Mozilla locks out rogue Firefox add-ons

Mozilla has made a significant tweak to the Firefox 3.6 code base to block rogue add-ons from loading in the browser's application components directory.

This will most certainly block developers and software vendors from silently installing Firefox add-ons without explicit user permission.  It will also significantly reduce browser crashes linked to third-party add-ons, Mozilla said.

The change (see bug report here) will be introduced in Firefox 3.6 to block third-party applications from adding their code directly to the “components” directory, where much of Firefox's own code is stored.

Here's the explanation from Mozilla's security blog:

Components installed in this way aren’t user-visible, meaning that users can’t manage them through the add-ons manager, or disable them if they’re encountering difficulties. What’s worse, components dropped blindly into Firefox in this way don’t carry version information with them, which means that when users upgrade Firefox and these components become incompatible, there’s no way to tell Firefox to disable them. This can lead to all kinds of unfortunate behaviour: lost functionality, performance woes, and outright crashing – often immediately on startup.

In Firefox 3.6 (including upcoming beta refreshes), we’re closing this door. Third party applications can still extend Firefox via add-ons and plugins the way they always could, but the components directory will be for Firefox only.

A migration document is available to help add-on developers understand the change. More information on Mozilla's thinking here.