Good news for Firefox users who, like me, think that Mozilla needs to do something about third party add-on installations in the browser. Third party add-ons are browser extensions that are installed by third party programs on the system. It is, for instance, very common for security software to install toolbars and other add-ons in the browser automatically during installation. The real problem here from a security point of view is malicious software exploiting the issue. The worst-case scenario is malware that successfully installs an add-on in the browser this way.

The current version of Firefox does not offer protection against these kinds of installations. Mozilla has acknowledged the issue and is currently working on a solution. The development team plans to include protection against unwanted add-on installations from Firefox 8 on.

A wiki page over at Mozilla offers details about the motivation and current stage of development.

Mozilla notes that they "currently do not provide adequate warning to users that new third-party provided add-ons have been installed" and that the "project will ensure that users opt-in to all add-ons that aren't installed through the Firefox UI".

With the protection in place, Firefox would inform its user of new add-ons that have been installed from third party software and not from within the browser UI. It is Mozilla's plan to display an opt-out page to the user so that it is possible to block the installation and execution of the add-on in the browser.

A mockup has been created that shows what the user prompt could look like when the browser starts. In this mockup, each third party add-on installation would open in its own tab in the browser.

We do not know at this point whether add-ons refers only to browser extensions, or whether browser plugins are also included in the checks. It would make sense for Mozilla to block all automatic third party installations, and not only those that are extension related.

Conceivable Tech notes that Mozilla also wants to make sure that add-ons are always removable in the browser, another long-standing issue that is about to get resolved.

The projected release target should give Mozilla ample time to test the new security measure before it reaches the majority of users in the Firefox Beta and Stable channels.
