To pull this off you need write access to Firefox's SQLite database.
If you have write access to Firefox's SQLite database you've already 'won', the system is already yours. You can do a lot more damage to the system than whitelisting a Firefox extension.
Sure, you could argue that this is another place for malware to hide - but I don't think that this is really a security flaw in Firefox.
You are correct. His point is that one can use this trick to install programs that Anti-Virus programs cannot detect, because they are part of the browsers, unlike perhaps a service.
Because while having control of a system is 'winning', one still wishes to do damage relatively undetected (if one's intent is to use the machine as a zombie, for instance). And doing it through Firefox is a very undetectable way to do so.
I just carefully re-read the text, and it never quite claims this is a security issue with Firefox. (I did not watch the video, so if it's in there, I did not see it.) It just says a lot of various true things, and leaves the implication hanging in the reader's mind without addressing it. I agree that it would be improved if the author was more clear that this is just the way of things in our current user-based permission model and there isn't anything Firefox can do to truly stop this.
As a factual presentation, it is worth pointing out to interested people that Firefox's protection is only advisory, and not completely perfect.
This is one of the exact scenarios Apple is trying to prevent with Gatekeeper. Although I think Apple implemented it poorly and I strongly object to their code signing policies, I do hope more OSes include application-level permissions and methods for developers to sign their binaries as a standard thing.
Plugins and automatic security updates (or any update for what it is worth) are the two biggest security holes ever.
Which is why for anything really sensitive I'm booting from a live CD, giving me a system which is "read-only" and not "phoning home" to see if there are updates.
It's a pain. But less of a pain than getting root'ed / admin'ed.
Signed binaries ain't helping either: we've seen several seemingly "legit" software signed with compromised keys.
Plugins are not security holes! Sure they make it slightly more accessible to e.g. steal browser passwords, but you can always inject code into other processes to do such things.
This does not increase privileges of the attacker: if the attacker can modify Firefox's profile directory, it could also inject something into Firefox or read the cookies directly.