Sneaky Microsoft Add-On Put Firefox Users At Risk 333
Posted by ScuttleMonkey
from the bad-microsoft-no-donut dept.
CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."
Sabotage? (Score:5, Insightful)
Almost (Score:4, Insightful)
That said, I should not have had to have gone to any such effort in the first place.
Re:remember the important part (Score:5, Insightful)
Re:Sabotage? (Score:3, Insightful)
Yeah, that sounds like the most likely scenario. It's not just piss poor code, no no. It's definitely a nefarious plan concocted by the Illuminati and put into action by the secret lab they have at Microsoft. First step - fuck up Firefox. Second step - Destroy national borders.
Too many movies makes you think strange things. For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP. Real life: rotary phones, paperwork in triplicate, and a gigantic fucking bureaucracy that thinks pagers are still useful.
Re:Sabotage? (Score:5, Insightful)
This is a .NET vulnerability, on MS Windows. Firefox being the vehicle is entirely Microsoft's fault as the maintainer of the .NET plugin.
Amazing (Score:5, Insightful)
Re:Sabotage? (Score:1, Insightful)
Even if it is regular incompetence, there will be people at Microsoft who will be delighted the add-on has the advantage of discrediting Firefox, and will be considering how best to use it. That's just the nature of any large corporation. Corporations don't blush. They maximize opportunity.
Whether initial malicious intent existed or not is pretty academic now, and likely unprovable in any case. What matters is the lever is inserted, and Microsoft will definitely be considering how much weight to put on it.
(And it doesn't mean you're not paranoid if they are out to get you.)
Re:Registry Danger! (Score:3, Insightful)
Re:Almost (Score:3, Insightful)
This is why you should read the release notes before you install software.
And the 109 page EULA. Don't forget to read all of that too. Pay particular attention to the 215+ word long sentences with words so long they wrap the window and stump your dictionary.
Read everything
Not this shit again. (Score:3, Insightful)
Shouldn't the title read (Score:5, Insightful)
"Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.
Re:Amazing (Score:2, Insightful)
Re:Sabotage? (Score:5, Insightful)
Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.
I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090 [microsoft.com]) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional - the vulnerability itself is a fairly obscure corner case in .NET bytecode validator/verifier, and, so far as I can tell, it has been there for a very long time, seemingly before WPF was even released. All in all, it looks like a genuine bug.
A testament to its obscurity is the way I encountered it - I was designing an Algol-60 compiler targeting .NET, and was looking for an efficient way to pass Algol function-type function arguments (which are effectively vararg on the caller side) without having to lift outer locals used by captured functions to heap. Only after coming up with an efficient design and testing that it works, I realized the implications of what I had just done to the verifier.
I cannot comment on CVE-2009-2529 (the second Firefox-affecting vulnerability), but I don't see how it would be any different. Really, the idea of MS deliberately adding vulnerabilities to its products in hope of marginally affecting Firefox by them (remember that IE is hit much worse...) is pretty absurd - even if you disregard the notion of business reputation when it comes to MS, it poses a very high legal liability. No-one in a sane mind would even contemplate doing such a thing.
Disclaimer: I do work for Microsoft at present, though not on the affected products. I did not work for Microsoft when I discovered and reported that vulnerability.
Re:Not this shit again. (Score:5, Insightful)
There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.
No. Wrong. Installing plug-ins or extensions without asking is bad. Period. Full stop. End of story.
Re:What? Shouldn't firefox fix this one? (Score:4, Insightful)
So firefox allows a rogue addon to install without any user intervention and the story is all about how evil MSFT is?
Sure, they did it. Bad Microsoft.
But isn't the bigger issue that now that this is known....*anyone* can pull this on firefox users?
No. I am not apologizing for Microsoft. This was "Sony Stupid" of them. We're used to that here, though. What we're not used to (and apparently sweeping under the rug) is the massive, unholy hell of a mess mozilla's extension system for firefox is....
Anyone that can run executable code on your system can do anything to your system. The "good guys" aren't supposed to do things to your system without asking you first. The "bad guys" can simply replace Firefox entirely with a version that has whatever features they want. If you let someone run code on your system, you lose. Firefox cannot stop that code from doing whatever it wants. The point is that you're supposed to only install software from vendors you trust. You should be able to trust Microsoft, and that your trust was abused, and abused in a way that caused you to be vulnerable to remote exploits, is the story here.
Re:Sabotage? (Score:3, Insightful)
And it is actually quite simple to remove with regedit. For those that want to toss it, just launch regedit and go to HKEY_LOCAL_MACHINE > Software > Mozilla > Firefox > Extensions. There you will find both it and the Java extension, just delete and voila! No more Dotnet or Java plugins.
Whoa, there partner! There hasn't been even a theoretical remote Java exploit for quite some time. The Java plugin is actually useful (especially on the corporate desktop where there are a lot of enterprise-internal Java apps not made available to the public) so might be worth leaving it on.
Re:Sabotage? (Score:3, Insightful)
Users can't use regedit. Apple knows it for the tiny plist files (which are text) so they did a "plutil" (plist utility) command included in OS which they (or developers) can tell users to run Terminal and "paste that command _exactly_ as it appears".
While there are 3.500.000 results for "run regedit" at Yahoo, can't they steal that idea from Apple so it would be basically "regutil --remove HKLM_Software_Mozilla_Firefox_Extensions .net"?
The most insane idea of all is entering Firefox on Windows, you know, the browser which its users use rejecting your built-in browser. I wouldn't touch a byte in the Firefox dir if I was MS. Even Apple, who isn't that "hated", doesn't do anything regarding extensions; they merely install a basic browser plugin, which they still get flamed for.
Re:except Windows 7 (Score:3, Insightful)
or ... here's a novel idea ... get ready ...
maybe microsoft could try making good quality products that people want to use instead of spending all their money on subversive, childish, and frankly idiotic, endeavors to stem the flow of users away from their products.
they have been doing the same crap for years with every piece of software in the market that's not theirs. they release an update that makes it insecure or unstable.
not that they care, but i have no respect whatsoever for the poor excuses for businessmen that run Microsoft.
nothing new though i guess ... rather than come out with something useful that makes the world better they just keep churning out the same old crap and bulldoze anyone who gets in their way just like the insurance industry, petroleum industry etc. /sigh
Re:Sabotage? (Score:4, Insightful)
[...] can't they steal that idea from Apple so it would be basically "regutil --remove HKLM_Software_Mozilla_Firefox_Extensions .net"?
Isn't this exactly what reg.exe does already?
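For the two comments above (the regedit walk-through, and the wish for a scripted "regutil"), here is an added PowerShell example that is not part of the thread and not code from Microsoft, Mozilla, or any commenter. It audits the registry key the thread names (value name = extension ID, value data = directory containing the extension's install.rdf, which is how Firefox 3.x discovered externally registered extensions) and removes one entry by ID. The Wow6432Node path and the placeholder extension ID are assumptions; the .NET assistant's real ID is not on this page.

```powershell
# Added example; not code from the thread or from Microsoft/Mozilla.
# Registry keys Firefox scans for externally registered extensions. The
# HKLM path is the one the thread names; the Wow6432Node path is an
# assumption for 32-bit Firefox on 64-bit Windows.
$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

function Get-RegistryFirefoxExtension {
    # Each value under a key is one registered extension:
    # value name = extension ID, value data = directory holding install.rdf.
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($id in $regKey.GetValueNames()) {
            $dir = [string]$regKey.GetValue($id)
            [pscustomobject]@{
                Key         = $key
                ExtensionId = $id
                Directory   = $dir
                DirExists   = (Test-Path -LiteralPath $dir)
                HasManifest = (Test-Path -LiteralPath (Join-Path $dir 'install.rdf'))
            }
        }
    }
}

function Remove-RegistryFirefoxExtension {
    # Deletes only the registry value, so Firefox stops loading the
    # extension; the files on disk are left untouched for later review.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ExtensionId)
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        if ($regKey.GetValueNames() -contains $ExtensionId) {
            if ($PSCmdlet.ShouldProcess("$key\$ExtensionId", 'Remove registry value')) {
                Remove-ItemProperty -Path $key -Name $ExtensionId
            }
        }
    }
}

# Usage: list what is registered, then preview a removal before doing it.
Get-RegistryFirefoxExtension | Format-Table -AutoSize
# Remove-RegistryFirefoxExtension -ExtensionId '{placeholder-extension-id}' -WhatIf
```

Run the listing from an ordinary prompt to see what has been registered outside your profile; the HKLM values can only be removed from an elevated session. The -WhatIf switch prints what would be deleted without touching the registry, which is the safety net the thread's "one misstep can cripple the PC" warning is asking for.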
Re:except Windows 7 (Score:2, Insightful)
Or if Ubuntu is the unstable and annoying one out of distros, the rest must be utterly amazing.
Re:Sabotage? (Score:2, Insightful)
Of course you are, everyone on Slashdot knows people who work at Microsoft aren't human and are all entirely malicious. They know anyone supporting Microsoft's viewpoint is just a paid shill, in fact they know you made the whole story up to cover up the real story.
Unfortunately, what people "know" on Slashdot is never actually the truth but a disturbingly paranoid cocktail of ignorance and idiocy.
Thanks for the write-up, it's always really interesting to hear how people stumble across bugs like this in the first place, because I don't think the obscurity of your story was unique to bug reports - there's an interesting story behind many such bugs and they're all worth hearing as they generally involve something deeply technical and frankly, I'd rather hear such deeply technical stories than a bunch of OSS/Mac zealots whinging about how Microsoft did it intentionally so that when Steve Jobs has a pacemaker installed running Windows it instantly crashes killing him off and destroying Apple's share price, or whatever the fuck crazy story said zealots decide to conjure up in their paranoid minds next.
Of course, what said zealots miss, is that their zealotry and ignorance is more often than not what leads to the vast majority of users being put off their preferred platform.
Re:Sabotage? (Score:2, Insightful)
But this is exactly the kind of crap instructions you get when you try to do anything in Linux. I would have thought Slashdot would be singing the praises of this kind of obtuse set of instructions!
Re:except Windows 7 (Score:4, Insightful)
Which is exactly what makes it outrageous.
What the fuck kind of business does MS have with patching someone else's friggin software?
I'd say that MS is illegally making a derivative binary work and should get nailed for infringing on mozilla copyrights.
Additionally, I also say that MS is engaging in anti-competitive behavior by sabotaging a rival product.
Re:Registry Danger! (Score:3, Insightful)
Go with me on this one. *ahem*
"Windows will NEVER be ready for the desktop until you can remove a plugin without hacking the registry. If a user has to open regedit.exe MS has already failed."
Re:Sabotage? (Score:5, Insightful)
No, it is paranoid. How are you finding out about the vulnerability? Because Microsoft patched it last Tuesday. If they wanted to discredit Firefox they would have shipped something to take advantage of the security hole, not something to fix it. Besides, a security hole that only exists on the Windows version of Firefox (and will inevitably be traced back to their code) just makes it look like it is better to run FF on Linux rather than Windows - which would NOT be what they wanted.
The sad part is that this could have gone so well for them. This should have been remembered for Microsoft supporting alternate browsers under Windows so it would be one less reason to say how IE has an unfair advantage. I could (barely) forgive them for silently installing the extension, because from Microsoft's point of view they are adding support for Firefox to .NET rather than the other way around.
What was unforgivable was shipping this without the ability to disable the extension. Even if they had never contemplated the idea that anyone would want to uninstall it, it should have been blindingly obvious that a grayed out Disable button meant that this would stand out from other extensions. They couldn't just say that they didn't notice that it was not able to be uninstalled.
I would like to know how you disable those buttons. Is there some API call when installing the extension (meaning it is a deliberate feature, for which both Microsoft and Mozilla should be shot)? Is it caused by a lack of uninstall script (meaning Microsoft did a half-arsed job of writing the extension)? Or is it a permissions thing that the update was installed by the Administrator account and limited users were not allowed to delete the files/registry keys (meaning... I don't know what to think of that option)?
Re:Sabotage? (Score:5, Insightful)
What idiot modded that insightful?
It is weird how Windows advocates are quite happy to mess about in the Windows registry but claim that copying and pasting a few lines into a terminal window is difficult.
Re:except Windows 7 (Score:4, Insightful)
To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft...
Well, of course it is... After all, isn't being unable to prevent the company that controls the OS your program runs under from automatically installing unremovable exploit code a severe security hole in your program? So clearly it's a problem with Mozilla, and has nothing to do with Microsoft at all.
Re:except anything but Windoze (Score:4, Insightful)
I know you didn't start this, but I have to say:
2k10... 2k08...
What the hell? Are these supposed to be short for 2010 and 2008? What's the freaking point of writing them like that?
Re:Sabotage? (Score:2, Insightful)
Yeah about that? I've found those copy/pasta in the terminals don't...oh what is the word...oh yeah, actually work. Because it was cooked up by some guy with a hardware/software setup that was "kinda sorta like yours, but not really, oh and different revs on hardware firmware".
Contrast this to windows where the EXACT SAME reg file that worked on granny's XP works on little Timmy's gamer rig. That is what is nice about the reg-XP is XP is XP, no matter the hardware. You ever try to get one of those damned Broadcom wireless to WPA2 with those "easy to copy paste" commands in Linux? Yeah, good luck with that pal. It'll make you want to see how far you can chunk that laptop after a half day of dealing with that migraine creator. No thanks.
After 15 years of dealing with Windows as a PC repairman, from Win3.x on up, I can say without fear of exaggeration that Windows on its worst day doesn't equal the bringing of the pain that is Linux. Linux guys like to talk about switching Windows users, but let's be honest here, okay? It's bullshit. Linux is NO different than Mac. Linux is just hunky dory IF you have the right hardware, but that is a really big fucking IF, and of course finding out if that hardware you just bought is gonna work or not is a royal PITA. At least the Mac guys have the Apple store, and Windows has...well, every other store, but Linux? Yeah, enjoy those hours trawling forums there, pal. No thank you, I spend all damned day fixing boxes, the LAST thing I want to do is spend a few hours in a fricking CLI trying to "tweak" a ton of Unix commands in the hopes I can get my soundcard unborked. Bleech!