This isn't a security issue in Firefox.<p>To pull this off you need write access to Firefox's SQLite database.<p>If you have write access to Firefox's SQLite database you've already 'won', the system is already yours. You can do a lot more damage to the system than whitelisting a Firefox extension.<p>Sure you could argue that this is another place for malware to hide - but I don't think that this is really a security flaw in Firefox.
This is one of the exact scenarios Apple is trying to prevent with Gatekeeper. Although I think Apple implemented it poorly and I strongly object to their code signing policies, I do hope more OSes include application-level permissions and methods for developers to sign their binaries as a standard thing.
Plugins and automatic security updates (or any update for what it is worth) are the two biggest security holes ever.<p>Which is why for anything really sensitive I'm booting from a live CD, giving me a system which is "read-only" and not "phoning home" to see if there are updates.<p>It's a pain. But less of a pain than getting root'ed / admin'ed.<p>Signed binaries ain't helping either: we've seen several seemingly "legit" pieces of software signed with compromised keys.<p>False sense of security.