Firefox Disables Microsoft .NET Addon
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
Great (Score:3, Interesting)
All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?
Plugin-checker (Score:3, Interesting)
You have JavaScript disabled or are using a browser without JavaScript. This Plugin Check page does not work without the awesome power of JavaScript. Please enable this Content Preference and reload the page. Or disable all your plugins and keep JavaScript disabled... you'd be in good company, that's how RMS rolls [lwn.net].
Bad for Firefox in the long run? (Score:5, Interesting)
Two words (Score:4, Interesting)
Doesn't it seem a little odd that the company that is competing for market share in the web browser area would create an addon for a competing company?
Chrome Frame.
will MS release patch sooner (Score:2, Interesting)
The blocklist banned both of the plugins without any version limits. Even if MS releases updated plugin versions, the plugins will remain blocked. I suspect that MS will create new plugs and try to sneak them back into Firefox with .NET "security" updates.
I think Mozilla team even considers removing features abused by MS plugs.
It is nothing compared to VPC (Score:3, Interesting)
That issue is nothing (they asked for it in fact).
The issue which should make it into the books about tech irony is Virtual PC for Mac 7.x (if anyone uses it, UPDATE!). MS found a theoretical (not sure) issue in which Virtual PC's emulated X86/Hypervisor can MODIFY the OS X memory from "there".
While they were decent to fix it very quickly and shipped an update (7.0.3) confusing Mac users, that is one big amazing issue for you. Imagine by running (emulating in fact) a Windows, you risk your OS X memory locations with overwrite.
Why was the MS plugin again legal? (Score:5, Interesting)
Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).
Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.
I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..
Anyone else have an explanation why that plugin avoided legal consequences?
Re:Great (Score:2, Interesting)
Re:Bad for Firefox in the long run? (Score:5, Interesting)
Do you have a link for that? I'd be very interested to show more flaws in the design of .NET.
I know Chris Brumme's excellent weblog [msdn.com] about the CLR has quite a few interesting things to say, and even more if you read between the lines in places, you know he wants to say "we screwed this up big time" and he does say that occasionally. With hindsight, they did make some technical mistakes - throwing objects instead of just exceptions, allowing .Net apps to run in IIS [msdn.com] at all, thinking GC would remove the need for reference counting [msdn.com], and several marketing mistakes - telling everyone exceptions were very inexpensive (I recall one particularly misinformed MS drone telling me exceptions were free because it was all handled by the CLR... d'oh)(read the blog)
If ever there was an example of keeping it simple, .NET is it - as an example of what not to do. Hats off to Chris who I think is very intelligent and talented, but the scope and spec of what they asked of him was too awkward to make a perfect job of.
Re:Why was the MS plugin again legal? (Score:4, Interesting)
I'm sure whatever it was you installed from Sony that snuck the rootkit in had similar wording in its smallprint too.
I guess it's OK if MS does it, but not Sony?
Is There a Conspiracy? (Score:4, Interesting)
This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.
After all, the vulnerability has been known to Microsoft for several months, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.
(1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.
Re:Bad for Firefox in the long run? (Score:2, Interesting)
I forgot to mention in my previous post: It always shows up in the Plugin section of Addons (as it always did, found it odd to be displayed in both Plugins and Extensions sections, but whatever), even after the Plugin is uninstalled manually and the system and Firefox are restarted. Anyone know how to fix that?
Re:Inconsistent logic (Score:4, Interesting)
Re:Ha ha (Score:5, Interesting)
It's part of the Microsoft business model, IMO. (Score:5, Interesting)
Vulnerability is a business model for Microsoft, in my opinion and that of many people.
But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers [channelregister.co.uk]. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.
But, as they say in late-night infomercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.
Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.
So, maybe just being evil is another part of Microsoft's business model.
Re:This is very annoying for me (Score:3, Interesting)
Hey I agree with it not being installed by default, but I can't install it at all.
Re:Ha ha (Score:3, Interesting)
Mike,
Hi.
I have over 100+ boxes at work that depend on this plugin. When I get into work tomorrow, if they're not working (they run FF), then I'm not going to have much choice but to switch back to IE, am I?
I frankly did not know you guys had this ability to unilaterally disable things I depend on. That is a bit disturbing. It's going to unexpectedly cost me HOURS tomorrow.
Can you at least switch the block to only block unpatched versions? I'd agree with that.
Re:Oops (Score:1, Interesting)
Re:Bad for Firefox in the long run? (Score:3, Interesting)
What the hell, people?.. (Score:4, Interesting)
I think this was a real fumble for MS, and Mozilla took steps to prevent critical problems--don't know about the best steps, but at least they were quick to action. Imagine if this had not been done, and exploits for the problem started popping up like wildfire, or widespread browser/OS crashes became common; how many users would Firefox lose, due to a problem entirely of someone else's making? Let's not get confused over who's the bad guy. MS has the most to gain from any perceived flaws in a competing product, and their track record isn't exactly one that shows overwhelming care and concern for the end user. Even if not malicious, and chances are it's not, it still is another mark of incompetence on the overall company that they're releasing flawed software and forgetting courtesies like asking the user if they actually want the changes, not to mention not allowing them to revert it without 'popping the hood'.
Re:Imagine this from the other side (Score:5, Interesting)
Forget about the names involved and examine the situation more closely. A company took it upon itself to introduce an unknown security risk into a competitor's product by way of a stealth install. Said company further complicated the matter by making it next to impossible for average users to uninstall - provided they even became aware of the issue - and compounded it even further by having subsequent updates reinstall the software by stealth again.
I think that given this situation Mozilla did the right thing. Until Microsoft learns to work above board where Firefox plugins are concerned, Mozilla can and should disable them. It would be nice in the future if Mozilla offered users the option - and I think they will - to retain use of a plugin after being told it poses a security risk, but the only action I see in need of correction at the moment is for Microsoft to ask users explicitly for permission to install an add-on to non-Microsoft software on a system.
Re:How about just disabling Microsoft? (Score:3, Interesting)
The Real Question is... (Score:3, Interesting)
Re:Bad for Firefox in the long run? (Score:3, Interesting)
The modern CLR seems fairly sensible to me; definitely several steps ahead of the JVM (e.g., compare how parametric polymorphism is handled).
The article you link to on GC is an in-depth discussion on the cost of implementing finalisation in the GC. These problems are well known and, more to the point, are only some of the reasons why implicit (nondeterministic) finalisation is a Bad Thing. Reference counting memory allocators are much slower than mark-and-sweep memory management for most programs, mainly because of all the bookkeeping the mutator (i.e., your application) has to do.
With regards to exception handling being slow, this is something that has always made me curious: why would anyone use exceptions in a situation where they expect exceptions to be thrown frequently (i.e., not exceptionally!)?
For both these points, yes I can come up with examples where reference counting would be sensible and where fast exception handling would be useful, but these would be very special cases that are not representative of most programs.
The .NET CLR is surely not perfect, but I can't think of any competing schemes that do better (C-- is a possibility, but that project has unfortunately been stuck in first gear for a while).
Re:Bad for Firefox in the long run? (Score:3, Interesting)
> If ever there was an example of keeping it simple, .NET is it - as an example of what not to do.
I don't think the design goal of .NET was ever to "keep it simple". It could be a lot simpler if its design goals were like the JVM's - a VM specifically designed to run a single language that is very restrictive in terms of what one can do with it. .NET, however, was originally designed as a VM for which you could write a full-featured ISO C++ compiler producing strictly bytecode (not necessarily verifiable - can't really do it with C++ - but 100% "managed"). Because of that, it's far more feature-rich than the JVM from its user's perspective, and that, of course, means "more complicated".
In fact, one of the recent .NET vulnerabilities specifically has to do with an obscure CLR feature [microsoft.com] that, so far as I know, was originally added to it solely for the sake of C++.
Re:Why was the MS plugin again legal? (Score:3, Interesting)
Now, with the exception of Windows Vista and Windows 7, the .NET Framework must also be explicitly installed by the user.
Here's an interesting question. If you start with a clean Vista or Win7 install (which already has .NET), and then put Firefox on it, then it won't get the .NET extension in it, right? because .NET installer doesn't get a chance to run and put it there...
Re:and people wonder why MS has security problems (Score:3, Interesting)
> In what universe is it acceptable for vendor A to modify vendor B's software on User C's
> (i.e. my) computer?
This one. Various antivirus software hooks into Firefox and modifies its behavior (in Kaspersky's case by activating normally inactive codepaths that make DOM manipulation 100x slower or so in many cases). Various software (Adobe, etc) drop binary plug-ins into both IE and Firefox (and anything else they can). Various software of dubious provenance throws various dlls into the Firefox process that do ... something. Mostly crash a lot, given the lists of dlls and the crash correlations to those in the Mozilla crash database....
I agree that this behavior sucks, but it seems to be the norm, at least on Windows.