Firefox/3.6/DLL Blocking

From MozillaWiki

In order to prevent incompatible DLL files from causing potentially exploitable but assuredly undesirable instability, Firefox 3.6 will use two strategies to prevent unauthorized DLLs from loading:

  1. A whitelist of authorized components in the "components folder" (%appdir%\components) will be compiled at build time, and Firefox will not load any other DLL/js placed in the components folder.
  2. A blacklist of forbidden DLLs will be compiled at build time, and any DLL on that list will not be loaded by the Firefox process.

This page tracks the progress of these projects, outstanding issues, and ownership.

Component Directory Lockdown

Owner: Johnathan Nightingale

Implementation

Landed on mozilla-central and mozilla-1.9.2; see bug 519357.

Affected 3rd party software

QA built a list of popular 3rd party software and determined which of them installed elements into the component directory. The full list is available here along with the actions.

Outstanding issues

  • Google Desktop Search is affected by this change
    • They have been contacted [beltzner, johnath] and confirm that they are working on an XPI-packaged version, though they haven't supplied an ETA as of Dec. 15

DLL Blocklist

Owner: Johnathan Nightingale

Implementation

Landed in mozilla-central and mozilla-1.9.2, see bug 524904.

Current blocklist

Affected 3rd party software

  • AVG 8 is on the blocklist as of bug 525103. They are aware of this, and it does not impact the current version.
  • Google confirms that the unversioned instances of GoogleDesktopNetwork3.dll that have been associated with many of our crashes are ancient, and that their current versions are versioned. Unversioned instances (version < 0) were blocklisted in bug 519344.
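
An added example, not Mozilla's code, of how a build-time blocklist with version bounds can decide whether to refuse a DLL. It covers both cases listed above: an older release blocked while the current one still loads, and unversioned copies of GoogleDesktopNetwork3.dll. The second entry name, all version numbers, and the fail-closed handling of unversioned files are assumptions.

```cpp
#include <cctype>
#include <cstdint>
#include <string>

// Pack a four-part Windows file version (a.b.c.d) into one comparable integer.
constexpr uint64_t MakeVersion(uint16_t a, uint16_t b, uint16_t c, uint16_t d) {
  return (uint64_t(a) << 48) | (uint64_t(b) << 32) | (uint64_t(c) << 16) | uint64_t(d);
}

// Bound of zero: only copies with no version info (or 0.0.0.0) are refused.
constexpr uint64_t UNVERSIONED_ONLY = 0;

struct BlockEntry {
  const char* name;     // lower-case leaf file name
  uint64_t maxVersion;  // versions <= this value are refused
};

// Table fixed at build time. The second name and both bounds are constructed.
static const BlockEntry kBlocklist[] = {
    {"googledesktopnetwork3.dll", UNVERSIONED_ONLY},
    {"example_av_hook.dll", MakeVersion(8, 0, 0, 0)},  // hypothetical entry
};

// Windows file names are case-insensitive, so compare the lower-cased leaf name.
static std::string LeafLower(const std::string& path) {
  const auto pos = path.find_last_of("\\/");
  std::string leaf = (pos == std::string::npos) ? path : path.substr(pos + 1);
  for (char& ch : leaf)
    ch = static_cast<char>(std::tolower(static_cast<unsigned char>(ch)));
  return leaf;
}

// Decide whether a load request should be refused. hasVersion is false when
// the file has no version resource; a listed name without one is refused
// (fail closed), which is an assumption of this example.
bool IsBlocked(const std::string& path, bool hasVersion, uint64_t version) {
  const std::string leaf = LeafLower(path);
  for (const BlockEntry& e : kBlocklist) {
    if (leaf != e.name) continue;
    return !hasVersion || version <= e.maxVersion;
  }
  return false;  // not listed: load normally
}

int main() {
  // An unversioned copy is refused; a versioned copy of the same DLL loads.
  const bool ok = IsBlocked("C:\\GDS\\GoogleDesktopNetwork3.DLL", false, 0) &&
                  !IsBlocked("GoogleDesktopNetwork3.dll", true, MakeVersion(5, 9, 0, 0));
  return ok ? 0 : 1;
}
```

Matching on the leaf name alone means a renamed copy of a listed DLL is not caught; the version bound is what lets a vendor's fixed release load again without a new build of the table.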

Outstanding issues