Firefox Disables Microsoft .NET Addon
448
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
MS kinda overstepped its bounds on this one. (Score:4, Insightful)
Microsoft has deservedly taken a LOT of sh*t for forcing this addon into Firefox unannounced - AND preventing you from disabling or uninstalling it - unless you yank it out of the registry. It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"
The real reason why they want to hack user agent (Score:4, Insightful)
While some slashdotters think otherwise, Java/Windows install base is huge thanks to couple of very popular apps and tiny games. Since companies these days looks for multi platform, multi arch; MS needed to show that their herd has been installed/infected by .NET too.
So, they haxor the user agent to show that clueless CTO that their 90% of users have .NET so they should use it instead of massively multi platform Java.
Anyway, as you see, karma is a real bitch and if Sun had a real management, they could milk this issue but... Lucky for MS, Sun is under auto pilot, even under Larry Ellison's Oracle.
Re:Ha ha (Score:4, Insightful)
Re:MS kinda overstepped its bounds on this one. (Score:4, Insightful)
It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"
You seem quite lost. They're not blocking it for that reason, but because it had a security vulnerability.
Re:MS kinda overstepped its bounds on this one. (Score:4, Insightful)
The .NET installer/updater that forces this addon into Firefox is running as administrator or even system rights. How should a non-running app protect itself against a code injection in their home directory done by a process with system privileges? Without creating another mess of cryptographic signing, super-super user and files undeletable when Joe Sixpack decides to uninstall?
I'm sure the Firefox team is working on hardening their application against scummy plugins that disallow being uninstalled, but I fear it's not exactly trivial protecting against administrator privileged malware without breaking a whole lot of other stuff.
Re:Bad for Firefox in the long run? (Score:2, Insightful)
>Websites _should not_ be OS specific
Try telling that to corporate IT which wants certain functionality implemented certain ways. Hell, if you want, blame whoever invented the "best viewed by" concept and slap them around with a wet trout.
Re:Nuke it with regedit... (Score:4, Insightful)
Only nukes the addon, the plugin is hiding in C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (and C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll if you have the .NET 4.0 beta).
Remove HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5
And HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF, version=4.0 if you have the 4.0 beta
Re:Oops (Score:3, Insightful)
It's open source; you did the testing for them just then!
Now if only reporting these types of issues could be done from within Firefox without having to jump through hoops.
Re:Why was the MS plugin again legal? (Score:5, Insightful)
Re:Oops (Score:1, Insightful)
Like they do with the ubuntu bugtracker, in which popular bugs are polluted with lusers asking instructions? No thank you, leave reporting to the semi-professionals instead of every luser with a keyboard...
Imagine this from the other side (Score:5, Insightful)
Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."
Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.
That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...
Re:Nuke it with regedit... (Score:2, Insightful)
I'm so glad I never need to help anybody keeping their Windows machines functioning.
This is very annoying for me (Score:3, Insightful)
I like to play games through http://2dfighter.com/default.aspx [2dfighter.com] and this extension let me do so through firefox, now I can't reactivate it at all, and I can't install a new version because it's been removed from the website. Thanks Mozilla, now I have to go back to IE to use 2df.
Re:Read the TFA, MS suggested this! (Score:5, Insightful)
and Microsoft is recommending that all users disable the add-on.
Well gosh, that "unable-to-be-disabled" feature seems really quite stupid now, doesn't it?
Outrage (Score:3, Insightful)
Wheres the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automaticall?
Re:Imagine this from the other side (Score:3, Insightful)
Bigger shitstorm than the one which happened when MS installed browser extensions without consent from end user?
Company abused its position and put malware on users' machines. Good thing that Mozilla has some options to handle such behavior.
Re:Imagine this from the other side (Score:4, Insightful)
Re:Bad for Firefox in the long run? (Score:3, Insightful)
So your argument against the fact that a plugin replicating IE-specific tech for firefox doesn't matter in intranet environments is... ... that it's windows specific?
Are you kidding?
Re:Imagine this from the other side (Score:4, Insightful)
If Mozilla had been installing Firefox without the users' consent and prevented the same users from uninstalling it, then yes, Microsoft would have been justified to hit the kill switch. The same way, if it was just a regular Firefox Addon that MS distributed (that the user explicitly installs and can uninstall at any time), I doubt Mozilla would have made a fuss about it.
Re:How about just disabling Microsoft? (Score:4, Insightful)
So your argument against people switching away from MS, is that people use MS??
That's the classical excuse of to beta human: I can't do it, because nobody does it.
And why does "nobody" do it? Because everybody uses that "argument" to not do it!
The best thing is, that it isn't even remotely true that nobody does it. You're reading a comment from someone doing it right now. But it's so convenient to ignore it that, isn't it?
Maybe that's the difference between alphas and betas. Alphas have no problem being the first in the club, to start dancing. No they even grab a girl and make a show out of it! ^^ (Because they know that that makes them the leader. Something that is very handy and feels great. Killing any insecurity-based awkwardness.)
So if one person can do it, then two can too. Including handling MS file formats. Including the ability to be in a MS (SMB) network. And so on.
So if two can do it, everybody can.
Which means nobody needs to use MS software. But they want it! Why? Because it's less effort. One can be lazy. And the excuses "always work", to lie even to oneself, about wanting to switch.
"Oh, if only others would use it! Then I would too! But in this situation? No way!" Except that you wouldn't. Or if you would, then I wonder what a pathetic kind of cattle you are, for always trying to conform, even if it's not what you like.
Hell, I'd even prefer to hear that you actually prefer Windows, and that this is mostly because you don't like all the work required to switch. That would at least be honest. And while not agreeing with the view, I could absolutely comprehend and accept it.
Do yourself a favor, stop imitating others just to be "accepted", stop caring what others think of you, build your own set of values, be you, do what you like, and strongly stand behind your reality. That is a basic human right of everybody. And we will not hate you for it. No, we will love you for it. (Isn't it strange, how doing the opposite of what you did, will give you what you always wanted? ^^)
P.S.: If anywhere you found that my assumptions are wrong, *of course* you can tell me how wrong I am. But only if. ^^ (And moderation is no replacement.)
Re:This is very annoying for me (Score:3, Insightful)
Lessee. . . By default a secure browser for a few hundred thousand users who didn't want an invasive add-on in the first place or. . , your ability to play video games.
You know, there are some other fun websites out there which will also try to trick you into installing malware. You might enjoy visiting those as well. --Hey, they even have boobies!
-FL
I can't believe this. (Score:4, Insightful)
my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
You did the right thing. Please ignore silly comments from the peanut gallery.
All diplomacy aside, I appreciate any efforts to lock down the walls against invasive bullshit I was tricked into installing and had to crawl through my registry with a flashlight and hip waders in order to kill. Further, anybody who doesn't have a problem with Microsoft tampering with third party software they have no business touching is probably not the sort of person whose complaints are worth clogging up your conscience with.
Cheers!
-FL
Re:MS kinda overstepped its bounds on this one. (Score:3, Insightful)
Furthermore, Microsoft agreed with the plan of disabling it. (RTFA)
So it's more like
It's nice to see the Mozilla folks say
Mozilla> "NOPE, you...'re NOT doing this to our browser, now get lost!".
Mozilla> that is, if it is OK with you, Microsoft, we would like to temporarily disable the addon until you come up with a fix
Microsoft> we see we get some bad press, so yeah, its OK
Mozilla> Ooh thank you for talking with me
FOSS people> Yeah, Mozilla, take them! M$ is buggy and insecure!
Re:MS kinda overstepped its bounds on this one. (Score:3, Insightful)
This makes sense for example in a company, where you deploy Firefox to desktops - you'll want for addons to be installed on a system, and not a per-user base.
It doesn't make sense that Steve Balmer administrates your company's systems.
Re:Inconsistent logic (Score:4, Insightful)
While I was angry at Microsofts silent installation of this component in Firefox and there is part of me that is ready to cheer on Mozilla for disabling it, I also feel disappointed by the reaction to this.
Not only are they vulnerable versions of Microsoft's add-on disabled, but also all versions indiscriminately, including the patched version that Microsoft rolled out last this Tuesday. Just as some people may have been impacted by Microsoft's original silent installation, how does Mozilla know whether an end user actually uses sites that depend on that add-on or not?
Imagine what would have happened if Mozilla remotely disabled everyone's Flash plug-in each time a new vulnerability was discovered in it? There have been 0-day exploits in the wild for Flash and just think about it's install base. Or the Adobe Reader plug-in? Lord knows it's a more deserving candidate given its history.
In this case there may be some justification in that the unrequested component might pose yet unknown risks, but now I have to wonder what Microsoft's strategy will be during their next update cycle - to re-enable it given that they've fixed the hole in question? Did Mozilla just give Microsoft precedent that would support it disabling Chrome Frame in future?
As a customer of both parties I feel that I've been dragged into someone else's war, which is being waged with my computer as the battle field.
Re:Why was the MS plugin again legal? (Score:3, Insightful)
So, yes, it's OK when Microsoft installs functionality into Firefox that Firefox should, by all rights, already include compared to Sony installing software designed explicitly to disable existing features on your computer.
No.
Microsoft, if I allow them, can update the code they wrote on my system. But what you are talking about is no different from somebody over in Redmond deciding that your private documents were written poorly and needed to be re-done according to their preferences and took the liberty of doing so without telling you. Heck, I might even agree with their assessment of your writing, but I certainly wouldn't say it was okay for them to mess with it. --At least not without asking you first in a very up front manner.
-FL
Does anybody actually use these forced plugins? (Score:4, Insightful)
Is there any software which actually uses these .NET Helper and Windows Presentation Foundation plugins? Do these expose an API to let javascript code interact with the .NET framework or something? Do they let people write Firefox extensions in a .NET language? Do they let specially crafted Microsoft websites run .NET code in Firefox?
If users have nothing to gain from these plugins, then there is no reason they should exist.
Mozilla should not follow Microsoft- no phone home (Score:2, Insightful)
Re:Why was the MS plugin again legal? (Score:4, Insightful)
Try again anonymous Microsoft fanboi.
As far as I can see there is nothing special special in Firefox for Java to function unless you are referring to the standard plugin architecture that Firefox/Mozilla provides for all plugins.
Java is installed at the choice of the user where the .NET plugin is installed by a Windows update without informing the user. Once installed the Java plugin can easily be removed by the user via the Firefox configuration GUI but the .NET plugin can not be installed without doing some complicated registry and configuration hacks.
To me this looks like an attempt to drag Firefox down to the level of IE by silently adding .NET holes into Firefox and then they can say, "It's not us because Firefox has the same problems we do".
Re:Inconsistent logic (Score:5, Insightful)
Mike, I haven't seen anyone else say this, so allow me. As a grateful firefox user and evangelist, thanks for your efforts, contributions, and patience in putting up with all of us. Please pass this thanks on to your co-team members.
Re:Great (Score:3, Insightful)
because it lets you bring in the same .net vulnerabilities that IE has? Nobody asked for these to be brought into firefox. The issue is that they were installed without any confirmation. It was "installed for you".
duh. Go home you fucking shill.
Re:Great (Score:2, Insightful)
But how much execution? .NET supports sandboxed/isolated app domains.
Saying .NET has remote code execution is like saying Java and Flash do, unless you're specific.
I don't know yet what vulnerability, if any, existed, except that Firefox developers were annoyed Microsoft added another addon.
Google is NOT competing for browser share (Score:5, Insightful)
People, please let this idea die VERY quickly. Chrome is NOT there to get an install base for Chrome. It is there to get an install base for modern browsers with fast javascript/DOM.
Googles operates in the browser and in order to be able to get the next generation products out there, it needs to ensure that those products can be run. IE/MS ain't capable of this, so they both push MS by making them scared to completly loose the browser AND by capabilities to IE to make it play catch up with the real browsers.
In a way, what Google is doing is installing electricity cabling into every house. NOT because it wants to be in the utility business but because it has all these design for electric machines and they ain't going to be selling them to people who use candles and woodstoves.
MS on the other hand does NOT want people to have modern browsers, or rather not browsers that act like browsers. Its business relies on activex and .net and the like to keep apps closely tied to their windows OS.
MS fears projects like gmail and worse wave. It knows that its software is increasingly a major cost of computers (check it, hardware prices go down, MS prices go up) and while so far its software offers a lot more features, the sign of netbooks is that, a lot of them ain't needed. I got a netbook (with linux) that is not nearly as capable as a full PC. I can't game on it, its office tools are simplistic but guess what, it is all I really need.
MS has been selling XP, a lot, for netbooks but it has been doing it at a fraction of the price it would like to charge and really, it only sold XP so cheaply because else Linux would have been installed. You would be right in assuming a LOT of people would replace Linux with an OLD XP copy (license of an old PC you threw away is still valid) but MS doesn't even want the idea that there maybe yet another OS out there. An OS that while not perfect is good enough. People are already getting dangerously exposed to this idea by their cellphones. Quick poll, who has Windows Mobile and is willing to admit it? Everyone knows that an iPhone gets you the girls, this even goes for girls.
MS ideally wants to sell you their OS for 300+ dollars, that doesn't fit well for a 300- netbook or indeed a mobile phone, but that is MS business model, and ideally, you should spend another 300 for the office suit. (please, MS fanboys, do NOT link to student discounts or OEM versions. Full price for the box in the MS store.)
Google is doing something completly different. It is saying. Nah, you don't need a 300 dollar OS with a 300 dollar productivity suite. Just a browser (free) on free/cheap OS and you got all you really need. For free. Sure, there are some angles (your data is on the google servers) but for a lot of people, it is good enough.
AND that, is what scares MS. Because... even if people would still use windows, the window sthey would be using is their old XP. This is already the case in a many companies. And without the cashcows of Windows/Office, how can MS afford all its other attempts to control markets?
The browser wars are back, but they are being fought for a different reason. Chrome is NOT netscape 2.0
Re:Imagine this from the other side (Score:3, Insightful)
Two wrongs doesn't make a right.
Microsoft installing the plugin without the user's explicit concent, and no (easy) way to uninstall was, indeed, wrong.
But Mozilla unilaterally disabling it on the users' machines without an option not to is wrong too.
What about those who have:
What they see is that Mozilla goes in and deletes functionality on their machines. From a logical point of view, it's no better than, say, Amazon going in on end users' e-book readers and deleting specific books in order to right a wrong.
Again, two wrongs doesn't make a right, and by doing this, Mozilla has proven beyond doubt that they have the means to make unilateral changes to a user's machine, without giving the user a choice. This is VERY bad, and I really hope that the fallout will be that a fork appears that's guaranteed free of a backdoor for Mozilla to control the user's machine. No matter whether it's in the end users' "best interest".
But I fear that the average user will actually agree with this knee-jerk reaction, because they in their hearts truly believe truisms like "the enemy of your enemy is your friend" and "the end justifies the means". And presumably get a minor kick out of Mozilla sticking it to Microsoft (let's at least be adult enough to call a spade a spade, and admit that this is what Mozilla did -- the (patched) vulnerability was a convenient pretext to maintain the social illusion).
Re:Inconsistent logic (Score:2, Insightful)
Even presuming you tell the truth, did they really agree that Mozilla should "patch" by removing both vulnerable and patched versions, deny the user an option to choose not to block, and prevent him from (re)installing a non-vulnerable version?
Or did you add all these steps yourself, after being told it's to remove the vulnerable plugins (implicitly with the end user's consent).
Sorry, no, I do not trust you. You haven't given me a reason to. Just because you're the enemy of my enemy doesn't make you my friend. And that you continue to maintain the social illusion of this having absolutely nothing to do with making a small jab at Microsoft gives me a small incentive not to trust you.
Re:How about just disabling Microsoft? (Score:5, Insightful)
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
Not really if you look at where the real competition is occurring.
The REAL product that Microsoft is trying to protect is the Windows platform. This is how Microsoft maintains their monopoly. IE is merely a means to try to control the web market to use Windows only across the board. The windows platform maintains much of its monopoly power by controlling the software to run on only Windows. Microsoft has long known that 3rd party developers were a big factor in building their monopoly, and keeping them on Windows maintains that monopoly.
This plugin lets you run parts of .Net on Firefox, correct? .Net is largely Windows only software, correct? So by having Firefox (an increasingly popular web browser on Windows) run .Net software, Microsoft is trying to maintain .Net on web browsers as a viable platform. By doing this they try to ensure that you'll need a Windows computer to run .Net software on a browser. The alternative is that Web developers increasingly reject .Net components because of the increasing popularity of FireFox (and .Net not running on FireFox, thus developers don't want to lose the market share and choose non .Net alternatives). That's bad for Microsoft, since it means more inter-operability with other OS's, which would decrease the relevance of Windows.
Pretty clever, really. Frankly I think the Firefox developers should stop this nonsense not only because of the security concerns, but mainly because it's an attempt to control Firefox by Microsoft. Does Mozilla really want to answer to whatever Microsoft decides to inject into Firefox this week?
I also think it's a anti-competitive move by Microsoft and an abuse of their monopoly power. I doubt anyone will do anything about it though.
Re:Inconsistent logic (Score:3, Insightful)
I know I didn't intentionally install most of these, and the Acrobat and Windows Media Player ones are, I believe, the only ones I specifically installed or agreed to.
Recent versions of the Windows Presentation Foundation plug-in have enable/disable, so that can't be the reason for it.
I stand by my subject line: Mozilla is being inconsistent here.
Re:Read the TFA, MS suggested this! (Score:3, Insightful)
Why are you surprised? Microsoft isn't like some kind of cartoon supervillain... if they have a bug in the add-on, and no fix ready yet, then of course they want people to disable it.
Re:How about just disabling Microsoft? (Score:3, Insightful)
Re:Two words (Score:3, Insightful)
Except that Chrome Frame is doing this via modern standards (HTML5). So it can be used for more than just a single website, and if you don't like Chrome Frame, there's always another browser.
Re:and people wonder why MS has security problems (Score:4, Insightful)
And this is why more and more people don't trust software that isn't open source. Sure, your browser may be free software, but since the operating system is closed source, others can still play dirty tricks on you. If there is any non-free software on your computer, you don't really control it.
Wait, its okay for Firefox to have a kill switch? (Score:3, Insightful)
Given all the past fuss about Amazon, Apple, and Microsoft to have the ability to remotely disable features, software or addons it's suddenly not an issue that Firefox has the capability of pushing changes? While I think the Firefox devs gave some serious thought before throwing this switch, I don't think this is a no-brainer. What about environments where they need the .net add-on? Are they forced to go back to using IE? Do you see Microsoft disabling the old versions of Firefox or Adobe Flash?
If you want to read a mix of retarded, informative, and stupid comments have a look at the bug report https://bugzilla.mozilla.org/show_bug.cgi?id=522777 [mozilla.org]. For example - "Firefox shouldn't have to rely on IE patches for security" - this is not related to IE. It also seems to be political as they have no interest in determining if they have the .net update that negates the vulnerability (the vulnerability is not in the firefox add-on, its in .net which becomes accessible from within Firefox if the addon is enabled).
Re:Bogus (Score:3, Insightful)
A car analogy: If Ford could decide to add a part to your car next time you took it to be serviced, without asking or telling you what it did, and they had a history of shitty engineering, would you really want to have to take your car back in a week because the unauthorized add-on was found to cause the vehicle to burst into flames, or the doors not to be able to latch shut?
Re:Great (Score:5, Insightful)
I consider any plugin installed without my consent to be malicious, especially if it's a plugin FOR SOMEONE ELSE'S SOFTWARE.
Re:Great (Score:2, Insightful)
The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications [wikipedia.org] to run in Firefox and ClickOnce [wikipedia.org] program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?
To answer your question, No, it is in fact a bad thing. This is another instance of a typical microsoft strategy called "Embrace - Extend - Extinguish". To see how this works see the comment from the poster below:
I have over 100+ boxes at work that depend on this plugin. When I get into work tomorrow, if they're not working (they run FF), then I'm not going to have much choice but to switch back to IE, am I?
Microsoft have embraced Firefox by writing software for it, Extended it's functionality to add support for their own proprietary "standards" and now they are trying to extinguish Firefox by forcing Mozilla to remove a plugin that some users have come to rely on. If microsoft were serious about adding functionality to Firefox then they would have contributed source code to this open source project. One good thing has come from this though, the rug has been pulled from under this plugin quite early, probably before many users have become dependent on it, because it was only a matter of time (probably a few years) before microsoft withdrew this plugin themselves in an attempt to force users back to IE.
Re:Great (Score:3, Insightful)
First off, if you install Java even if you wanted to install it just for IE, or just to run a local program that runs java, it installs the Java Plugin for FireFox as well as ask you for the toolbar of the day. The same goes for Adobe Acrobat Reader if you just wanted to view a PDF, and is actually worse since the earlier installers would install Adobe AIR Without permission. Flash doesn't install to both by default, but the problem with Flash for FireFox is that it does not automatically update. (don't know why. The ActiveX Flash has an updater.)
Second. Again, I'm all for the blacklisting, Especially the 1.0 version since uninstall was not possible until 1.1. What I'm saying is that this needs to happen with other plugins with similar security issues and not just with Microsoft's because a few zealots are butthurt because they see a MS product in their Microsoft free FireFox.
In February, .NET 3.5 framework comes out and it has 2 verified exploits (See Here) [microsoft.com]. In that period of time, Adobe flash has had 4 exploits and Acrobat Reader had 8 (See Here) [adobe.com]. Java had 15 (not too sure of this number See Here) [sun.com] Now considering that none of the affected Adobe or Sun Plugins were blocked (as they should have been) Is this more of a political move because it's Microsoft or is it because Firefox cares about the security of their browser? (which they should.)
Re:Great (Score:5, Insightful)
Especially when it disables the friggen "uninstall" button!
Re:Great (Score:4, Insightful)
No, actually, it is not. Not at all a good thing, quite the opposite. If you are using firefox to run "content" via a closed, windows-only system like .net, you might as well be using IE. In fact that would be better - at least no one would be fooled into thinking they were writing something that would work on firefox when in fact it would only work on Windows/Firefox.
Because MS forced the plugin out without user consent and without even a disable option to begin with. Either of which is sufficient in and of itself to classify this bug as malware and remove it whenever encountered without further fuss.
Oh, indeed it is. MS nonetheless has been doing it regularly for decades, and usually get away with it.
Good to see Mozilla give them what they deserve, even if I do suspect astroturfers like you will wind up sadly blunting the impact as usual.
Re:Great (Score:3, Insightful)
He might well have installed it as a prerequisite for one particularly important application that was programmed by brain-dead chimps. Doesnt mean he wanted it hijacking his browser.
Re:Imagine this from the other side (Score:3, Insightful)
Sufficiently insecure software is indistinguishable from malware.