Sneaky Microsoft Add-On Put Firefox Users At Risk 333
Posted
by
ScuttleMonkey
from the bad-microsoft-no-donut dept.
from the bad-microsoft-no-donut dept.
CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."
Not true (Score:5, Informative)
Re:Sabotage? (Score:5, Informative)
Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.
It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?
Registry Danger! (Score:5, Informative)
Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.
Also, the ability to remove this plug-in was covered on Slashdot a few months ago when Microsoft released version 1.1. It was included in an earlier service release to the .NET Framework for Windows XP and Windows Vista. This plug-in doesn't even exist in Windows XP by default. You must have installed .NET Framework 3.0 or higher to get it. Windows Vista includes .NET Framework 3.0, but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand. Windows 7 allows you to do it because the earlier service release is part of the operating system.
Microsoft bashing is fun, but let's stick to facts.
Re:Not true (Score:5, Informative)
(Going to the Advanced Settings in Java under the Control Panel to uninstall a Firefox extension is unacceptable. I also wish they'd clean up their plug-ins when they update.)
Deja-vu (Score:2, Informative)
Is it just me, or were we just talking about this [slashdot.org]
Re:except Windows 7 (Score:4, Informative)
...depends - the Windows 7 beta and RC had that nasty little habit as well. The RTM is (so far) not doing it.
In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).
To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft... just look at how they're blaming ORacle and Sun for the Sidekick data loss (in spite of the fact that it was lost because their management apparently forgot how to spell "backup").
Re:Registry Danger! (Score:4, Informative)
but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand.
You mean like this? [adblockplus.org] That's *no* uninstalling.
Re:Sabotage? (Score:5, Informative)
WPF not Assistant (Score:2, Informative)
Re:Registry Danger! (Score:5, Informative)
"It's no more dangerous to delete something from your registry"
Perhaps, but...
Re:Not true (Score:3, Informative)
Original reporting from 09 Feb 09: Microsoft Update Slips In a Firefox Extension [slashdot.org]
Follow-up with removal instructions from 05 Jun 09: MS Issued a Fix For Its Unwanted FireFox Extension [slashdot.org]
The second article notes that the fix was actually issued in early May.
Re:Amazing (Score:4, Informative)
If anything, this case further reinforces that claim. Any new functionality (including plugins) added to a browser increases its attack surface, unless it completely replaces part of the existing code. In this case, the increased surface was due to WPF being exposed. In case of Chrome plugin, it's Chrome rendering engine.
If Chrome completely replaced IE renderer, with no means to re-activate it, then it would be reasonable to argue that it does improve security. However, Chrome renderer is opt-in, which means that any attack site willing to exploit an IE vulnerability will happily work in IE with Chrome plugin installed, but at the same time any site willing to exploit a Chrome vulnerability - and it's not like there aren't, or will never be, any - can request IE with Chrome plugin to use Chrome for rendering.
Re:What? Shouldn't firefox fix this one? (Score:3, Informative)
That was my reaction as well. How can ANY firefox plugin be given the authority to not allow itself to be turned off? Sure, it's Microsoft being an asshole, but that also seems like broken behavior on Firefox's part.
Easy, install the plug-in or add-on to a system directory the current user doesn't have permission to change. This wasn't installed through Firefox's add-ons manager. This was installed by a third party executable that dumped the file into a location that the current user couldn't modify.
Re:except anything but Windoze (Score:2, Informative)
You may find free and secure alternatives to Windows at http://ubuntu.com/ [ubuntu.com] or http://opensuse.org/ [opensuse.org]
Re:Shouldn't the title read (Score:3, Informative)
"Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.
In a way it is sneaky. If I used Firefox in Windows and wanted this plugin, I would install it myself. Anyone using Firefox in Windows is already demonstrating that they are aware that they have choices as to what browser software to use, and I strongly doubt that the average Firefox user has never heard of addons.mozilla.com or otherwise doesn't know how to locate and install desired add-ons/plugins on their own.
.NET package. Then either remove it from Windows Update completely and offer it as a voluntary download, or, make it a separate line-item update that can be declined.
The case can be made for automagically installing things for the "blue E is the Internet!" crowd as they are rather averse to any involvement in this sort of decision-making, viewing it as an unwanted burden. Yet even then, it's non-ideal. The honest, non-sneaky way to handle this would be to separate it from the core
Just assuming that you must want this non-essential thing and making that assumption without considering security implications, all in the name of increasing marketshare, is what's sneaky or exploitative. People who use automatic Windows Updates do so because they rely on it to keep their systems patched and secure. When they are not technically inclined, they are something of a captive audience in this scenario.
You know, when the big virulent worms like Sasser and Code Red came out, they attacked vulnerabilities for which patches had already been issued. I used to wonder why so many people didn't keep their machines more up-to-date when an automatic mechanism is provided that will do it for them. Every time I see something like this, I begin to understand why. It's in everyone's interest to lessen the number of vulnerable machines on the network. Another reason to distrust a mechanism that could have prevented many of these infections does not further that interest. If Microsoft were really serious about security, they would minimize this effect by separating Windows Update into two categories: "Bugfixes & Security Patches", and an optional "New Features".
Re:except Windows 7 (Score:4, Informative)
Re:except Windows 7 (Score:3, Informative)
You should learn to read the article, too.
FTFA:
Emphasis mine.
Also, note that this plugin update was pushed out via Windows Update.
Re:except Windows 7 (Score:3, Informative)
Re:except anything but Windoze (Score:5, Informative)
Re:Sabotage? (Score:3, Informative)
Uuuuhhh...never heard of a .reg file? If you have somebody who is afraid of using the reg they really ain't hard to cook up. if you need one here [mydigitallife.info] is a nice tutorial on how to modify and delete reg entries with a .reg file. Certainly a lot easier to go "clicky clicky" on a reg file than risk having the user bone something in CLI.
That is one of the nice things about the Windows registry-it really isn't hard to cook up a .reg file in notepad and send it to someone having a problem. Oh and if anybody needs it here [kellys-korner-xp.com] is a page of the most common fixes for those little problems that pop up from time to time, and nearly all of them are nice simple .reg files that makes it simple to send to someone having trouble or keep on a flash in a misc tools folder. Despite all the hate out there for the reg is actually pretty simple to backup, fix, and maintain, with little effort.