Perhaps you read the Mozilla blog at http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/ where it was revealed that two add-ons for Firefox were infected with Trojans. In this case the distribution was very small, so not many users were infected, but this type of attack is likely to grow.
For a large part of the time I worked at Microsoft, I was responsible for ensuring that Microsoft did not release infected software. To some extent my job was made easier by the fact that most of the software was developed at Microsoft and the rest was from 3rd parties who had a financial interest in maintaining business ties with Microsoft. For companies like Mozilla, Apple, and Google the job is far more difficult.
The add-ons are not “Firefox” or Mozilla code. Anyone is welcome to write an add-on and submit it for distribution. Apple’s iPhone App Store lets anyone write and distribute applications for the iPhone. Just as Mozilla experienced a malicious contributor, Apple has had to pull spyware applications off of the iPhone App Store according to an article at http://news.cnet.com/8301-27080_3-10446402-245.html.
Google will allow developers to write applications for the Android phones and you better bet there will be some malicious ones. Facebook, MySpace, Orkut, and other popular social networking sites allow people to write and distribute applications.
The common thread is that you, the consumer, do not know who wrote these applications, what their intent is, or what their knowledge of security is. In the case of Rockyou.com, miserable security malpractice resulted in over 32 million user email addresses and passwords being compromised.
No matter whether you use a Mac or a PC, an iPhone, an Android, a Blackberry, or some other device, be careful when choosing to install an application or add-on. Find out who it is from and whether there is a reason to trust them, or you may find your free program is very expensive.
It is good that Mozilla has added a couple more virus scanners to their arsenal, but they probably should be using a whole lot more than three, and I would question whether they have the process for publishing add-ons tuned to where it should be. They are doing a good job, but there is often room for improvement.
If they would like me to assist with their process, I think they know where to find me. I’d be happy to provide insight, experience, and recommendations at no cost should they choose to pursue it.
Director of Technical Education
Author ESET Research, We Live Security