User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) Firefox allows malware to install extension without any confirmation requests. Found a trojan which installs Firefox Addon (hxxp://www.malwaredomainlist.com/mdl.php?search=188.124.16.96). Reproducible: Always Steps to Reproduce: 1. Run trojan on virtual machine. It will regiser in windows autorun and create %PROGRAMFILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D} folder, with malware timer.xul file. 2. In extension-list window installed extension is 'Internal Security 1.0' Actual Results: Malware extesion installs without any requests. So, Firefox allows to install it without any confirmation. It's serious security leak, imho. Expected Results: Firefox and all Mozilla products will track hidden extension installations and show confirmation windows if it's needed. dropper: (http://www.virustotal.com/analisis/9618163d80799bdce260a265c52815cff46e9b9473cd1feff78da09e80403701-1271424252) timer.xul (http://www.virustotal.com/analisis/14b41a4d0e1ae923aab4a424da7aa8b17dfbc94ade9393baaae0178edee692d5-1271422084)

This bug does not need to stay hidden.

note: the warning from bug 476430 could be overridden by the malware. It's just not possible to protect the application files from other applications running with enough privileges.