Asyn posted about it somewhere on the forums; I replied there that I’d report it to Mozilla, knowing in advance they’d know it already.
Anyway, here’s the response to my bug report:
This is a known issue but it's an attack vector we don't currently plan to address. The 3rd party install notification is to give the user choice and control over legitimate programs who try to install adware/bloatware. For that kind of program violating programmatic norms of this sort can be addressed by public pressure or lawsuits (e.g. the lawsuit against Google for bypassing Safari's 3rd-party cookie controls).
If you have actual malware running on your system there’s really no mechanism that can prevent tampering with user data. At least if we let them do this as the path of least resistance there’s a chance it can be discovered – for example anti-virus tools could watch for non-Firefox processes writing to this file, or the user will notice the add-on they know nothing about. It’s also relatively easy to clean up if this is how the malware has hooked in.
Such malware could just as easily modify one of the existing addons and that would be much harder to detect or clean up. Or it could modify other parts of Firefox itself.
more info here:
http://www.h-online.com/open/news/item/Silent-installs-of-add-ons-still-possible-in-Firefox-1787297.html
and there:
http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html