Two 'extremely critical' vulnerabilities in Firefox
hankster
Sun 8th May '05, 4:58pm
http://secunia.com/advisories/15292/
MrNase
Sun 8th May '05, 5:28pm
Thanks for that notification :)
evssadmin
Sun 8th May '05, 6:05pm
http://secunia.com/advisories/15292/
Appreciate the notification. Thanks.
Moparx
Sun 8th May '05, 9:33pm
nothing to worry about unless you plan to manually add some random site into the install whitelist so it can execute its exploit
ajaspers
Sun 8th May '05, 9:48pm
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org"). How is this "extremely critical?"
Zachery
Sun 8th May '05, 10:29pm
Never know what spyware can do ;) modify the hosts files to point the domains at different servers. bam, whole can of worms
cirisme
Sun 8th May '05, 10:40pm
How is this "extremely critical?"
Good security is layered, so are better vulnerabilities. ;)
Scott MacVicar
Mon 9th May '05, 6:51am
Err, you can visit a site and it will install blah.exe on your machine and run it; to me that's Extremely Critical.
It uses 2 bugs. One is allowing JavaScript icons as the parameter to the install function for extensions; this is run as Chrome, which has full permissions to the system. But there is a whitelist for sites allowed to install extensions, specifically update.mozilla.org, so they found an XSS too, using event triggers and history.
But it's been blocked now by changing the install function at update.mozilla.org to have 32 random characters in the name.