Every time it looks as if Mozilla is getting on top of the problem of malicious or risky extensions, it finds itself having to step in to block another batch.
In the latest action, noticed by a ZDNet reporter, Mozilla banned 197 extensions, 129 of which were published by one B2B software developer, 2Ring.
The nature of the banned extensions is difficult to say – Mozilla lists them on Bugzilla using only the IDs they used on addons.mozilla.org (AMO) – however, 2Ring’s products appear to be designed for organisations using Cisco telephony and other software products.
These will now be disabled in Firefox and it will no longer be possible to install or update them.
What did the extensions do to incur Mozilla’s wrath? According to the reviewer who made the decision:
I’ve reviewed the add-ons and confirmed they are executing remote code.
Dredging a swamp
The hard ban on extensions that execute remote code seems to have happened around the time pre-release versions of Firefox 72 hove into view, but this was only noticed by some developers and users when the company abruptly banned several page translation extensions in November.
At the time, some developers complained that Mozilla hadn’t communicated the change and offered no workaround for a small number of cases where it might prove useful.
In fact, the policy on remote code goes back to the early days of Firefox but was apparently not always enforced. Mozilla’s policy is now unambiguous – add-ons must be self-contained and not load remote code, which opens up the user to all sorts of risks.
That implies that, prior to November, extensions loading such code could operate with more freedom, specifically those that were being self-hosted as unlisted extensions rather than served via the AMO.
That doesn’t mean that every extension loading remote code in the past was doing so for malicious reasons, but it underlines how Mozilla is having to tighten controls in the face of growing abuse.
It’s becoming a perpetual game of whack-a-mole.