Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Microsoft IT

Sneaky Microsoft Add-On Put Firefox Users At Risk 333

CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."
This discussion has been archived. No new comments can be posted.

Sneaky Microsoft Add-On Put Firefox Users At Risk

Comments Filter:
  • by nurb432 ( 527695 ) on Friday October 16, 2009 @03:15PM (#29772471) Homepage Journal

    Best upgrade then ya lusers!.. Here is an online form to order your shiny new pc with Windows 7..

    • Re:except Windows 7 (Score:4, Informative)

      by Penguinisto ( 415985 ) on Friday October 16, 2009 @03:44PM (#29772781) Journal

      ...depends - the Windows 7 beta and RC had that nasty little habit as well. The RTM is (so far) not doing it.

      In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).

      To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft... just look at how they're blaming ORacle and Sun for the Sidekick data loss (in spite of the fact that it was lost because their management apparently forgot how to spell "backup").

      • by srmalloy ( 263556 ) on Saturday October 17, 2009 @02:05AM (#29776095) Homepage

        To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft...

        Well, of course it is... After all, isn't being unable to prevent the company that controls the OS your program runs under from automatically installing unremovable exploit code a severe security hole in your program? So clearly it's a problem with Mozilla, and has nothing to do with Microsoft at all.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      or ... here's a novel idea ... get ready ...

      maybe microsoft could try making good quality products that people want to use instead of spending all their money on subversive, childish, and frankly idiotic, endeavors to stem the flow of users away from their products.

      they have been doing the same crap for years with every piece of software in the market that's not theirs. they release an update that makes it insecure or unstable.

      not that they care, but i have no respect whatsoever for the poor excuses for bus

  • Sabotage? (Score:5, Insightful)

    by Reyendo ( 1451201 ) <learnfully@yahoo.com> on Friday October 16, 2009 @03:19PM (#29772511)
    Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.
    • Re: (Score:3, Interesting)

      by Voulnet ( 1630793 )
      On the other hand MS shouldn't want Windows machines to be anymore vulnerable.
      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Friday October 16, 2009 @03:45PM (#29772791)
        Comment removed based on user account deletion
        • Thanks for the laugh. I'm not sure that the guy who modded you "informative" really got that one though.
        • Re: (Score:3, Insightful)

          And it is actually quite simple to remove with regedit. For those that want to toss it just launch regedit and go to HKEY LOCAL MACHINE > Software> Mozilla > Firefox > Extensions. There you will find both it and the Java extension, just delete and voila! No more Dotnet or Java plugins.

          Whoa, there partner! There hasn't been even a theoretical remote Java exploit for quite some time. The Java plugin is actually useful (especially on the corporate desktop where there are a lot of enterprise-internal Java apps not made available to the public) so might be worth leaving it on.

        • Re: (Score:3, Insightful)

          by Ilgaz ( 86384 )

          Users can't use regedit. Apple knows it for the tiny plist files (which are text) so they did a "plutil" (plist utility) command included in OS which they (or developers) can tell users to run Terminal and "paste that command _exactly_ as it appears".

          While there are 3.500.000 results for "run regedit" at Yahoo, can't they steal that idea from Apple so it would be basically "regutil --remove HKLM_Software_Mozilla_Firefox_Extensions .net"?

          The most insane idea of all is entering Firefox on Windows, you know, t

    • Re:Sabotage? (Score:5, Informative)

      by noundi ( 1044080 ) on Friday October 16, 2009 @03:29PM (#29772617)

      Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

      It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?

      • Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

        It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?

        Because if it looks deliberate, the FTC gets mad at you. They never actually do anything, though.

      • Re:Sabotage? (Score:5, Insightful)

        by Gadget_Guy ( 627405 ) on Friday October 16, 2009 @09:32PM (#29775223)

        No, it is paranoid. How are you finding out about the vulnerability? Because Microsoft patched it last Tuesday. If they wanted to discredit Firefox they would have shipped something to take advantage of the security hole, not something to fix it. Besides, a security hole that only exists on the Windows version of Firefox (and will inevitably be traced back to their code) just makes it look like it is better to run FF on Linux rather than Windows - which would NOT be what they wanted.

        The sad part is that this could have gone so well for them. This should have been remembered for Microsoft supporting alternate browsers under Windows so it would be one less reason to say how IE has an unfair advantage. I could (barely) forgive them for silently installing it the extension because from Microsoft's point of view they are adding support for Firefox to .NET rather than the other way around.

        What was unforgivable was shipping this without the ability to disable the extension. Even if they had never contemplated the idea that anyone would want to uninstall it, it should have been blindingly obvious that a grayed out Disable button meant that this would stand out from other extensions. They couldn't just say that they didn't notice that it was not able to be uninstalled.

        I would like to know how you disable those buttons. Is there some API call when installing the extension (meaning it is a deliberate feature, for which both Microsoft and Mozilla should be shot)? Is it caused by a lack of uninstall script (meaning Microsoft did a half-arsed job of writing the extension)? Or is it a permissions thing that the update was installed by the Administrator account and limited users were not allowed to delete the files/registry keys (meaning... I don't know what to think of that option)?

    • Re: (Score:3, Insightful)

      by e2d2 ( 115622 )

      Yeah, that sounds like the most likely scenario. It's not just piss poor code, no no. It's definitely a nefarious plan concocted by the Illuminati and put into action by the secret lab they have at Microsoft. First step - fuck up Firefox. Second step - Destroy national borders.

      Too many movies makes you think strange things. For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP. Real life: r

      • Re:Sabotage? (Score:5, Interesting)

        by jamstar7 ( 694492 ) on Friday October 16, 2009 @04:07PM (#29773025)

        Too many movies makes you think strange things. For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP. Real life: rotary phones, paperwork in triplicate, and a gigantic fucking bureaucracy that thinks pagers are still useful.

        Or the idea of NSA 'agents' running around shooting up everything in sight (because the CIA isn't the big Boogie Man anymore). Real life: Bunch of bureaucrats overseeing a bunch of pastyfaced nerds and cubicle rats busy doing signal intercepts and codebreaking. Though the bandwidth and internet access is great, I hear...

      • Re: (Score:3, Funny)

        by PopeRatzo ( 965947 ) *

        For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP.

        That's how those bastards did me, too!

    • Re: (Score:2, Funny)

      by Captain Spam ( 66120 )

      Not really, not when it's due to a plugin they themselves installed and have their name all over. I mean, you don't consider Flash vulnerabilities to be the fault of IE or Firefox, do you? If anything (and that's a big "if" in this case), it'll be a black eye for Microsoft.

      Nah, if you're going the paranoid route, it'd have been a better idea if they made this plugin under the guise of a shell company or something, then when the vulnerabilities hit the fan, have the shell complain about how "hard" it is to

      • by Korin43 ( 881732 )
        I consider flash vulnerabilities the fault of any browser that doesn't support the canvas, video and audio tags (requiring people to use flash).
    • Re:Sabotage? (Score:5, Insightful)

      by FlyingBishop ( 1293238 ) on Friday October 16, 2009 @03:31PM (#29772643)

      This is a .NET vulnerability, on MS Windows. Firefox being the vehicle is entirely Microsoft's fault as the maintainer of the .NET plugin.

    • Re:Sabotage? (Score:5, Insightful)

      by shutdown -p now ( 807394 ) on Friday October 16, 2009 @04:26PM (#29773181) Journal

      Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

      I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090 [microsoft.com]) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional - the vulnerability itself is a fairly obscure corner case in .NET bytecode validator/verifier, and, so far as I can tell, it has been there for a very long time, seemingly before WPF was even released. All in all, it looks like a genuine bug.

      A testament to its obscurity is the way I encountered it - I was designing an Algol-60 compiler targetting .NET, and was looking for an efficient way to pass Algol function-type function arguments (which are effectively vararg on the caller side) without having to lift outer locals used by captured functions to heap. Only after coming up with an efficient design and testing that it works, I realized the implications of what I had just done to the verifier.

      I cannot comment on CVE-2009-2529 (the second Firefox-affecting vulnerability), but I don't see how it would be any different. Really, the idea of MS deliberately adding vulnerabilities to its products in hope of marginally affecting Firefox by them (remember that IE is hit much worse...) is pretty absurd - even if you disregard the notion of business reputation when it comes to MS, it poses a very high legal liability. No-one in a sane mind would even contemplate doing such a thing.

      Disclaimer: I do work for Microsoft at present, though not on the affected products. I did not work for Microsoft when I discovered and reported that vulnerability.

      • by PopeRatzo ( 965947 ) * on Friday October 16, 2009 @05:11PM (#29773601) Journal

        I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090 [microsoft.com]) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional...remember that IE is hit much worse

        You're spoiling everyone's fun, you know that?

      • Re:Sabotage? (Score:4, Interesting)

        by hAckz0r ( 989977 ) on Friday October 16, 2009 @10:02PM (#29775349)
        You had me going there right up to the "Algol-60" part. In 2009? After all everybody her on SlashDot knows that Algol-68 is the most recent version! Why would anybody be using a back-dated version of a language?

        Ok, seriously. Why Algol-60?

        • Re:Sabotage? (Score:5, Interesting)

          by shutdown -p now ( 807394 ) on Friday October 16, 2009 @11:35PM (#29775667) Journal

          Ok, seriously. Why Algol-60?

          Because it is one of the three languages that started it all, and one that affected all existing mainstream languages most. Curly braces of C, and the block construct that they represent, began their life as "begin .. end" in Algol-60.

          Because it is at the same time a very beautiful language - especially considering the time when it was designed - and one with some very advanced constructs, not found even in many modern languages, that can pose significant challenge to implement efficiently, especially in an otherwise constrained environment such as sandboxed CLR. To list a few such features: computed goto, label variables/function arguments and the associated nonlocal goto, arbitrarily nested functions with variable capturing, and call-by-name. Challenges are fun.

          Because it's a very important milestone in history of CompSci in general, and language design in particular (in case it's not quite obvious yet, I'm a language design geek), a piece of it that I wish to preserve. Apparently, I'm not alone in that, either - there's also GNU Marst [gnu.org] - curiously enough, written by another Russian dude.

          Because Simula-67 (the first OOP language ever, and the ultimate ancestor of virtually every statically typed OO language today, including C++, Java and C#) is a strict superset of Algol-60, and I wanted to go after it next.

          And, of course, just for fun. I mean, this is Slashdot, right? We routinely get people installing KDE2 on NetBSD running on toasters with 7-segment indicators here; I think my little fetish is relatively benign in contrast.

          (To bring the above references to Algol-60 language features into some context for those not familiar with the subject, the final Algol-60 language spec is here [masswerk.at]; it's a fairly short read.)

          After all everybody her on SlashDot knows that Algol-68 is the most recent version!

          Algol-68 is an entirely different language from Algol-60. It's not evolutionary, but a complete, ground-up redesign, by very different people. It's also a very interesting one, and important in its own right, since C borrowed a lot of things from it, down to keywords (VOID, INT, SHORT, LONG, STRUCT and UNION are all Algol-68 keywords with virtually the same meaning they have retained in C).

          It would be fairly interesting thing to implement as well, but in many ways it's a much more rationally designed language than Algol-60, dropping some overly exotic and complicated features, and, consequently, implementing it is less of a challenge (I guess they had had enough real-world experience writing compilers by then to conclude that some features of Algol-60 looked good on paper only...).

  • the big deal here is they never uninstalled it off the people they shoved it on. They simply gave a way to uninstall it.

    Thus, now it's harder for firefox to say it's safer while said plugin is installed.

  • Not true (Score:5, Informative)

    by Voulnet ( 1630793 ) on Friday October 16, 2009 @03:23PM (#29772549)
    That's not true, I have Win XP SP2, Firefox 3.5.3; and I just disabled this plugin. It CAN be disabled.
    • Agreed. I just brought it up in a firefox install on XP SP3. The disable and uninstall options are both available. Don't know if this is just poor reporting or if perhaps ANOTHER ms patch "fixed" the uninstall and disable options. Anyone know? Either way, it's retarded that they pushed it out in the first place.
      • by noundi ( 1044080 )

        Agreed. I just brought it up in a firefox install on XP SP3. The disable and uninstall options are both available. Don't know if this is just poor reporting or if perhaps ANOTHER ms patch "fixed" the uninstall and disable options. Anyone know?

        Either way, it's retarded that they pushed it out in the first place.

        The disable button has always been working for me on XP SP3, the uninstall however had not. I remember it wasn't working even months after it was installed on my work PC. Since then I've dumped a clone image and made sure to pick that update out so I wouldn't know the current status.

      • Re:Not true (Score:5, Informative)

        by The Moof ( 859402 ) on Friday October 16, 2009 @03:37PM (#29772711)
        Originally, you couldn't uninstall the extension. Microsoft did eventually release a patch that activated the Uninstall button, it's been out for a while now. I even think Slashdot had a story about the patch that enabled the button. Still patiently waiting for Sun to give me the same option with "Super Cool Java Firefox Extension"...

        (Going to the Advanced Settings in Java under the Control Panel to uninstall a Firefox extension is unacceptable. I also wish they'd clean up their plug-ins when they update.)
    • Re:Not true (Score:5, Interesting)

      by Neon Spiral Injector ( 21234 ) on Friday October 16, 2009 @03:31PM (#29772645)

      That may not be entirely true. Have a look at this:
      http://adblockplus.org/blog/the-return-of-net-framework-assistant [adblockplus.org]

  • Almost (Score:4, Insightful)

    by Kell Bengal ( 711123 ) on Friday October 16, 2009 @03:23PM (#29772557)
    I went through the process of removing the plug-in. While I was incensed that it was installed without so much as a by-your-leave, the removal method I used didn't require registry hacks or anything so high falutin.

    That said, I should not have had to have gone to any such effort in the first place.
  • I had no idea about this plug-in. Thanks for the links to getting it fixed / removed.

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Friday October 16, 2009 @03:30PM (#29772631)
    Comment removed based on user account deletion
    • Re: (Score:3, Insightful)

      The difference is, its pretty easy to figure out what things do in the Program Files directory, the Windows directory is a bit more confusing, but a lot of it is still pretty easy to figure out. Good luck for an average computer user to figure out what /HKEY_LOCAL_MACHINE\ SOFTWARE\etc. is compared to Program Files and X program.
    • Re:Registry Danger! (Score:4, Informative)

      by Frosty Piss ( 770223 ) on Friday October 16, 2009 @03:44PM (#29772787)

      but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand.

      You mean like this? [adblockplus.org] That's *no* uninstalling.

    • Re:Registry Danger! (Score:5, Informative)

      by Penguinisto ( 415985 ) on Friday October 16, 2009 @03:52PM (#29772875) Journal

      "It's no more dangerous to delete something from your registry"

      Perhaps, but...

      1. This kinda invalidates the argument that Windows fanboys have been spouting for years, namely "...but in Linux/BSD/Whatever, you have to edit files, which is too hard for Joe Sixpack to do!"
      2. If you bork the registry, discover it's borked only after a full reboot/log-in, then try to reboot again thinking it's some other problem, that backup copy of the registry just went 'pfft!', and you may or may not be able to get to a point where you can use System Restore
      3. The registry makes a great place to hide stuff in (see also half the malware to come down the pike in the past 9 years)
      • Re: (Score:2, Troll)

        by drsmithy ( 35869 )

        This kinda invalidates the argument that Windows fanboys have been spouting for years, namely "...but in Linux/BSD/Whatever, you have to edit files, which is too hard for Joe Sixpack to do!"

        The big difference is that Registry editing is extremely uncommon in Windows. Trawling through textfiles in Linux (or BSD) is - ironically - something you're almost certainly going to have to do as soon as you step off the narrow path of basic setup and usage.

        If you bork the registry, discover it's borked only after

    • Looking at my add/remove programs list I have 4 different versions of the .Net framework installed, I wish all the programs that relied on them would be able to use the latest one, but unfortunately they do not.
    • Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.

      Joe Sixpack doesn't have a clue about editing the registry, he just wants something 'That Just Works(tm)'. Anything else, he'll let his 'computer geek kid' screw up for him til it needs to go to the

    • Re: (Score:3, Insightful)

      by Rennt ( 582550 )

      Go with me on this one. *ahem*

      "Windows will NEVER be ready for the desktop until you can remove a plugin without hacking the registry. If a user has to open regedit.exe MS has already failed."

  • Amazing (Score:5, Insightful)

    by gmuslera ( 3436 ) on Friday October 16, 2009 @03:33PM (#29772661) Homepage Journal
    This is from the same people that claimed that the Google Chrome Render plugin for IE6+ will make the browser less secure?
    • Same company -- not the same people. I swear there's whole nations worth of people in companies the size of Microsoft that aren't even on the same page, ever.

    • Re: (Score:2, Insightful)

      by matzahboy ( 1656011 )
      The other funny thing is that the firefox plugin was installed without the user's permission. The user has to go to the chrome website and click the button that say "install".
    • See, they know what they are talking about.

    • It'll be ok though, because Google is making a plugin for this plugin
    • Re:Amazing (Score:4, Informative)

      by shutdown -p now ( 807394 ) on Friday October 16, 2009 @04:33PM (#29773265) Journal

      If anything, this case further reinforces that claim. Any new functionality (including plugins) added to a browser increases its attack surface, unless it completely replaces part of the existing code. In this case, the increased surface was due to WPF being exposed. In case of Chrome plugin, it's Chrome rendering engine.

      If Chrome completely replaced IE renderer, with no means to re-activate it, then it would be reasonable to argue that it does improve security. However, Chrome renderer is opt-in, which means that any attack site willing to exploit an IE vulnerability will happily work in IE with Chrome plugin installed, but at the same time any site willing to exploit a Chrome vulnerability - and it's not like there aren't, or will never be, any - can request IE with Chrome plugin to use Chrome for rendering.

  • Deja-vu (Score:2, Informative)

    by Dishwasha ( 125561 )

    Is it just me, or were we just talking about this [slashdot.org]

  • by jim_v2000 ( 818799 ) on Friday October 16, 2009 @03:48PM (#29772831)
    There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.
    • by asa ( 33102 ) <asa@mozilla.com> on Friday October 16, 2009 @04:30PM (#29773229) Homepage

      There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.

      No. Wrong. Installing plug-ins or extensions without asking is bad. Period. Full stop. End of story.

    • I personally get really sick of having to double-take when installing FOSS builds that include ASK/Google/(insert others) toolbar for my browser(s).. used to be it was only in IE.. now they target FF as well... Maybe Chrome is better off without plugins/extensions/toolbars... I'd be happy if Chrome used the OS's theme and window wrap... Adding in F12 developer tools like firebug and an adblock plus like feature would be enough for me.

  • by jayme0227 ( 1558821 ) on Friday October 16, 2009 @03:55PM (#29772903) Journal

    "Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.

    • There is not enough schadenfreude in the world to satisfy the demand when it comes to Microsoft pulling something like "a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update."

      Come on, you tell me, what on earth justifies that?

    • Re: (Score:3, Informative)

      by causality ( 777677 )

      "Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.

      In a way it is sneaky. If I used Firefox in Windows and wanted this plugin, I would install it myself. Anyone using Firefox in Windows is already demonstrating that they are aware that they have choices as to what browser software to use, and I strongly doubt that the average Firefox user has never heard of addons.mozilla.com or otherwise doesn't know how to locate and install desired add-ons/plugins on their own.

      The case can be made for automagically installing things for the "blue E is the Internet!"

  • Nice job, of trying to push the blame on a third party software that is kicking your own apps ass when it comes to web browsing!
    So what to do, say could we not develop a nice little add on , that allows remote execution once infected and destroys that apps security...and also make it impossible through windows (M$) to uninstall.

    Wow, nice one...
    -clap/clap/clap

  • How many times must we hear about this plugin? This is at least the third time I've seen an article on it.

    If you got 1.0 of the plugin and want to get rid of it, get the update here [mozilla.org] or Here [microsoft.com], install it, and then uninstall it.

    I'm saving this in my journal. That way, when they post the next .NET plugin story next month, I can just post the journal link. Maybe I can keep the story count there too.

  • So firefox allows a rogue addon to install without any user intervention and the story is all about how evil MSFT is?

    Sure, they did it. Bad Microsoft.

    But isn't the bigger issue that now that this is known....*anyone* can pull this on firefox users?

    No. I am not apologizing for Microsoft. This was "Sony Stupid" of them. We're used to that here, though. What we're not used to (and apparently sweeping under the rug) is the massive, unholy hell of a mess mozilla's extension system for firefox is....

    • by asa ( 33102 ) <asa@mozilla.com> on Friday October 16, 2009 @04:33PM (#29773269) Homepage

      So firefox allows a rogue addon to install without any user intervention and the story is all about how evil MSFT is?

      Sure, they did it. Bad Microsoft.

      But isn't the bigger issue that now that this is known....*anyone* can pull this on firefox users?

      No. I am not apologizing for Microsoft. This was "Sony Stupid" of them. We're used to that here, though. What we're not used to (and apparently sweeping under the rug) is the massive, unholy hell of a mess mozilla's extension system for firefox is....

      Anyone that can run executable code on your system can do anything to your system. The "good guys" aren't supposed to do things to your system without asking you first. The "bad guys" can simply replace Firefox entirely with a version that has what ever features they want. If you let someone run code on your system, you lose. Firefox cannot stop that code from doing what ever it wants. The point is that you're supposed to only install software from vendors you trust. You should be able to trust Microsoft and that your trust was abused and abused in a way that caused you to be vulnerable to remote exploits is the story here.

  • should secure Firefox to make it impossible for M$ to install anything in their browser.
  • Note that this isn't just about Firefox. There's a WPF plugin for IE as well. Furthermore, this is about any browser that can handle "Netscape style" plugins, which is what WPF/XBAP plugin is. In particular, this includes Opera and Chrome, too; not sure about Safari, but it's probably covered as well.

  • by macraig ( 621737 ) <mark...a...craig@@@gmail...com> on Saturday October 17, 2009 @02:26AM (#29776129)

    This screen capture of a dialog [photobucket.com] I saw tonight demonstrates that Mozilla is paying attention and doing something about it, though:

To thine own self be true. (If not that, at least make some money.)

Working...