In association with heise online

Firefox/Mozilla/Netscape Demo: Loading and executing files as XPI

With Mozilla, Netscape and Firefox, additional functions can be downloaded and installed via browser extensions. These extensions are packed into XPI files and contain ordinary programs that run with the same privileges as the logged-in user: they can read files, possibly delete files, and so on. Once the user has confirmed the installation, the program is launched automatically. Users who press the installation button all too hastily (the default setting up to Mozilla version 1.6) risk catching a Trojan or a dialer. Several Web sites actively exploit this mechanism.

Under Mozilla 1.7 and current Firefox releases the default setting has been changed to "cancel", and a forced pause of three seconds has been built into the dialog. The browsers also work with lists that permit XPI installation only from specific sites.

When the demo starts, a bar appears with a message saying that software installation was prevented. If you allow this site to install software, a dialog guides you through the installation process. If you then click "Install", the demo program runs and a red window appears displaying the message "You are vulnerable".

Although at present the demo only works on Windows and Linux (x86), programs can be installed and executed on other platforms as well. This demo requires JavaScript, but XPI files can in principle be installed even when JavaScript is disabled.

Users are advised to install software only from a few trusted sites. This is, however, no guarantee: intruders may also manipulate such Web pages and infiltrate malicious programs. An update to Mozilla 1.7 or a current Firefox version significantly reduces the risk of catching a Trojan horse. Another remedy is to disable software installation in the browser altogether.
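The remedies above (disabling XPI installation, a site allow list, the forced pause before "Install") all live in the browser's preference files. The following is an added example, not part of the heise demo or of Mozilla's own code: a small Node.js audit that parses a prefs.js/user.js fragment and reports which of these safeguards are missing or weakened. The preference names xpinstall.enabled, xpinstall.whitelist.required and security.dialog_enable_delay are those of Firefox of that era and are assumed here; the sample fragments are constructed.

```javascript
// Added example: audit Mozilla/Firefox preference files for the XPInstall safeguards.
// Assumed pref names: xpinstall.enabled, xpinstall.whitelist.required,
// security.dialog_enable_delay (milliseconds before "Install" becomes clickable).
const PREF_RE = /^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);/;

// Parse user_pref("name", value); lines into a Map; other lines are ignored.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (!m) continue;
    const raw = m[2];
    let value;
    if (raw === 'true' || raw === 'false') value = raw === 'true';
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else value = JSON.parse(raw); // quoted string, with escapes
    prefs.set(m[1], value);
  }
  return prefs;
}

// Return a list of findings; an empty list means all three safeguards are in place.
function auditXpInstall(prefs) {
  const findings = [];
  // Absent pref means the browser default (enabled), so only an explicit false passes.
  if (prefs.get('xpinstall.enabled') !== false) {
    findings.push('xpinstall.enabled is not false: sites the user approves may install XPI files');
  }
  if (prefs.get('xpinstall.whitelist.required') === false) {
    findings.push('xpinstall.whitelist.required is false: the per-site allow list is bypassed');
  }
  const delay = prefs.get('security.dialog_enable_delay');
  if (typeof delay === 'number' && delay < 3000) {
    findings.push(`security.dialog_enable_delay is ${delay} ms: Install can be clicked before the 3 s pause`);
  }
  return findings;
}

// Constructed sample: a profile in which the safeguards were lowered.
const WEAK_PREFS = `
user_pref("browser.startup.homepage", "about:blank");
user_pref("xpinstall.whitelist.required", false);
user_pref("security.dialog_enable_delay", 0);
`;
// Constructed sample: the hardened counterpart.
const HARDENED_PREFS = `
user_pref("xpinstall.enabled", false);
user_pref("xpinstall.whitelist.required", true);
user_pref("security.dialog_enable_delay", 3000);
`;

console.log(auditXpInstall(parsePrefs(WEAK_PREFS)));     // three findings
console.log(auditXpInstall(parsePrefs(HARDENED_PREFS))); // []
```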
