown) Only load known components from app directory

[...]
Bug 508109 - Firefox Allows Hidden Extensions (e.g., Java Console)

Yep, I'd been following these since the MS hidden extension mess, and because of the increasing reports of malware getting installed in the components dir - - I try to push NoScript lockdown browsing for the XP users and I'm generally pretty sure they are firewalled enough by this from drive-by stuff, but those monkey patches can mess with runtime any way they want when it comes down to it. So indeed, write-protect the install file and roll on 3.6!

Sorry I wasn't clear on the plug-ins question - - I had read Frank Lion's plug-in post and decided that admin for plug-ins with his guidelines would be worse work than following his final recommendation, ie check plug-ins regularly and leave config as is for now. What I'm not sure about is whether a plug-in's enabled/disabled status can be toggled by an app with system rights after the user has set it. No big problem because I can check that status along with installations regularly, but if disabling in a profile isn't hard and fast then I may look at uninstalling the more untrusted plug-ins and getting users to flag when they want to use them; gives me a little initiative back. Maybe.

[Frank Lion]

Sorry I wasn't clear on the plug-ins question - - I had read Frank Lion's plug-in post and decided that admin for plug-ins with his guidelines would be worse work than following his final recommendation, ie check plug-ins regularly and leave config as is for now.

Yes, it's a pity that Firefox doesn't autodetect Flash in the same way as it does WMP, Adobe, Java, etc. If that were the case then admins could just about:config and toggle plugin.scan.plid.all to false and job done. The user would then just be left with the most needed (and safe, well, safe..ish) plugins.

The full manual plugin lockdown procedure is still useful to know though.

What I'm not sure about is whether a plug-in's enabled/disabled status can be toggled by an app with system rights after the user has set it.

In theory, no, a disabled plugin cannot be enabled once disabled by the user.

However, I could re-enable it without the user's knowledge, so you must assume that others also could. I don't propose to go into details of how this is done, etc.

[NanM]

OT observation: Fx is *officially 5 this month. I was reminded because I washed the 1.0 t-shirt this morning. What a community!

The full manual plugin lockdown procedure is still useful to know though.

And my thanks right now for it

However, I could re-enable it without the user's knowledge, so you must assume that others also could.

::facehand:: oh burger

I don't propose to go into details of how this is done, etc.

Local? network? Win only? all of the above? Ah gwan, tell us. /Mrs Doyle.

EDIT: one time to add * detail to the ot birthday comment that got technically excepted in the next post below by James

but some consider 1.0 to be when Firefox was stable like 1.0 actually meant anything over 0.9 and earlier.

Well the revelation for me, after battling with 0.6.5 in OS X, not getting any headway with bug reporting, and not finding plugins very co-operative, was 0.8.5. It was like everything suddenly clicked and the train was steaming. Camino was nice for a brisk holiday of course But I've jumped off the apple hardware muppet train now that Canonical's giving the sport of desktop ripoffs a bit of a nudge Open and free is a really enjoyable game, and I still believe that it wouldn't have got off and running so quickly without this great Firefox community example to give the nixers a boost.

[James]

OT observation: Fx is 5 this month. I was reminded because I washed the 1.0 t-shirt this morning. What a community!

Technically over seven years but some consider 1.0 to be when Firefox was stable like 1.0 actually meant anything over 0.9 and earlier.