Firefox/Mozilla/Netscape Demo: Loading and executing files as XPI
With Mozilla, Netscape and Firefox, additional
functions can be downloaded and installed via browser
extensions. These extensions are packed into
In Mozilla 1.7 and current Firefox releases, the default setting has been changed to "cancel", and a forced pause of three seconds has been built into the dialog. The browsers also maintain lists that permit XPI installation only from specific sites.
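To check whether a profile still enforces that site list, the following added example (not part of the original page) audits the text of a profile's prefs.js. The preference names `xpinstall.enabled` and `xpinstall.whitelist.required` are not taken from the page; the defaults used and the sample input are assumptions built for illustration.

```python
import re

# Preference names are not from the page: they are the Mozilla/Firefox settings
# that govern XPI installation. Assumed defaults apply when prefs.js is silent.
DEFAULTS = {
    "xpinstall.enabled": True,             # web pages may request installs at all
    "xpinstall.whitelist.required": True,  # only listed sites may install
}

# Matches active boolean prefs only; commented-out lines do not match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.MULTILINE
)

def effective_prefs(prefs_text):
    """Return the XPI-related prefs after applying overrides from prefs.js."""
    prefs = dict(DEFAULTS)
    for name, value in PREF_RE.findall(prefs_text):
        if name in prefs:
            prefs[name] = (value == "true")
    return prefs

def audit(prefs_text):
    """Return findings; an empty list means the site list is still enforced."""
    prefs = effective_prefs(prefs_text)
    if not prefs["xpinstall.enabled"]:
        return []  # installation from web pages is switched off entirely
    findings = []
    if not prefs["xpinstall.whitelist.required"]:
        findings.append(
            "xpinstall.whitelist.required=false: sites that are not on the "
            "list can trigger the install dialog"
        )
    return findings

# Constructed sample of prefs.js content (not from a real profile).
SAMPLE = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("xpinstall.whitelist.required", false);
'''

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["XPI installation is limited to listed sites"]:
        print(line)
```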
Demo:
When you start the demo, a bar appears with a message saying that software installation was prevented. If you permit this site to install software, a dialog appears to guide you through the software installation process. If you click "Install", the demo program is launched and a red window appears displaying the message "You are vulnerable".
Although at present the following demo only works on Windows systems and under Linux (x86), programs can also be installed and executed on other platforms. While this demo requires JavaScript, XPI files can in principle be installed even if JavaScript is disabled.
Remedy:
Users are advised to install software only from a few trusted sites. This is, however, no guarantee; attackers may also manipulate such Web pages and plant malicious programs on them. An update to Mozilla 1.7 or a current Firefox version significantly reduces the risk of catching a Trojan horse. Another remedy is to