Mozilla Add-on guidelines

Curious about the effectiveness of the Add-on guidelines that Mozilla enforced a few years ago, I decided to find some more information.

You may have heard about Mozilla's add-on blocklist a few months ago (July 2015), when Mozilla decided to put the Flash Player and Java plugins on it, given the security risks that these plugins brought with them at the time.

If you happen to install an add-on that is blocked as a security risk you will see something like this when you open the “Add-ons Manager”. It tells you that the add-on “is known to cause security or stability issues”.

Clicking the “More Information” link in that field will show you the reason why this add-on is on the list, in this case “This add-on is silently installed into users’ systems”. It will also link you to the site where the guidelines are specified. Please note that the plugins that can be found at http://addons.mozilla.org are called AMO’s. AMO plugins are subject to even stricter rules.

You can also find when the issue was reported and when the add-on was added to the blocklist. There are two gradations to being blocked. Only the items labeled as (malware) on the blocklist are completely blocked; the user has no choice but to disable them. The rest get a warning like the one described above. This is called a “softblock”.

The problem is that you will have to check the installed add-ons yourself to find the ones that were silently installed, if they are on the softblock list.

As with most rule sets, the guidelines are constantly being reviewed and are open to changes. A very welcome addition to the guidelines was the decision not to allow add-ons that come with setting protectors. These actively interfere when the user tries to remove or alter settings, which should definitely not be allowed.

The success of the blocklist depends heavily on the number of users reporting add-ons and on the turnaround time between an add-on being reported and it being added to the blocklist.

You have to create an account for Bugzilla@Mozilla to be able to report add-ons eligible for the blocklist. Then you can add your request to the list.

Personally I did not find this procedure very user friendly, but that may be by design. It took quite a lot of searching and clicking to get to the point where I could create a “bug report” for an unwanted add-on. I can imagine that this limits the number of submissions.

The turnaround time seems to be fine. For malware entries I noticed a few that were added to the blocklist one day after the first report, which is very good in my book, considering the nature of the software. In order to stay protected from potentially malicious software in the meantime, we recommend using an anti-malware product, which adds new detections for malware between 10 and 15 times a day.

Mozilla utilizes an add-on blocklist for its browser Firefox that either blocks the installation of malware add-ons or displays a warning about add-ons that are found to cause other issues. As useful as this feature is, the number of blocked add-ons seems rather low and this might be due to the complicated procedure, since the turnaround time looks to be very good.

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.