How to block Firefox extension installs with CIS

[Guest]

[Vakko]

Sandboxie is awesome. But you don't need parent lock down features. If you have your browser forced to always start Sandboxed then no changes can ever be made to your browser unless you run them outside of a Sandbox. Its very easy. More easy then what your suggesting.

http://www.sandboxie.com/

[SilentMusic7]

Sandboxie is awesome. But you don't need parent lock down features. If you have your browser forced to always start Sandboxed then no changes can ever be made to your browser unless you run them outside of a Sandbox. Its very easy. More easy then what your suggesting.

http://www.sandboxie.com/

If I understand correctly, Sandboxie doesn't prevent installing a Firefox extension by the user -- it makes Firefox effectively forget changes when Firefox is closed.  This allows a user to install a malicious extension and get their identity stolen.  Also, the inexperienced user is not able to save their bookmarks update between sessions.

[Vakko]

No you are completely wrong. Please read the Sandboxie site. It tells you everything. And how did we go from Extensions to Identity theft? If you browse under a Sandbox then any changes you make such as extensions or themes will never be installed cause they never actually did get installed. Think of Sandboxie as a virtual machine. Try it yourself if you don't believe me. You can also install programs under a sandbox. As soon as you empty the sandbox then the program is gone cause it never really got installed. It was never written to the hard drive. Yes bookmarks can be saved. There is the option to do so in Sandboxie settings.

[SilentMusic7]

I did spend a few hours reading the Sandboxie site.  My understanding is that, from the (inexperienced) user's point of view, they can install an extension under Sandboxie.  But when they restart Firefox (new sandbox), the new extension is gone.

And how did we go from Extensions to Identity theft?

I used identity theft (phishing, etc.) as an example of possible results of malicious extensions -- even those that are not permanently installed (because of a sandbox).

Simply use Sandboxie and no changes to your browser will be made.

The topic of this thread is to help parents and others prevent Firefox installs by a child or another inexperienced user.  Someone who investigates the Comodo forum to find this thread likely is already familiar with CIS and wants to learn more about it.  I don't understand how adding Sandboxie to CIS is simpler than the CIS configuration I suggested for this audience.  I suspect that learning Sandboxie and CIS takes longer than only learning CIS, especially since new versions of Firefox may require Sandboxie updates and investigation.  Also, Sandboxie requires extra memory and CPU resources when supplementing CIS than CIS alone, which I cannot afford on one of my PCs.  Finally, other posts in this forum mention unresolved security flaws and/or bugs with Sandboxie.  For an experienced user that doesn't share their PC, I understand Sandboxie's appeal.

[Vakko]

WOW.....you are completely not reading the site. Sandboxie is free. It takes 2 seconds to install it and by default needs no tweaking unlike CIS. Also you are not adding Sandboxie to CIS. Your adding it to your browser. To install CIS and configure like your saying will take well over 15 minutes and some knowledge. A newbie can install Sandboxie within 2-3 secs and be under way. I have ran Sandboxie successfully with CIS and Online Armor. It also works with Outpost. You really do not understand what the term "sandboxed" means. Heck there are tons of people who use Sandboxie as there only means of security. BTW I have been a Firefox users for well over 5 years now and I have never seen an extension that requires my personally information.

[Vakko]

I want you to look through this link and tell me where you find a malicious add on.


https://addons.mozilla.org/en-US/firefox/

[Vakko]

I do not understand your point about all this anyways. I have seen well over 1,000 infected pc's through my years of fixing them and I have never seen 1 malware infection caused by a Firefox extension. Not one.

[Toggie]

heise Security UK » Firefox add-on contains malware

News - Trojan spoofs Firefox extension, steals IDs

Internet-security-blogs | Exploits Spy

Microsoft quietly installs a massive security vulnerability in ...

Seek and ye shall find...

[Vakko]

Most of those articles are old and out dated but again you missed my point. From the list of official add ons I posted please point out a malicious one. There is NONE. Installing a language pack is not an official add on and Microsoft screwing up Firefox is not an official add on . Did you even read those links you posted?

[Vakko]

Users have discovered malware in a Vietnamese language pack add-on for Firefox on the servers of the Mozilla project. The developers do not know how many users downloaded the infected add-on.

[Vakko]

Normally, Firefox extensions -- which in Windows have the .xpi file extension -- display a confirmation dialog that the user must acknowledge before the add-on installs. The bogus Numberedlinks, however, skips that.


If you took the time to read then you would have seen that there is no alert from Firefox for this one and the article is from 2006. Also a good anti keylogger would have stopped this.

[Vakko]

This article says nothing.

http://newexploits.com/tag/internet-security-blogs/

[Toggie]

I'm sorry you missed the point...

[HeffeD]

I guess you missed all the recent hullabaloo about an author of a popular "security" extension that effectively patched another very popular extension to ignore the authors websites?

Slighty OT to what is being discussed, but don't buy into the "there are no malicious extensions" argument...

[Endymion]

I guess you missed all the recent hullabaloo about an author of a popular "security" extension that effectively patched another very popular extension to ignore the authors websites?

Slighty OT to what is being discussed, but don't buy into the "there are no malicious extensions" argument...

There is an Addon policy meant to guarantee safety whenever there have been two cases that pointed out the possibility of loopholes (NS Vs ADP hullabaloo included: No Surprises << Mozilla Add-ons Blog).

Apparently there were less strict checks for well known components although this do not mean that no step was taken to address this.

But assuming that malicious components are actually featured on mozilla and are not detected by any AV could potentially cause unwarranted concerns to any users willing to manually install addons featured on mozilla.org (Mozilla: For the Record >> Blog Archive  >> Vietnamese Language Pack FAQ) .

Although outside mozilla.org there is a possibility of unauthorized parties attempting to tamper firefox folder and silently configure FF to run an extension (without using built-in Frefox installer),

in case of Microsoft .NET Framework Assistant (ClickOnce) though, the possibility was apparently leveraged to provide the same support to .net that is featured by IE (interoperability and support are often crucial factors) although such approach was opposed by many Firefox users who ran .NET 3.5 SP1 framework setup,

whereas in 2006 an IE specific web exploit and/or a downloaded were seemingly involved: FormSpy malicious Firefox extension

[Tags:]