Mozilla Microsoft

Firefox Disables Microsoft .NET Addon 448

ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
This discussion has been archived. No new comments can be posted.

  • Great (Score:3, Interesting)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Sunday October 18, 2009 @08:06AM (#29783349) Journal

    All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?

  • Plugin-checker (Score:3, Interesting)

    by Norsefire ( 1494323 ) * on Sunday October 18, 2009 @08:14AM (#29783377) Journal
    The TFA makes a reference to Mozilla's new Plugin checker [mozilla.com]. I just went there with JavaScript disabled and ...

    You have JavaScript disabled or are using a browser without JavaScript. This Plugin Check page does not work without the awesome power of JavaScript. Please enable this Content Preference and reload the page. Or disable all your plugins and keep JavaScript disabled... you'd be in good company, that's how RMS rolls [lwn.net].

  • by cyclocommuter ( 762131 ) on Sunday October 18, 2009 @08:19AM (#29783399)
    I might be mistaken but don't these add-ons/plugins from Microsoft specifically allow certain web pages to render properly under Firefox which otherwise would have required users to run IE? If so Microsoft centric IT Enterprise users who have started using Firefox at work might revert back to IE. This might reduce the gains that Firefox has been achieving in Microsoft centric IT Enterprise shops.
  • Two words (Score:4, Interesting)

    by Norsefire ( 1494323 ) * on Sunday October 18, 2009 @08:19AM (#29783405) Journal

    Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create an addon for a competing company?

    Chrome Frame.

  • by tokul ( 682258 ) on Sunday October 18, 2009 @08:26AM (#29783431)

    Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner.

    The blocklist banned both plugins without any version limits. Even if MS releases updated plugin versions, the plugins will remain blocked. I suspect that MS will create new plugs and try to sneak them back to Firefox with .NET "security" updates.

    I think Mozilla team even considers removing features abused by MS plugs.

  • by Ilgaz ( 86384 ) on Sunday October 18, 2009 @08:31AM (#29783449) Homepage

    That issue is nothing (they asked for it in fact).

    The issue which should make it into the books about tech irony is Virtual PC for Mac 7.x (if anyone uses it, UPDATE!). MS found a theoretical (not sure) issue in which Virtual PC's emulated X86/Hypervisor can MODIFY the OS X memory from "there".

    While they were decent to fix it very quickly and shipped an update (7.0.3) confusing Mac users, that is one big amazing issue for you. Imagine by running (emulating in fact) a Windows, you risk your OS X memory locations with overwrite.

  • by cheros ( 223479 ) on Sunday October 18, 2009 @08:34AM (#29783467)

    Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).

    Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.

    I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..

    Anyone else have an explanation why that plugin avoided legal consequences?

  • Re:Great (Score:2, Interesting)

    by xonicx ( 1009245 ) on Sunday October 18, 2009 @08:41AM (#29783503)
    Not really. I was on the verge of switching to chrome because of firefox getting stuck while typing in address bar. Disabling "Windows Foundation Presentation" magically fixed the problem.
  • by gbjbaanb ( 229885 ) on Sunday October 18, 2009 @09:06AM (#29783615)

    Do you have a link for that? I'd be very interested to show more flaws in the design of .NET.

    I know Chris Brumme's excellent weblog [msdn.com] about the CLR has quite a few interesting things to say, and even more if you read between the lines in places, you know he wants to say "we screwed this up big time" and he does say that occasionally. With hindsight, they did make some technical mistakes - throwing objects instead of just exceptions, allowing .Net apps to run in IIS [msdn.com] at all, thinking GC would remove the need for reference counting [msdn.com], and several marketing mistakes - telling everyone exceptions were very inexpensive (I recall one particularly misinformed MS drone telling me exceptions were free because it was all handled by the CLR... d'oh)(read the blog)

    If ever there was an example of keeping it simple, .NET is it - as an example of what not to do. Hats off to Chris who I think is very intelligent and talented, but the scope and spec of what they asked of him was too awkward to make a perfect job of.

  • by gbjbaanb ( 229885 ) on Sunday October 18, 2009 @09:13AM (#29783653)

    I'm sure whatever it was you installed from Sony that snuck the rootkit in had similar wording in its small print too.

    I guess it's OK if MS does it, but not Sony?

  • by Mad Hamster ( 870092 ) on Sunday October 18, 2009 @09:32AM (#29783743)
    After last Patch Tuesday (yes, this is a confession I do have some Windows boxes), Firefox on my systems developed an issue with pages displaying in sort of a text-only mode when using the Refresh button(1). Page load times were also longer than usual. Those issues disappeared immediately once Mozilla's block of the .NET addon & the WPF plugin arrived.

    This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.

    After all, the vulnerability has been known to Microsoft for several months, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.

    (1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.
  • by thejynxed ( 831517 ) on Sunday October 18, 2009 @09:45AM (#29783831)

    I forgot to mention in my previous post: It always shows up in the Plugin section of Addons (as it always did, found it odd to be displayed in both Plugins and Extensions sections, but whatever), even after the Plugin is uninstalled manually and the system and Firefox are restarted. Anyone know how to fix that?

  • by Mike Shaver ( 7985 ) on Sunday October 18, 2009 @09:57AM (#29783895) Homepage
    That statement is consistent with what I heard from Microsoft, though their post has been updated since that conversation. And MSFT has seen that text; if it's not correct, I'm sure I'll hear it from them, and will be happy to correct it. (I wrote the text pretty quickly, since it was late on Friday night and we were getting inbound already from the blocklist addition.) But that's really ancillary to the issue, which is that Firefox users are vulnerable to a problem that we learned about this week, which is labelled as an IE problem/patch. Microsoft and Mozilla agreed that we should block the plugin and add-on to mitigate the risk while we made sure that FF users were going to install that IE patch. This isn't an us-vs-them thing, but I don't know who you're talking to at Microsoft who is saying different things.
  • Re:Ha ha (Score:5, Interesting)

    by Mike Shaver ( 7985 ) on Sunday October 18, 2009 @10:14AM (#29783993) Homepage
    I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.
  • by Anonymous Coward on Sunday October 18, 2009 @10:21AM (#29784043)
    Vulnerability to malware is very profitable for Microsoft and its main customers, computer manufacturers. When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has security risks. See the New York Times article Corrupted PC's Find New Home in the Dumpster [nytimes.com].

    Vulnerability is a business model for Microsoft, in my opinion and that of many people.

    But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers [channelregister.co.uk]. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.

    But, as they say in late-night infomercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.

    Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.

    So, maybe just being evil is another part of Microsoft's business model.
  • by Winckle ( 870180 ) <mark&winckle,co,uk> on Sunday October 18, 2009 @10:22AM (#29784047) Homepage

    Hey I agree with it not being installed by default, but I can't install it at all.

  • Re:Ha ha (Score:3, Interesting)

    by wasabii ( 693236 ) on Sunday October 18, 2009 @10:53AM (#29784285)

    Mike,

    Hi.

    I have over 100+ boxes at work that depend on this plugin. When I get into work tomorrow, if they're not working (they run FF), then I'm not going to have much choice but to switch back to IE, am I?

    I frankly did not know you guys had this ability to unilaterally disable things I depend on. That is a bit disturbing. It's going to unexpectedly cost me HOURS tomorrow.

    Can you at least switch the block to only block unpatched versions? I'd agree with that.
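
Added example, not part of any comment in this thread and not Mozilla's code: tokul's and wasabii's comments turn on whether a blocklist entry carries version limits. The sketch below uses a constructed, simplified entry format with a placeholder add-on id and placeholder version numbers to show how a blanket entry and a version-ranged entry treat the same installed versions.

```javascript
// Simplified blocklist matching. The entry format, the add-on id and all
// version numbers are constructed for illustration; this is not Mozilla's
// blocklist format or its version comparator.

// Compare dotted numeric versions so that "1.0.10" sorts after "1.0.9".
// Simplification: non-numeric version parts are treated as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// An entry without `ranges` blocks every version of the add-on.
// An entry with ranges blocks only versions inside [min, max];
// a missing bound leaves that side open.
function isBlocked(blocklist, addon) {
  const entry = blocklist.find((e) => e.id === addon.id);
  if (!entry) return false;
  if (!entry.ranges || entry.ranges.length === 0) return true;
  return entry.ranges.some((r) =>
    (r.min === undefined || compareVersions(addon.version, r.min) >= 0) &&
    (r.max === undefined || compareVersions(addon.version, r.max) <= 0));
}

const ADDON_ID = "example-addon@vendor.invalid";                 // placeholder id
const blanketList = [{ id: ADDON_ID }];                          // no version limits
const rangedList = [{ id: ADDON_ID, ranges: [{ max: "1.0.9" }] }]; // up to 1.0.9 only

// Evaluate a few constructed installed versions against one list.
function report(list) {
  return ["1.0.2", "1.0.9", "1.0.10", "2.0"].map(
    (v) => `${v}:${isBlocked(list, { id: ADDON_ID, version: v }) ? "blocked" : "allowed"}`
  );
}

console.log("blanket:", report(blanketList).join(" "));
console.log("ranged: ", report(rangedList).join(" "));
```

A ranged entry only helps when the fixed build reports a different add-on version than the vulnerable one.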

  • Re:Oops (Score:1, Interesting)

    by Anonymous Coward on Sunday October 18, 2009 @12:20PM (#29784799)
    Wouldn't a better option be to allow automated/no-registration bug reports on a different bug tracker? Have a bug wrangler or two push the useful information on to the real tracker, and aggressively delete the crap.
  • by spikenerd ( 642677 ) on Sunday October 18, 2009 @12:52PM (#29784995)
    I worked under Brian (bal) when he left .NET. He accepted a position as an architect in another division. I left a couple of years later (but that's another story--I'd love to tell it). It seemed to me at the time that he was just moving upward, not really taking a stand against Microsoft's bad practices. ...or maybe they were just really good at keeping those kind of things quiet. He was always too clear-headed to fully drink the MS kool-aid. Hmm. I suppose I could believe that they gagged him as part of the terms of his new position. Do you have any sources on this information? I'd really like to hear about it.
  • by uuddlrlrab ( 1617237 ) on Sunday October 18, 2009 @12:58PM (#29785021)
    Though it has been exhaustively stated already, it bears repeating...so I'll repeat it: the .NET plugin or extension (whatever it is) does not allow users to disable or uninstall it via normal interfaces. Basically, without Mozilla's patch, you have to do some file system & registry spelunking to close this breach; like someone mentioned, that's not something the average user is going to look forward to, and for many is far beyond their scope of capabilities. To my knowledge, no other plugin or extension exhibits this bad behavior, nor are they foisted on the user via sleight-of-hand as a "security update." Furthermore, to those who balk that Mozilla can't differentiate between unpatched and patched versions, once again, this plugin came from MS. If it's their plugin for their .NET framework, that is exclusive to their OS, wouldn't that sort of make it their responsibility to have it include version info, or some way to check, via the filesystem or registry details, the .NET file version numbers/installed ver info and report it back to firefox? Hell, wouldn't it be on them to ask the user if they want to install it, along with making it fully removable in the first place? How, precisely, should Mozilla, an entirely separate org who I don't imagine ever anticipated having such a wonky problem be created for their browser's extensions, handle this, if not via the patch they released? Why is everyone defending Bill & Steve?

    I think this was a real fumble for MS, and Mozilla took steps to prevent critical problems--don't know about the best steps, but at least they were quick to action. Imagine if this had not been done, and exploits for the problem started popping up like wildfire, or widespread browser/OS crashes became common; how many users would firefox lose, due to a problem entirely of someone else's making? Let's not get confused over who's the bad guy. MS has the most to gain from any perceived flaws in a competing product, and their track record isn't exactly one that shows overwhelming care and concern for the end user. Even if not malicious, and chances are it's not, it still is another mark of incompetence on the overall company that they're releasing flawed software and forgetting courtesies like asking the user if they actually want the changes, not to mention not allowing them to revert it without 'popping the hood'.
  • by Dreadneck ( 982170 ) on Sunday October 18, 2009 @01:02PM (#29785045)

    Forget about the names involved and examine the situation more closely. A company took it upon itself to introduce an unknown security risk into a competitor's product by way of a stealth install. Said company further complicated the matter by making it next to impossible for average users to uninstall - provided they even became aware of the issue - and compounded it even further by having subsequent updates reinstall the software by stealth again.

    I think that given this situation Mozilla did the right thing. Until Microsoft learns to work above board where Firefox plugins are concerned, Mozilla can and should disable them. It would be nice in the future if Mozilla offered users the option - and I think they will - to retain use of a plugin after being told it poses a security risk, but the only action I see in need of correction at the moment is for Microsoft to ask users explicitly for permission to install an add-on to non-Microsoft software on a system.

  • by AvalancheBurn ( 1419817 ) on Sunday October 18, 2009 @01:09PM (#29785107)
    I agree with your points, that is what I was getting at with the question. Microsoft is really pushing it a little too far when it comes to placing .new code in a third party application. The problem is that with most microsoft code there are going to be bugs throughout it, this is even more so when dealing with a third party application like firefox. I think they should stick to their os and leave the rest to others because they end up causing more issues than they solve.
  • by Nom du Keyboard ( 633989 ) on Sunday October 18, 2009 @04:55PM (#29786853)
    The real question is: what took them so long?
  • by ralphbecket ( 225429 ) on Sunday October 18, 2009 @06:54PM (#29787775)

    The modern CLR seems fairly sensible to me; definitely several steps ahead of the JVM (e.g., compare how parametric polymorphism is handled).

    The article you link to on GC is an in-depth discussion on the cost of implementing finalisation in the GC. These problems are well known and, more to the point, are only some of the reasons why implicit (nondeterministic) finalisation is a Bad Thing. Reference counting memory allocators are much slower than mark-and-sweep memory management for most programs, mainly because of all the bookkeeping the mutator (i.e., your application) has to do.

    With regards to exception handling being slow, this is something that has always made me curious: why would anyone use exceptions in a situation where they expect exceptions to be thrown frequently (i.e., not exceptionally!)?

    For both these points, yes I can come up with examples where reference counting would be sensible and where fast exception handling would be useful, but these would be very special cases that are not representative of most programs.

    The .NET CLR is surely not perfect, but I can't think of any competing schemes that do better (C-- is a possibility, but that project has unfortunately been stuck in first gear for a while).

  • by shutdown -p now ( 807394 ) on Sunday October 18, 2009 @07:03PM (#29787823) Journal

    If ever there was an example of keeping it simple, .NET is it - as an example of what not to do.

    I don't think the design goal of .NET was ever to "keep it simple". It could be a lot simpler if its design goals were like JVM - a VM specifically designed to run a single language that is very restrictive in terms of what one can do with it. .NET, however, was originally designed as VM for which you could write a full-featured ISO C++ compiler producing strictly bytecode (not necessarily verifiable - can't really do it with C++ - but 100% "managed"). Because of that, it's far more feature-rich than JVM from its user's perspective, and that, of course, means "more complicated".

    In fact, one of the recent .NET vulnerabilities specifically has to do with an obscure CLR feature [microsoft.com] that, so far as I know, was originally added to it solely for the sake of C++.

  • by shutdown -p now ( 807394 ) on Sunday October 18, 2009 @07:10PM (#29787861) Journal

    Now, with the exception of Windows Vista and Windows 7, the .NET Framework must also be explicitly installed by the user.

    Here's an interesting question. If you start with a clean Vista or Win7 install (which already has .NET), and then put Firefox on it, then it won't get the .NET extension in it, right? because .NET installer doesn't get a chance to run and put it there...

  • by BZ ( 40346 ) on Sunday October 18, 2009 @09:38PM (#29788715)

    > In what universe is it acceptable for vendor A to modify vendor B's software on User C's
    > (i.e. my) computer?

    This one. Various antivirus software hooks into Firefox and modifies its behavior (in Kaspersky's case by activating normally inactive codepaths that make DOM manipulation 100x slower or so in many cases). Various software (Adobe, etc) drop binary plug-ins into both IE and Firefox (and anything else they can). Various software of dubious provenance throws various dlls into the Firefox process that do ... something. Mostly crash a lot, given the lists of dlls and the crash correlations to those in the mozilla crash database....

    I agree that this behavior sucks, but it seems to be the norm, at least on Windows.
