The Demise of Mozilla

Discussion in 'Firefox, Thunderbird & SeaMonkey' started by ackerberg, 2005/03/11.

Thread Status:
Not open for further replies.
  1. 2005/03/21
    Westside

    Westside Inactive Alumni

    Joined:
    2003/03/30
    Messages:
    4,506
    Likes Received:
    14
    I could not be more in agreement with you: the options should be a "mandatory" part of the installation, or available with the blessing of mozilla.org. It seems to be that way on the mozilla website, but who knows what is going on.
     
  2. 2005/03/22
    Marklet

    Marklet Inactive

    Joined:
    2004/10/27
    Messages:
    91
    Likes Received:
    0
    And I'm glad you answered :eek:
    I read all 7 pages of 1 link & 4 pages of a link therein. Discussions without resolution. Shameful that the current system leaves such a security gap. I thought Extensions could be potentially malicious/malware & I read the evidence there that some are. I didn't know Extensions could go as far as running exe files within them or that they could run dll files & mess up your registry even without an executable (negating some posts there saying the solution would simply be not to let Extensions cross the line into acting like Plugins). I saw many holes in the whitelisting concept.

    Overall it seems we're left in the usual 'wild west' with the best (but not complete) protection seeming to be AV + AT + in this case especially using a locked Hosts file loaded with localhost redirects on bad sites using Spybot & Spywareblaster etc.

    Thank you very much for the information even though it confirmed the fears I guessed existed.
     

  4. 2005/03/22
    mikewanca

    mikewanca Banned

    Joined:
    2003/11/30
    Messages:
    55
    Likes Received:
    0
    Hi, Marklet,

    Glad I could confirm your fears ;) .... hey, forewarned is forearmed... or something like that?

    As mentioned in the MozillaZine thread posted 25th Mar 2004 by momokatte,
    Lots of people think that XPI files are only used to add themes and extensions to Mozilla browsers, and that uninstalling the browser or removing the profile gets rid of the XPI installation. Not true! XPI files can be used to install the Java 2 Runtime Environment from within Mozilla, for example... see http://plugindoc.mozdev.org/faqs/java.html ..... so XPInstall goes way beyond the browser confines.
     
  5. 2005/03/22
    Marklet

    Marklet Inactive

    Joined:
    2004/10/27
    Messages:
    91
    Likes Received:
    0
    Hi mikewanca,

    By total coincidence I happened across something new while surfing that bears directly on this discussion.

    I'm on a totally 'legitimate' site of a major big pharma GlaxoSmithKline. I'm offered a $3 coupon on a product I use. I want to print the coupon. First time I've ever seen this: I'm offered a required .xpi to enable receiving the coupon. It is cscmv5.xpi from coolsavings coupon manager. I install it & ZA firewall requests permission for a new Netscape Component to access the internet: NPCpnMgr.dll & I allow it & the coupon prints. I try printing another copy & get a message that I already printed it & am only allowed one (of course I could photocopy). I now go through WE & Registry & attempt to clean this stuff out. I go back there with a different hi anon proxy/IP & all history/cookies/caches cleared. Darn thing recognizes me still with the same message. My silly mistake was not running a free Regshot in advance.

    I now go to coolsavings directly & run Regshot & reinstall their couponmanager & then clean my Registry using the Regshot & reboot. Go back to GSK site & darn it still recognizes me. So something left over from the first xpi install is still there. I've combed Mozilla folder, Netscape folder, & Application Data Profile for Owner, default etc; can't find anything (or to say it another way I can't find anything I can recognize that I need to delete). Nothing in HiJackThis etc either.

    My point here is not geared to seeking help to get rid of it (but if someone knows the specifics PLEASE feel free). My point is to discuss another way xpi is obviously being used & how 'deep' it can affect you & hide.

    I won't 'argue' whether this is malware or not (I'll just say I personally view it as malware). So let's not dwell on that. The point is the 'power' of what this xpi can do & the fact that it is NOT a browser Extension or Theme. It is a Plugin delivered by xpi in Netscape (& I'll safely assume the same would occur in seamonkey or firefox); in IE it's delivered by ActiveX. My view is this is a big security problem in what an xpi can do.

    One possible answer for Moz might be to change the license specifically on the use of open source xpi to limit its usages. I have no expertise in the licensing & guess many would argue against any change in licensing, but this is for security & would create the ability to bring legal action for misuse.
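
Added example (not part of the original thread or any poster's words): an XPI is a ZIP archive, so it can be inspected before installation for the native plugin code and install scripts discussed above. The sample archive and every file name in it are constructed for illustration.

```python
import io
import zipfile

NATIVE_EXTS = (".dll", ".exe", ".ocx", ".sys", ".so", ".dylib")
MAX_DEPTH = 3  # bound recursion into nested archives

def audit_xpi(data, prefix="", depth=0):
    """List native-code members and install scripts in an XPI (ZIP) blob."""
    report = {"native": [], "install_scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lower = info.filename.lower()
            with zf.open(info) as member:
                head = member.read(4)
            # Flag by extension and by magic bytes, so a renamed PE/ELF is caught.
            if lower.endswith(NATIVE_EXTS) or head[:2] == b"MZ" or head == b"\x7fELF":
                report["native"].append(path)
            elif lower.rsplit("/", 1)[-1] in ("install.js", "install.rdf"):
                report["install_scripts"].append(path)
            elif head == b"PK\x03\x04" and depth < MAX_DEPTH:
                # Nested archive (legacy extensions ship chrome/*.jar): look inside.
                inner = audit_xpi(zf.read(info), path + "!/", depth + 1)
                report["native"] += inner["native"]
                report["install_scripts"] += inner["install_scripts"]
    return report

def build_sample_xpi():
    """Constructed sample: plugin DLL, install script, renamed PE in a nested JAR."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("content/overlay.js", "// constructed placeholder")
        zf.writestr("content/helper.dat", b"MZ\x90\x00 constructed, not a real PE")
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("install.js", "// constructed placeholder")
        zf.writestr("plugins/NPExample.dll", b"MZ\x90\x00 constructed, not a real PE")
        zf.writestr("chrome/example.jar", jar.getvalue())
    return xpi.getvalue()

if __name__ == "__main__":
    result = audit_xpi(build_sample_xpi())
    for path in result["native"]:
        print("native code:", path)
    for path in result["install_scripts"]:
        print("install script:", path)
```

Any entry under "native" means the package installs code that runs outside the browser's extension model, which is the case described in the posts above.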
     