Sunbelt Software: Spyware, Adware, & Mozilla Firefox
well start clicking through boxes, merrily giving their consent to unwanted software just as they do now with older versions of Internet Explorer.
Users of Mozilla Firefox can install software in at least four different ways. (See example screenshots in "Figures: Firefox Installation Methods" at the end of this document.) First, they can download a traditional setup program to their hard drives and run it. Second, they can install browser plugins, like Macromedia Flash, that let Firefox display special types of content on web sites. Third, they can install "browser extensions," which are special add-on programs that provide extra functionality to Firefox. Fourth, they can consent to the use of Java applets that are loaded by web sites to add special features to web pages. We can set aside traditional setup programs because although there is always risk in downloading and running software from the internet, users must deliberately run such programs once those programs land on their hard drives. The other types of software installations are fraught with danger, though -- especially the "browser extensions" and Java applets.
When Firefox users visit web sites that require plugins to display special content, Firefox provides a discrete notice in a yellow information bar along the top of the browser window. It also embeds clickable notices within the web page itself. Once users click the yellow information bar or the embedded notices, they are stepped through an installation wizard that names the plugin to be installed and displays a EULA. As installation processes go, this one isn't too bad, though it could be improved to require vendors to supply a more readable summary or description of the plugin and its functionality. With only a long, legally dense EULA to read, many users could simply click through to install the plugin without fully understanding the nature and purpose of the software. At least such plugins can supply a EULA, though.
"Browser extensions," by contrast, are much more problematic. When web sites attempt to install "browser extensions," Mozilla Firefox again displays a notice in a yellow information bar along the top of the browser window. After users click the information bar, however, they are presented with prompt to add the web site to a list of sites allowed to install software. No information is provided about the web site or the software. If users elect to permit the site to install software, they are presented with another prompt to allow installation of the particular "browser extension." This installation prompt provides even less information than the old Internet Explorer "Security Warning" box -- there's not even a link for users to click to get more information or to read the EULA. Without such information, many users might click the "Install Now" button, not understanding that they've consented to the installation of adware or spyware. And although the "browser extension" installation process does require users to jump through several hoops, the utter lack of useful information all the way along is a potentially serious problem.
The greatest risk, though, comes from Java applets, which Firefox can install and run with the aid of Sun's Java Runtime Extension (JRE) (http://java.sun.com/). Many web sites use Java applets to enhance the functionality of web pages, and most Java applets are completely innocuous, though we have seen Java applets that are used to install spyware and adware. Thus, Java applets represent yet another means through which Firefox users could encounter such unwanted software, and even experienced users could unwittingly consent to the installation of spyware and adware delivered by rogue Java applets.