Trev has a good writeup about some obvious holes in Firefox plugins. I’ve long said that the biggest holes you will find in Firefox will be in the plugins themselves, not in the browser. I consider browser rulesets to be sorta the equivalent of killing an ant with a club. You can be pretty sure you’ve taken care of the issue if you turn off scripting in the browser, but that is not the case with tools like noscript. As Trev points out once you start making exceptions that’s where things start going awry quickly. To quote myself:
Trev himself told me that he’s been thinking about this a long time as well, outside of the context of my arguments. The sheer complexity of a stand alone web-browser is startling (in a big way this entire website is at least in part devoted to it) but it makes matters exponentially worse when you start adding new and untested technologies on top of the systems. Not that I think either Adblockplus or noscript are bad plugins, but both suffer from that exclusion list issue which really can make things far more complex from a security perspective. Diversity in browser functionality is a good thing for security, but from an actual vulnerability standpoint it’s a scary thought given how many holes we’ve found in these sorts of applications.
As a side note, I’ve been wanting to turn Adblockplus into an application firewall for a long time (over the less functional alternatives). I hope something as mature as adblockplus can be converted into something like this, because it’s got a great chance of at least partially mitigating a lot of problems that have been all but unsolvable to date.