it is not a security thing
Posted Nov 26, 2009 19:15 UTC (Thu) by zuki
Parent article: Firefox locks down the components directory
> Clearly, having executables loaded automatically at application startup
> simply because they are located in the components directory is a security hole, particularly when they are beyond the reach of Firefox's add-on
To me this doesn't seem so clear - if something is able to write files
in the directory containing the installed program, it already has taken over this user and it might just as well overwrite the whole program with a "special" version. No need to install extensions.
This does seem to be what Mike Shaver thinks (in bug #519357):
> This isn't designed to protect against attacks on Firefox; that is a hard
> battle to win (though we do the hash check on every update, and pave over if there's a mismatch). This is to close off an extension mechanism that "happened to work"
Once you are done, you're done, so not everything is a security hole.