Clearly, having executables loaded automatically at application startup simply because they are located in the components directory is a security hole, particularly when they are beyond the reach of Firefox's add-on management interface...
To me this doesn't seem so clear - if something is able to write files in the directory containing the installed program, it already has taken over this user and it might just as well overwrite the whole program with a "special" version. No need to install extensions.
This does seem to be what Mike Shaver thinks (in bug #519357):
This isn't designed to protect against attacks on Firefox; that is a hard battle to win (though we do the hash check on every update, and pave over if there's a mismatch). This is to close off an extension mechanism that "happened to work"
Once you are done, you're done, so not everything is a security hole.
Copyright © 2017, Eklektix, Inc.