Firefox 3.6 locks out rogue add-ons

New feature bars add-ons from dropping code into Firefox's own directory

1 2 Page 2
Page 2 of 2

Crashes are caused in large part because of developer lethargy, added Mozilla developer Vladimir Vukicevic, who headed up the work on the new lockdown feature. "Many of these components were written for Firefox 3.0, and have not been updated for Firefox 3.5," Vukicevic said in a blog post of his own. "Because a number of internal interfaces changed between the two versions, this leads to crashes or other problems when these components are used."

Nightingale wouldn't link Firefox's new feature to any one unauthorized add-on, but the lockdown follows a security brouhaha last month over an add-on and plug-in that Microsoft sneaked into Firefox earlier this year.

Last February, and again in May, Firefox users complained when they found that Microsoft had pushed the .Net Framework Assistant add-on and the Windows Presentation Foundation (WPF) plug-in to their browsers as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update. Users were furious that the software was installed without their approval, and even angrier that the components were impossible to uninstall without editing the Windows registry.

In October, after Microsoft admitted that those components left Firefox open to attack, Mozilla disabled Microsoft's software.

In actuality, Microsoft did not drop its code into Firefox's components directory, Nightingale confirmed. "The .Net Framework and WPF use our existing extension/plug-in mechanisms, that's why we were able to disable them when they were found to be vulnerable," he said in a follow-up e-mail. "They aren't impacted by this change." Other add-ons aren't as lucky. Google's desktop search add-on, for example, must be revamped to work with Firefox 3.6. Nightingale said Mozilla is looking into that potential incompatibility.

"We'll be working with third-party developers over the next while to help them make the transition to a supported extension mechanism," he said. "The main result for users will be less breakage, not more. But one reason we announce this and get it out in betas is to make sure we know what all the major impacts will be before we release it to a couple hundred million users."

Firefox 3.6 Beta 3, slated for release later today, will include the component directory lockdown feature. When it launches, Firefox 3.6 Beta 3 will be available from Mozilla's site. Current beta users will be updated automatically.

Copyright © 2009 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon