The only extension I know of that truly increases security in Firefox is NoScript [noscript.net] It truly does make me feel safer when using Firefox because I decide which sites can run scripts, use plug-ins, and it provides XSS protection. I love the fact that it puts me in control. However I definitely tend to stay away from new or unknown extensions unless I am trying it in a Sandbox so I can limit it’s access to the system.

I’ve used that NoScript for a little while before, but so many of my favorite sites use JavaScript so it hinders my experience more than anything. What would be cool is if you could automatically have it whitelist a site once you’ve visited it over a dozen times or so. That way the ones you are just skimming through from a Google search and whatnot will have JavaScript disabled.

You folks still don’t get it do you?? Mozilla markets Firefox on the fact that it’s suppose too be a more secure browser. But you can’t go adding a bunch of extensions too something and expect it too remain more secure. Your just adding “possible cracks”, and I’m still “laughing now”. I’m sure Window Snyder is laughing too when she’s not trying too get it patched. Toldja folks. (Beat up on IE 7 now Firefox faithful)

I don’t think anyone would ever deny that using extensions decreases the security of the browser. I know I’ve never said anything along those lines.

i use the Dr.web Firefox extension to scan all extension before i install them.
or you can download the extension manually be using save link as on the extension and have your antivirus scan it locally

In most cases that will work well, but you still aren’t completely protected. In this situation it took about two months for antivirus apps to pick up on the virus, and so you were left vulnerable for that entire period of time.

That is one of the beauties with the extensions, but some are so complex that it could take a long time to try and find any insecure parts. Plus, from what I gather with this vulnerability the URL was disguised using HTML encodings. So it’s not like you’re looking for a URL that points to an IP address or something like that.

When I first heard this information on another security site I was initially a bit concerned for two reasons:

1) Mozilla is often touted (rightly/wrongly) as being a “secure” browser. I expect to see some finger-wagging and Firefox bashing in the blog-o-sphere out of this.

2) It really is a wake-up call for just downloading and installing Mozilla Add-ons without considering the potential risk…although to my recollection, Mozilla has always been cognizant and public about this risk to its users.

However, I am a bit more relaxed about it for these reasons:

1) Mozilla and the community work hard to ensure these situations don’t happen if the Add-ons are included and downloaded from the approved Add-on site: Mozilla Add-ons – [addons.mozilla.org] (Even if in this particular case it actually got in there.)

2) I am not a programmer, but the Add-on format makes it relatively simple for the average Mozilla user to download, open, and inspect the contents of the Add-on code, prior to installing it.

With a good (and free) file compression program (I use 7-Zip) you can unpack the .XPI file Add-ons are bundled up in.

From there you can open almost all of the elements with Notepad or a good freeware alternative (Notepad++) to view the XML/XUL and JavaScript code.

Even if I don’t know all the details of programming, I can probably pick out a suspicious URL and IP calls or other obvious “gothcas” that might warrant a followup email to a Mozilla forum or even the developer to clarify.

Lifehacker has a nice intro: How to build a Firefox extension – [lifehacker.com]

I guess having a “relatively” secure source for authorized Mozilla Add-ons as well as the format of Add-ons being open for content inspection brings me a bit more comfort.

But it does certainly brings a bit more pause-before-install to my own Add-on love and usage.