> When a Web site asks the user to install a plug-in (ActiveX control or
Firefox Extension) to see the dancing bunnies, many people will do just
that, regardless of the dangers involved or the warnings provided.
So where is the *browser* vulnerability here? If some user drops his or her
security settings to zero, and then on a popup like "Very Cool soft.
Signed by Catch-Me-If-You-Can. Install?" presses "Install": what the hey
does Mozilla (or Microsoft) have to do with it? These are software companies,
not mental clinics.

If some "bunnies" were *signed* by some real certificate authority
(VerySign or Thawte), then it's again not a browser problem, but the
certificate authority failed to check the company properly. The only
stone that can be thrown at FF is *only if* it doesn't have a revoked
certificates check mechanism (IE has one for sure). Because even
certificate authorities are being cheated sometimes, especially VerySign
with its "class 3" delegated trust certificates. (You're giving it to a
reputable company, and someone passes it through the class 3 to some
scum.) But again, it has nothing to do with the browser vulnerability.
Vulnerability is when you have all recommended (default or higher)
security settings and are still being successfully attacked by site
content.