MozillaZine

Blocking Extensions that are installed by surprise

Discussion of general topics about Mozilla Firefox
the-edmeister

Posts: 32248
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post Posted October 15th, 2008, 3:27 pm

Elfguy wrote:While this has some use, I would argue that it's useless to most people. Users won't go write protect files and disable all plugins to prevent a potentially unwanted application from hooking into Firefox.

That's why I approached this thread with the concept of us accumulating info on which programs and plugins are using a "stealth" installation setup and then using what Firefox already has built into it for blocking those specific files from being installed. It would be a relatively simple matter to create an extension that would install a custom blocklist.xml file for "most people" who aren't very technical.

My premise has a few holes in it, which have been pointed out in this thread, plus trying to collect the data needed for the blocklist.xml file would be nearly impossible to accomplish given the anecdotal type responses given to my request for the exact data that will be needed for that file.


Ed
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.

jpj-fr
 
Posts: 1
Joined: October 18th, 2008, 1:14 pm

Post Posted October 18th, 2008, 1:26 pm

Hi,

With Windows, a new extension comes with Java 6 update 10 (Java Quick Starter).
It is installed via Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\).

See, in French, extension java quick starter 1.0 on Geckozone.org.

Alice

Posts: 2629
Joined: April 23rd, 2003, 11:47 am

Post Posted October 18th, 2008, 5:52 pm

jpj-fr wrote:With Windows, a new extension comes with Java 6 update 10 (Java Quick Starter).
It is installed via Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\).

See, in French, extension java quick starter 1.0 on Geckozone.org.


I haven't installed JRE6u10 yet but I found some general info on the new Java "Quick Starter" feature here:
http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html
Java(TM) Quick Starter for JavaSE 6u10

The Java installer also silently installs a global "hidden" extension in Firefox (or at least it did as of JRE 6 Update 6) for the Java Console, accessed in Firefox from the "Tools" menu. It came up awhile back due to a "bug" in the JRE 6.0 and JRE 6 Update 1 installer that disabled the Java Console in Firefox 2.0.0.1 and later. Ref:
http://kb.mozillazine.org/Java#Java_console_disabled_-_Firefox
http://forums.mozillazine.org/viewtopic.php?p=2972321#p2972321

I have the Java Console for Firefox 2 installed in the "C:\Program Files\Mozilla Firefox\extensions" folder. I still see the extension for JRE6 U6, which I installed 5-12-2008, even though I updated to JRE 6 U7 on 07-13-2008 and then uninstalled JRE 6 U6 on 7/17/2008. (I keep pretty good notes!)

The "C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}" folder is dated 05-12-2008, though, and the install.rdf file inside says this:
Code:
<?xml version="1.0"?>

<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:name>Java Console</em:name>
    <em:id>{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}</em:id>
    <em:version>6.0.06</em:version>
    <em:type>2</em:type>
    <em:hidden>true</em:hidden>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>


I installed Firefox 3 rc2 into "C:\Program Files\Mozilla\Firefox3" on 05-30-2008 but it doesn't include the Java Console extension. I'm not sure why that is. It may be just as well, since the Java Console might not work with JRE 6 U10. See Bug 460244 - Unable to open Java Console after installing JRE6u10
Alice Wyman
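
Added example, not part of the original posts: a small Python audit that reads every `install.rdf` under an extensions folder and separates the extensions that set `em:hidden` to true from the visible ones. The sample manifests, their ids and names, and the function names are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

def read_manifest(path):
    """Return id, name and hidden flag from an install.rdf; None if unusable."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    for desc in root.iter(RDF + "Description"):
        if (desc.get("about") or desc.get(RDF + "about")) != "urn:mozilla:install-manifest":
            continue  # e.g. the nested targetApplication <Description>
        # Properties may be child elements or attributes of the Description.
        prop = lambda n: (desc.findtext(EM + n) or desc.get(EM + n) or "").strip()
        return {"id": prop("id"), "name": prop("name"), "hidden": prop("hidden").lower() == "true"}
    return None

def audit(ext_dir):
    """Sort the unpacked extensions under ext_dir into hidden/visible/unreadable."""
    report = {"hidden": [], "visible": [], "unreadable": []}
    for folder in sorted(Path(ext_dir).iterdir()):
        rdf = folder / "install.rdf"
        if rdf.is_file():
            info = read_manifest(rdf)
            key = "unreadable" if info is None else "hidden" if info["hidden"] else "visible"
            report[key].append(folder.name if info is None else info)
    return report

# Constructed sample manifest template (ids and names are made up).
SAMPLE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>%s</em:id><em:name>%s</em:name><em:hidden>%s</em:hidden>
    <em:targetApplication><Description><em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id></Description></em:targetApplication>
  </Description>
</RDF>"""

def demo():  # build a throwaway extensions folder from the samples and audit it
    root = Path(tempfile.mkdtemp())
    texts = {"hidden@example.invalid": SAMPLE % ("hidden@example.invalid", "Hidden Helper", "true"),
             "shown@example.invalid": SAMPLE % ("shown@example.invalid", "Shown Helper", "false"),
             "broken@example.invalid": "<RDF"}  # truncated manifest, must be reviewed by hand
    for folder, text in texts.items():
        (root / folder).mkdir()
        (root / folder / "install.rdf").write_text(text)
    return audit(root)
```

`audit` takes any extensions folder path, such as the application-level one named in the post above; entries reported as unreadable have a manifest that could not be parsed and need a manual look.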

blumoon

Posts: 76
Joined: May 18th, 2006, 10:36 am
Location: Canada

Post Posted December 14th, 2008, 2:33 pm

Sure glad I found this thread. I had already isolated the problem to being Google Updater (I don't have anything Google except the Chrome browser) and the iTunes application detector, and this thread confirmed it. I couldn't even use the browser with these plugins working. Since I disabled these, things are working fine - talk about bloatware. Thanks for your informative posts.
Last edited by blumoon on December 15th, 2008, 12:54 am, edited 1 time in total.
blumoon
Win 10 FF 53.0.2/ TB 52.1

LIMPET235
Moderator

Posts: 39121
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Post Posted December 15th, 2008, 12:35 am

Hi blumoon,
Sorry to be such a long distance pain but would you please
remove/change your coloured sig to plain black. Thank you.
"The Relevant Rules".

Merry Christmas.

Ancient Amateur Astronomer
Win-7-HP/Intel® DualCore-2.0GHz/500G HDD/4 Gig Ram/550Watt PSU/350WattUPS/Firefox-20.0-62.0-70.0/T-bird-2.0.0.24/SnagIt-v10.0.1/MWP-7.12.
(Always choose the "Custom" Install.)

blumoon

Posts: 76
Joined: May 18th, 2006, 10:36 am
Location: Canada

Post Posted December 15th, 2008, 12:47 am

Thanks for informing me - I didn't realize I was breaking the rules. I haven't been here very much since the forums changed.
blumoon
Win 10 FF 53.0.2/ TB 52.1

LIMPET235
Moderator

Posts: 39121
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Post Posted December 15th, 2008, 2:32 am

Mucho appreciado.
The new forum still has a few bugs to sort but the owner is very busy.

Merry Christmas.
L..
Ancient Amateur Astronomer
Win-7-HP/Intel® DualCore-2.0GHz/500G HDD/4 Gig Ram/550Watt PSU/350WattUPS/Firefox-20.0-62.0-70.0/T-bird-2.0.0.24/SnagIt-v10.0.1/MWP-7.12.
(Always choose the "Custom" Install.)

NanM
 
Posts: 179
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted November 27th, 2009, 7:57 am

Useful resource here, because I have to admin an XP machine on the home network - and find that I was spending too much time now chasing down various extensions and plugins from update to update of previously well-behaved invited third-party apps with system rights - ie, apps now presuming and assuming Fx territory rights as if every browser is just commercial meat, you know.
Thanks for the Frank Lion solution in particular. It just works - and I don't have to write myself reminders that I have a very good chance of skipping on a busy day; but if an addon won't install then I am immediately told to "fix this" and have some basic audit initiative back where it belongs.
Don't know how this would manage a <em hidden> MS kind of install, but ... roll on 3.6 I suppose.

And my question, because I do have one, is: what pathway, if any, does something with system rights have to re-enable a disabled plugin (not an extension, because I just don't leave any of those hanging around at all)?

*moseys off remembering the good old Fx days of manual plugin getting*

Alice

Posts: 2629
Joined: April 23rd, 2003, 11:47 am

Post Posted November 27th, 2009, 3:04 pm

Couple of issues that will be fixed in Firefox 3.6:
Alice wrote:Norton 360 and Norton Internet Security... installs the file "coFFPlgn.dll" directly into the Firefox program components folder and adds the Norton anti-phishing toolbar to Firefox.

Applications will no longer be allowed to add components directly to Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=519357
Bug 519357 - (compdir-lockdown) Only load known components from app directory

Alice wrote:The Java installer also silently installs a global "hidden" extension in Firefox (or at least it did as of JRE 6 Update 6) for the Java Console

Hidden extensions are also no longer allowed:
https://bugzilla.mozilla.org/show_bug.cgi?id=508109
Bug 508109 - Firefox Allows Hidden Extensions (e.g., Java Console)
Alice Wyman

Alice

Posts: 2629
Joined: April 23rd, 2003, 11:47 am

Post Posted November 27th, 2009, 3:33 pm

NanM wrote:And my question, because I do have one, is: what pathway, if any, does something with system rights have to re-enable a disabled plugin (not an extension, because I just don't leave any of those hanging around at all)?

Almost forgot. In an earlier post in this thread, Frank Lion talked about turning off plugin scanning and possibly installing Firefox in a non-default location to prevent "rogue" plugins that install directly into the Firefox application plugins folder. Or did you mean something else?
Alice Wyman

NanM
 
Posts: 179
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted November 27th, 2009, 6:48 pm

Alice wrote:Couple of issues that will be fixed in Firefox 3.6:
[...]
Bug 519357 - (compdir-lockdown) Only load known components from app directory

[...]
Bug 508109 - Firefox Allows Hidden Extensions (e.g., Java Console)


Yep, I'd been following these since the MS hidden extension mess, and because of the increasing reports of malware getting installed in the components dir - - I try to push NoScript lockdown browsing for the XP users and I'm generally pretty sure they are firewalled enough by this from drive-by stuff, but those monkey patches can mess with runtime any way they want when it comes down to it. So indeed, write-protect the install file and roll on 3.6!

Sorry I wasn't clear on the plug-ins question - - I had read Frank Lion's plug-in post and decided that admin for plug-ins with his guidelines would be worse work than following his final recommendation, ie check plug-ins regularly and leave config as is for now. What I'm not sure about is whether a plug-in's enabled/disabled status can be toggled by an app with system rights after the user has set it. No big problem because I can check that status along with installations regularly, but if disabling in a profile isn't hard and fast then I may look at uninstalling the more untrusted plug-ins and getting users to flag when they want to use them; gives me a little initiative back. Maybe.

Frank Lion

Posts: 20649
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted November 29th, 2009, 9:45 am

NanM wrote:Sorry I wasn't clear on the plug-ins question - - I had read Frank Lion's plug-in post and decided that admin for plug-ins with his guidelines would be worse work than following his final recommendation, ie check plug-ins regularly and leave config as is for now.

Yes, it's a pity that Firefox doesn't autodetect Flash in the same way as it does WMP, Adobe, Java, etc. If that were the case then admins could just about:config and toggle plugin.scan.plid.all to false and job done. The user would then just be left with the most needed (and safe, well, safe..ish) plugins.

The full manual plugin lockdown procedure is still useful to know though.

NanM wrote:What I'm not sure about is whether a plug-in's enabled/disabled status can be toggled by an app with system rights after the user has set it.

In theory, no, a disabled plugin cannot be enabled once disabled by the user.

However, I could re-enable it without the user's knowledge, so you must assume that others also could. I don't propose to go into details of how this is done, etc. :)
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

NanM
 
Posts: 179
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted November 29th, 2009, 10:35 pm

OT observation: Fx is *officially 5 this month. I was reminded because I washed the 1.0 t-shirt this morning. What a community!

Frank Lion wrote:The full manual plugin lockdown procedure is still useful to know though.


And my thanks right now for it :-)

Frank Lion wrote:However, I could re-enable it without the user's knowledge, so you must assume that others also could.

::facehand:: oh burger

Frank Lion wrote:I don't propose to go into details of how this is done, etc. :)


Local? network? Win only? all of the above? Ah gwan, tell us. /Mrs Doyle.

EDIT: one time to add * detail to the ot birthday comment that got technically excepted in the next post below by James
but some consider 1.0 to be when Firefox was stable like 1.0 actually meant anything over 0.9 and earlier.

Well the revelation for me, after battling with 0.6.5 in OS X, not getting any headway with bug reporting, and not finding plugins very co-operative, was 0.8.5. It was like everything suddenly clicked and the train was steaming. Camino was nice for a brisk holiday of course :-) But I've jumped off the apple hardware muppet train now that Canonical's giving the sport of desktop ripoffs a bit of a nudge ;-) Open and free is a really enjoyable game, and I still believe that it wouldn't have got off and running so quickly without this great Firefox community example to give the nixers a boost.
Last edited by NanM on March 12th, 2010, 5:27 am, edited 1 time in total.

James
Moderator

Posts: 27671
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Post Posted November 30th, 2009, 3:35 pm

NanM wrote:OT observation: Fx is 5 this month. I was reminded because I washed the 1.0 t-shirt this morning. What a community!

Technically over seven years but some consider 1.0 to be when Firefox was stable like 1.0 actually meant anything over 0.9 and earlier.
