Firefox Disables Microsoft .NET Addon

Posted by kdawson
from the with-their-consent-of-course dept.
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
  • Oops (Score:4, Informative)

    by Mr_Silver (213637) on Sunday October 18 2009, @08:13AM (#29783373)

    I just checked my addons and whilst I don't have the Microsoft addon, I do have an AVG one which is disabled. Clicking on the more information link (https://en-gb.www.mozilla.com/en-GB/blocklist/) presents me with a page that says:

    en-gb.www.mozilla.com uses an invalid security certificate.

    The certificate is only valid for *.mozilla.com.

    (Error code: ssl_error_bad_cert_domain)

    Whilst it is nice to see they've done it, it's a shame that they didn't test the end to end user flow.

  • by Gopal.V (532678) on Sunday October 18 2009, @08:23AM (#29783415) Homepage Journal

    From the TFA, it is clear that Microsoft approves of this particular move. I quote

    It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

    I mean, this damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everybody wants to read the MS KnowledgeBase article [microsoft.com] and implement it themselves. At least, not my mom.

  • by Dark$ide (732508) on Sunday October 18 2009, @08:37AM (#29783485) Journal
    For x86 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Mozilla > Firefox > Extensions

    For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions

    Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'
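    An added example, not from the thread or from Mozilla or Microsoft: a PowerShell audit of the machine-wide extension registrations in the two registry paths quoted above, flagging the extension ID the post names. It assumes the usual layout where each registration is a value named after the extension ID whose data is the install path; nothing is removed unless the removal function is called, and -WhatIf previews it first.

```powershell
# Added example (not from the Slashdot thread). Audits system-level Firefox
# extensions registered in the registry and, on request, removes the .NET
# Framework Assistant registration the thread discusses.

$DotNetAssistantId = '{20a82645-c095-46ed-80e3-08825760534b}'  # ID quoted in the thread

# Both paths from the post above: native on x86, Wow6432Node on x64.
$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions'
)

function Get-SystemFirefoxExtension {
    <#
    .SYNOPSIS
      List every extension registered machine-wide via the registry.
      Assumption: each registration is a value whose name is the extension
      ID and whose data is the directory Firefox loads it from.
    #>
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the provider adds.
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{
                RegistryKey       = $key
                ExtensionId       = $prop.Name
                InstallPath       = $prop.Value
                PathExists        = [bool](Test-Path -LiteralPath "$($prop.Value)")
                IsDotNetAssistant = ($prop.Name -eq $DotNetAssistantId)
            }
        }
    }
}

function Remove-DotNetAssistantRegistration {
    # Supports -WhatIf / -Confirm so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $existing = Get-ItemProperty -Path $key -Name $DotNetAssistantId -ErrorAction SilentlyContinue
        if ($null -eq $existing) { continue }
        if ($PSCmdlet.ShouldProcess("$key\$DotNetAssistantId", 'Remove extension registration')) {
            Remove-ItemProperty -Path $key -Name $DotNetAssistantId
        }
    }
}

# Usage: inventory first, then preview the removal; drop -WhatIf to apply it.
Get-SystemFirefoxExtension | Format-Table -AutoSize
Remove-DotNetAssistantRegistration -WhatIf
```

    Because later posts in the thread report the assistant being re-registered by subsequent updates, the inventory function is worth re-running after patch cycles rather than once.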

  • by Antique Geekmeister (740220) on Sunday October 18 2009, @08:38AM (#29783491)

    Oh, I think not. The "functionality" added is Windows specific. Websites _should not_ be OS specific. And Microsoft had _no business_ shoving their plug-in silently into Firefox. And most of all. .NET is now a security nightmare: Brian LaMacchia, one of the authors of ".NET Framework Security", resigned from .NET development rather than continue with it. (LaMacchia's career is fascinating: if you'd like to follow a trail of an expert engineer getting involved in projects that are doomed for mishandling security, perhaps in spite of his best efforts, check out his career.)

  • Re:Great (Score:5, Informative)

    by The MAZZTer (911996) <megazzt@gmail.cTIGERom minus cat> on Sunday October 18 2009, @08:54AM (#29783555) Homepage
    There's actually a whole Firefox setting namespace devoted to bits of useragent to append, you don't even need a whole addon.
  • by Mike Shaver (7985) on Sunday October 18 2009, @09:05AM (#29783607) Homepage
    MS09-054 is labelled as an Internet Explorer update, so it's not obvious that Firefox users need to apply it. We're working with Microsoft on getting that fixed. Microsoft did definitely agree to it; I'm the one they told, on the telephone, before I requested the block be pushed out. I don't know why you think I was lying -- I didn't "imply" it, I flat out said that they agreed, which is the case. Do I have a history of lying about such things?
  • by lukas84 (912874) on Sunday October 18 2009, @09:07AM (#29783625) Homepage

    Firefox offers an option for addons installed on the system level, and not on the user level, like the addons you manually install are.

    This makes sense for example in a company, where you deploy Firefox to desktops - you'll want addons to be installed on a system, and not a per-user, basis.

    The .NET utility just made use of that.

  • by thejynxed (831517) on Sunday October 18 2009, @09:11AM (#29783647) Homepage

    You better check again, as the plugin tries to re-install itself silently when a .NET service is called from a website in Firefox, and also via the recent batch of patches from Microsoft. The only way to be sure is to double-check and not only nuke the appropriate registry entry, but the entire sub-folder of your .NET installation the plugin is installed to, as well as resetting the ID string in About:Config. Then you should proceed to disable that update from being downloaded or displayed via Automatic Updates.

    The really disturbing thing I found, is that after sneakily re-installing itself via the latest patch from MS, the plugin is not displayed at all in the Addons/Extensions portion of the Firefox configuration screen. The only reason I even found it reinstalled, was that warning from Firefox when the nasa.gov site attempted to load the plugin while viewing their photo galleries.

    Yes, it was my fault to have updates set on Automatic/Automatic, which has since been remedied on this system. I was irresponsibly lazy on the matter.

  • Re:Cat and mouse (Score:5, Informative)

    by Mike Shaver (7985) on Sunday October 18 2009, @09:34AM (#29783755) Homepage
    There's no cat and mouse -- they agreed to this blocking. I have in fact encouraged them to use a different extension ID if and when they make a fixed ClickOnce/WPF add-on that can be installed by active user choice rather than by default!
  • by Mike Shaver (7985) on Sunday October 18 2009, @09:37AM (#29783773) Homepage
    Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
  • by wigle (676212) on Sunday October 18 2009, @09:39AM (#29783793)
    They should also disable the Adobe Download Manager (Adobe DLM). For any of you that have downloaded Adobe Reader 9 (with Firefox) recently, you would have noticed that they make you install a Firefox add-on instead of just linking you to the binary.

    It's proprietary and full of ads! Just what I wanted, an extension that checks for updates of my Adobe Reader software. Uninstalled. The Firefox team should send a message. Firefox add-ons are not yours to take over like the Windows startup.

  • Re:Oops (Score:1, Informative)

    by Anonymous Coward on Sunday October 18 2009, @09:42AM (#29783807)

    It's being worked on. See bugs 505031 [mozilla.org] and 454299 [mozilla.org] to track.

  • by Dreadneck (982170) on Sunday October 18 2009, @10:02AM (#29783921)
    If you go to about:config in firefox and toggle the value of extensions.blocklist.enabled from true to false and restart firefox then the plugins will work.
  • by Mike Shaver (7985) on Sunday October 18 2009, @10:04AM (#29783933) Homepage
    The plugin in question was installed via a Windows Update _security_ update, it wasn't something that people really chose to install. I agree, though, that this really, really isn't malware. That's a ridiculous misuse of the term.
  • by Anonymous Coward on Sunday October 18 2009, @10:04AM (#29783935)

    And what's even worse: It only has a 'check certificate' and an 'abort' button. There's no way to get to the webpage.

    If the site didn't have a cert at all, firefox would happily display it, but with an invalid cert you don't even get an option to do that.

  • Re:Great (Score:5, Informative)

    by piripiri (1476949) on Sunday October 18 2009, @10:09AM (#29783965) Journal
    It's not just a useragent string, but it allows remote code execution. https://bugzilla.mozilla.org/show_bug.cgi?id=522777 [mozilla.org]
  • by Mike Shaver (7985) on Sunday October 18 2009, @10:10AM (#29783973) Homepage
    Yes, sorry, I should have said that we can't distinguish it without custom code pushed through a patch, because it doesn't affect any files that we load or touch.
  • Re:Two words (Score:3, Informative)

    by Darkness404 (1287218) on Sunday October 18 2009, @10:12AM (#29783983)
    Chrome Frame was required for running Google Wave (HTML5) in IE. So it's not much different than all those ActiveX plugins you used to have to install to get other things to work back in the "bad old days".
  • by ummit (248909) * <scs@eskimo.com> on Sunday October 18 2009, @10:17AM (#29784011) Homepage

    In what universe is it acceptable for vendor A to modify vendor B's software on User C's (i.e. my) computer? To modify it at all, let alone with security-impacting ramifications?

    Earth to Microsoft: drive-by downloads are among the worst of vulnerabilities. They must be avoided at all costs. And the way to avoid them is not to be more careful when writing and installing unnecessary little browser plug-ins. The way to avoid them is not to install unnecessary little browser plug-ins in the first place. (And if you simply must install unnecessary little browser plug-ins, do it with your own grotty browser, not the non-Microsoft one I installed specifically to avoid all the security concerns of yours.)

    Sheesh.

  • by lseltzer (311306) on Sunday October 18 2009, @10:48AM (#29784231)

    As I said elsewhere, a lot of plugins seem not to report their version information. Why don't you disable them too?

    According to your plugin checker [mozilla.com] the following plugins on my system don't report version information:
            Java(TM) Platform SE 6 U13 Java(TM) Platform SE binary
            Microsoft Office Live Plug-in for Firefox Office Live Update v1.4
            Java Deployment Toolkit 6.0.150.3 NPRuntime Script Plug-in Library for Java(TM) Deploy
            ActiveTouch General Plugin Container ActiveTouch General Plugin Container Version 104
            Adobe Acrobat Adobe PDF Plug-In For Firefox and Netscape
            Microsoft® Windows Media Player Firefox Plugin np-mswmp
            Google Update Google Update
            iTunes Application Detector iTunes Detector Plug-in

    See this screen shot. [yfrog.com]

    Many of these have had vulnerabilities in the past.

  • Re:Great (Score:5, Informative)

    by wasabii (693236) on Sunday October 18 2009, @10:49AM (#29784237)

    Not exactly. It also allows you to run .Net and WPF apps inline in the browser, hosting a CLR instance. Not to mention mapping the ClickOnce file type.

  • by wasabii (693236) on Sunday October 18 2009, @10:51AM (#29784261)

    A vulnerability which has already been patched. I use this functionality on over 100+ machines at the office. I've already deployed the patch. As far as I can tell, there's no easy way for me to disable the block list. I'm going to get into work tomorrow and switch 100+ boxes back to IE, if they don't reverse it. And I won't be switching them back to FF.

  • by Anonymous Coward on Sunday October 18 2009, @01:22PM (#29785209)

    Microsoft has issued a download that will remove the .NET-related addon politely.
    http://www.microsoft.com/downloads/details.aspx?FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab&displaylang=en
    It didn't even ask for a reboot (not sure how that works, if it has to alter the registry) and Firefox seems to be happy now.

  • by advocate_one (662832) on Sunday October 18 2009, @02:15PM (#29785555)
    dust off, nuke it from orbit and install Linux...
  • by Anonymous Coward on Sunday October 18 2009, @02:26PM (#29785631)

    You're going too low on the food chain; just disable adobe reader.
    The thing is an ongoing Greek tragedy of one inexcusable remotely exploitable security vulnerability after another on a monthly basis. 9.1 I figured I'd forgive them their errors and I installed the 9.1.1 patch, yes, patch, since apparently they couldn't be bothered to make an installable version so you'd have to install the KNOWN VULNERABLE version FIRST then patch it to get the latest version. Fast forward a few weeks and, oops, 9.1.1 has also a remotely exploitable vulnerability that sits unpatched for all too long until 9.1.2 patch comes out. Ok, installed that. Rinse, repeat, what do you know, 9.1.2 is remotely exploitable too, and here comes a 9.1.3 patch. Ok, this is getting ridiculous and scary since there have been common exploits in the wild infecting people with drive-by malware through PDF/javascript/browser integration while they were cooking up the latest patches. And, hey, what do you know, 9.1.3 NOW has itself a remotely exploitable vulnerability and there IS NO PATCH.
    F*** adobe and their insecure bloatware. Is it too much to ask that sometime in the last dozen versions you could have, say, removed a lot of the insecurities, disabled the media / javascript / browser integration / etc. stuff by default, and come out with a useful version that isn't the SINGLE BIGGEST VULNERABILITY on millions of systems?

    PDFs are now getting read or format converted to something that doesn't wreck my machine using a linux VM via evince / xpdf / ghostview or whatever. Never again, Adobe; your PDF reader software is "considered harmful".

    Oh, and the story with FLASH player plugin is the same. Look at the vulnerability reports for the last dozen or so versions and try to convince yourself it is safe to run their latest honeypot of the day "it's fixed now, honest..." version.

    FWIW, though, for the masochists that insist on drinking their PDF poisoned kool aid, do yourself a favor and use ftp.adobe.com to download it and not their worthless web site; at least you can save some of the pain of dealing with their malware soap opera of non-improving versions.

  • by socsoc (1116769) on Sunday October 18 2009, @02:41PM (#29785757)
    Just click the "if your download doesn't start, click here" link. It's worked for me in both FF and IE
  • Re:Great (Score:5, Informative)

    by nmb3000 (741169) <nmb3000@that-google-mail-site.com> on Sunday October 18 2009, @02:50PM (#29785821) Homepage Journal

    All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?

    For anyone curious as to the real state of affairs behind this MS plugin issue, you might be interested in a few things. For everyone else just enjoying a good anti-Microsoft circle-jerk, ignore this post.

    The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications [wikipedia.org] to run in Firefox and ClickOnce [wikipedia.org] program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?

    This is the bug [mozilla.org] in question. There is a lot of interesting comment there, including the fact that while everyone is crying about Microsoft "secretly" adding the plugin and preventing users from disabling it, Mozilla doesn't even give users an option to enable it! Their blocklist is all or nothing. Why doesn't that bother anyone here? One poster [mozilla.org] is very insightful:

    Many corporations have begun implementing Firefox and telling their users that it is an equally if not more capable but more secure browser. For a subset of those corporations, the action of removing necessary tech without consent or a secure method for re-enabling it will result in the removal of the browser from the system completely. It will be called a failed experiment. The following day, sys-admins around the world will be left explaining to the non-enthusiast employees that the reversal came because certain business apps would not function in FF. Those users will only hear that FF is not as capable.

    But perhaps the best thing about this entire issue, is that Mozilla didn't block the plugins until AFTER they were patched and the mechanism of the block is retarded. Mozilla is claiming [mozilla.com] that Microsoft agreed to issuing the block of the affected plugins, and that might be true, but only to an extent. Mozilla is currently blocking the plugins based on the name of the plugin, not the version, which means users who have installed the patched version of the plugs (at this point almost everyone using Windows Update) are still unable to use the plugins and have no way to re-enable them.

    So essentially, by issuing this patch, Mozilla is doing nothing but hurting its business customers. Slashdotters can scratch their heads trying to figure out who uses these technologies, but the answer is a lot of businesses do. This absolute, non-scriptable and non-changeable block of these plugins will just remind corporations that open source isn't ready for the big leagues and they should just stick with Microsoft and IE. The sad thing is that if this kind of knee-jerk, carte-blanche blocking behavior becomes the norm for Mozilla, they will probably be right! Taking this kind of control away from the users is simply unacceptable, doubly so for businesses.

    If you're wondering what MS says about this, you might take a look at this [technet.com]:

    First we'd like to make it clear that any customers that have applied the update associated with MS09-054 are protected, regardless of the attack vector. And most customers need not take any action as they'll receive this update automatically through Automatic Updates.

    So there it is -- pretty much everyone

  • Re:Ha ha (Score:5, Informative)

    by Mike Shaver (7985) on Sunday October 18 2009, @03:02PM (#29785939) Homepage

    I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.

    (Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)

  • by Mike Shaver (7985) on Sunday October 18 2009, @03:44PM (#29786259) Homepage

    We have interest in determining if the Firefox user in question has applied the IE patch in question, but we do not have the means.

    It is related to IE, because the patch in question is explicitly labelled as affecting Internet Explorer, and makes no mention of the fact that it can impact Firefox users who have not gone out of their way to disable part of .NET Framework 3.5 SP1. (That's one of the things we're working on getting fixed, as it happens.)

  • Re:Great (Score:5, Informative)

    by Mike Shaver (7985) on Sunday October 18 2009, @04:40PM (#29786719) Homepage

    There is no version difference for the plugin or add-on between patched and unpatched systems. That's one reason that this is so messy right now; if we had known about the Firefox aspect of the vulnerability before the SRD blog post, we would have suggested just that sort of version bump.

  • by noundi (1044080) on Sunday October 18 2009, @05:21PM (#29787037)

    Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."

    Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

    That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...

    Well, since you asked I'll describe the order of priorities of what we are against:
     
    1. Installing software without our consent, that includes sneaking in software in methods that classify as "gray zones". The ask.com bar is a good example of this, and also the .NET framework.
    2. Kill-switches
     
    So you see, as described above, the installation of such applications is far more dangerous than the kill-switch. Also since this kill-switch can be turned off. If you don't think MS did anything wrong, then let me ask you this: why are so many people angry with this installation? For those of you who installed IE7 or IE8 on XP through Windows update, do you remember the EULA that popped up after the download and before the installation? Wouldn't it have been completely acceptable if such a screen had been shown for this as well? Since ultimately this was something new for Windows update, never before had it tampered with Firefox, so people -- don't fucking pretend it was a harmless and innocent move.

  • by Cl1mh4224rd (265427) on Sunday October 18 2009, @05:34PM (#29787171)

    Java is installed at the choice of the user where the .NET plugin is installed by a Windows update without informing the user.

    Whoa, whoa, whoa... There's an imbalance in your equation here. You're comparing Java itself to the .NET Framework plugin.

    Yes, Java itself requires that the user explicitly install it, but the Java Quick Starter extension for Firefox is also silently injected. Now, with the exception of Windows Vista and Windows 7, the .NET Framework must also be explicitly installed by the user.

    Also, the Java Quick Starter extension can not be removed through Firefox's UI; it can only be disabled. This may actually be the better option, though, because even if you remove it through the Java Control Panel applet, it's reinstalled with the next Java update (which is pretty heinous, in my opinion). Disabling it may leave it disabled across updates, but I haven't tested that.

    To me this looks like an attempt to drag Firefox down to the level of IE by silently adding .NET holes into Firefox and then they can say, "It's not us because Firefox has the same problems we do".

    Not to defend Microsoft, but that is unbelievably paranoid. In fact, I'd say it qualifies as an outright conspiracy theory.

  • by Whisperwolf (1650553) on Sunday October 18 2009, @05:47PM (#29787283)
    There is a problem with that, because Microsoft have recently changed their licensing policy for XP (amongst others). Now unless you have the ORIGINAL disk supplied with the machine, or can create a keyed disk from the rescue partition of a machine (which becomes impossible if it's so riddled with malware that Windows won't run) you can't reactivate Windows. If you use a different Windows disk, even if your machine has a valid certificate of authenticity sticker on the side, it will fail to pass "genuine product authentication" - and Microsoft are now refusing to re-authenticate because they say they've changed the rules to say if you don't have the original disk supplied with the machine, you MUST buy a new license.
  • Re:Great (Score:3, Informative)

    by AHuxley (892839) on Sunday October 18 2009, @07:25PM (#29787957) Homepage Journal
    The problem is not just MS and its .NET part, it's the whole of Windows. Once you overrun or break one small section, you're "in" for real.
    Traditionally MS is wide open under its sandboxed/isolated app marketing speak.
    MS might be able to fake protection for one or two applications, but anything they expose from the inner MS workings is then wide open.
  • by jim_v2000 (818799) on Sunday October 18 2009, @09:02PM (#29788511)
    You don't have to install their plugin...there's a link on the page that says something like "Click here if download doesn't start".
  • by Mike Shaver (7985) on Sunday October 18 2009, @11:06PM (#29789227) Homepage

    Pretty sure it's XBAP's use of mshtml that's the problem for 09-054; 09-061 is a different vuln that is also exposed through some .NET widget.

  • by starfire83 (923483) on Monday October 19 2009, @01:54AM (#29790547) Homepage
    You know, I always laugh when anti-Microsoft zealots mention that Microsoft is "evil" when in fact they are just doing smart business. I bet you're a card carrying FOSS zealot that loves to use crippled, unpolished FOSS out of sheer principle since MS (or M$?) is so "evil."

    I also laugh especially at the anti-Microsoft zealots that call Windows 7 "Vista SP3" or a "small update" to Vista when in fact it is anything but that (was XP Win2k SP5?). But I guess you wouldn't really know just how good Win7 is since you can't be bothered to actually give it a whirl since MS is so "evil." I've been using Win7 since the first public beta and it's the best OS I've ever used and I'm not new to the OS landscape (Gentoo, Slackware, Red Hat/Fedora, Ubuntu, random small linux distros like SourceMage, OS/2, Mac OS 9-X.5, DOS, Win3.1-Win7). It's definitely a large step up from Vista in terms of performance, stability, bloatiness, and general user-friendliness.

    You've also apparently missed the very large campaign that MS has done in recent months of "Buy Vista now and get Windows 7 FREE." So you don't even have to buy Windows twice, only once. It even works for older Vista license keys. You'd get the corresponding upgrade version of Win7 that you got of Vista. But I guess you can't be bothered to check your facts since MS is so "evil."

    Yeah, Vista wasn't that great at first. But as soon as SP1 dropped it got much, much better and wasn't riddled with half the problems it had at launch (most of which weren't MS's fault but software and hardware manufacturers being lazy). Vista fundamentally changed the Windows programming scape and software and hardware manufacturers sat around with their thumbs up their asses not wanting to change their broken code when there were tons of betas and release clients for Vista floating around on MSDN for a long time. Vista's launch was anything but rushed.

    There also comes a point when backwards compatibility becomes a system security liability and it just has to go. So upgrading to Win7 from XP makes sense not only in the fact that it's a completely different kernel design but an entire OS version behind (5.1 to 6.1). Upgrading in the typical sense just wouldn't work at all. However, the emulation options under Vista and 7 for WinXP actually work most of the time.

    You can disagree with Microsoft's business tactics all you like but please at least get your facts straight and have a little bit of an objective perspective.
