Rogue Firefox Add-Ons Bring Security Risks
Security is as much about choices as it is about policies. Which software solution you pick is as important as how you configure and use it. With the vast majority of threats today coming from the Web, the choice of browser is critical. With few exceptions, most Web sites are cross-browser compatible. Choosing a browser is less about compatibility and more about usability and security.
Like many companies, Nemertes Research standardizes on the Firefox browser. There are many reasons for this choice, but a major one is security. Once properly configured and with the assistance of add-ons such as No-Script, which applies a default-deny towards scripts on unapproved sites, Firefox becomes extremely robust and secure. It's also cross-platform, which helps in a company where we run and support multiple operating systems. Lately, however, I've become increasingly concerned about Firefox's add-ons. Add-ons are plugins than extend the browser features. They can be used to enhance security (NoScript is a great example) or to extend features (FireBug is an indispensable Web development tool). Used sparingly, they add great value. Of course, like any piece of code they come with bugs, memory leaks and possible security issues. So it is important to limit them to the essentials and carefully control them. But increasingly I am seeing add-ons installed that I didn't ask for.
Over time, I've had many different applications dump an add-on into Firefox, without asking my permission. Media players, Java installers, Office launchers, "helpers" and ""assistants". All of these add-ons purportedly improve integration with some or other software I just installed. But again, I didn't ask for them -- and even worse
So every couple of months, I have to dry-dock my browser to remove the barnacles. This is where things get interesting -- the uninstall button is disabled. Infuriatingly, the software installers not only lacked the manners to ask my permission but they have the chutzpah to dictate their presence! A deep dive in the registry and various configuration files quickly results in the forced removal of these pests.
One has to wonder: How many times do we have to learn these lessons? Browser Helper Objects in Internet Explorer became the death-by-popup sentence for the browser. ActiveX and other "extensions" created an endless parade of drive-by malware. Once again, security is sacrificed on the altar of features.
Before I go out and install a firewall-add-on to protect me against rogue add-ons I have to ask: Who came up with the idea of an add-on with a disabled uninstall button? Mozillians take note: Strengthen the controls of add-ons. You don't want to go down that road -- Here, There Be Dragons.