6466307
story
Comments:
448
+-
Technology: Firefox Disables Microsoft
Comments:
448
+-
Technology: Firefox Disables Microsoft .NET Addon on Sunday October 18, @07:06AM
Posted
by
kdawson
on Sunday October 18, @07:06AM
from the with-their-consent-of-course dept.
from the with-their-consent-of-course dept.
background: url(//a.fsdn.com/sd/topics/topicmozilla.gif); width:80px; height:64px;
mozilla
background: url(//a.fsdn.com/sd/topics/topicms.gif); width:75px; height:55px;
microsoft
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
Related Stories
Duct tape is like the force. It has a light side, and a dark side, and
it holds the universe together ...
-- Carl Zwanzig
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
Oops (Score:4, Informative)
I just checked my addons and whilst I don't have the Microsoft addon, I do have an AVG one which is disabled. Clicking on the more information link (https://en-gb.www.mozilla.com/en-GB/blocklist/) presents me with a page that says:
Whilst it is nice to see they've done it, it's a shame that they didn't test the end to end user flow.
Bad for Firefox in the long run? (Score:5, Interesting)
Re:Bad for Firefox in the long run? (Score:5, Informative)
Oh, I think not. The "functionality" added is Windows specific. Websites _should not_ be OS specific. And Microsoft had _no business_ shoving their plug-in silently into Firefox. And most of all. .NET is now a security nightmare: Brian LaMacchia, one of the authors of ".NET Framework Security", resigned from .NET development rather than continue with it. (LaMacchia's career is fascinating: if you'd like to follow a trail of an expert engineer getting involved in projects that are doomed for mishandling security, perhaps in spite of his best efforts, check out his career.)
Parent
Re:Bad for Firefox in the long run? (Score:5, Interesting)
Do you have a link for that? I'd be very interested to show more flaws in the design of .NET.
I know Chris Brumme's excellent weblog [msdn.com] about the CLR has quite a few interesting things to say, and even more if you read between the lines in places, you know he wants to say "we screwed this up big time" and he does say that occasionally. With hindsight, they did make some technical mistakes - throwing objects instead of just exceptions, allowing .Net apps to run in IIS [msdn.com] at all, thinking GC would remove the need for reference counting [msdn.com], and several marketing mistakes - telling everyone exceptions were very inexpensive (I recall one particularly misinformed MS drone telling me exceptions were free because it was all handled by the CLR... d'oh)(read the blog)
If ever there was an example of keeping it simple, .NET is it - as an example of what not to do. Hats off to Chris who I think is very intelligent and talented, but the scope and spec of what they asked of him was too awkward to make a perfect job of.
Parent
Re:Bad for Firefox in the long run? (Score:5, Informative)
You better check again, as the plugin tries to re-install itself silently when a .NET service is called from a website in Firefox, and also via the recent batch of patches from Microsoft. The only way to be sure is to double-check and not only nuke the appropriate registry entry, but the entire sub-folder of your .NET installation the plugin is installed to, as well as resetting the ID string in About:Config. Then you should proceed to disable that update from being downloaded or displayed via Automatic Updates.
The really disturbing thing I found, is that after sneakily re-installing itself via the latest patch from MS, the plugin is not displayed at all in the Addons/Extensions portion of the Firefox configuration screen. The only reason I even found it reinstalled, was that warning from Firefox when the nasa.gov site attempted to load the plugin while viewing their photo galleries.
Yes, it was my fault to have updates set on Automatic/Automatic, which has since been remedied on this system. I was irresponsibly lazy on the matter.
Parent
MS kinda overstepped its bounds on this one. (Score:4, Insightful)
Microsoft has deservedly taken a LOT of sh*t for forcing this addon into Firefox unannounced - AND preventing you from disabling or uninstalling it - unless you yank it out of the registry. It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"
Re:MS kinda overstepped its bounds on this one. (Score:4, Insightful)
It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"
You seem quite lost. They're not blocking it for that reason, but because it had a security vulnerability.
Parent
Re:MS kinda overstepped its bounds on this one. (Score:4, Insightful)
The .NET installer/updater that forces this addon into Firefox is running as administrator or even system rights. How should a non-running app protect itself against a code injection in their home directory done by a process with system privileges? Without creating another mess of cryptographic signing, super-super user and files undeletable when Joe Sixpack decides to uninstall?
I'm sure the Firefox team is working on hardening their application against scummy plugins that disallow being uninstalled, but I fear it's not exactly trivial protecting against administrator privileged malware without breaking a whole lot of other stuff.
Parent
Read the TFA, MS suggested this! (Score:5, Informative)
From the TFA, it is clear that Microsoft approves of this particular move. I quote
It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.
I mean, this damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everbody wants to read the MS KnowledgeBase article [microsoft.com] and implement it themselves. At least, not my mom.
Re:Read the TFA, MS suggested this! (Score:5, Insightful)
and Microsoft is recommending that all users disable the add-on.
Well gosh, that "unable-to-be-disabled" feature seems really quite stupid now, doesn't it?
Parent
Why was the MS plugin again legal? (Score:5, Interesting)
Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).
Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.
I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..
Anyone else an explanation why that plugin avoided legal consequences?
Re:Why was the MS plugin again legal? (Score:5, Insightful)
Parent
Re:Why was the MS plugin again legal? (Score:4, Interesting)
I'm sure whatever it was you installed from Sony that snuck the rootkit in had similar wording in its smallprint too.
I guess its ok if MS does it, but not Sony?
Parent
My surreal experience (Score:4, Funny)
Nuke it with regedit... (Score:5, Informative)
For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions
Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'
Rule 1: Don't talk about the registry (Score:5, Funny)
Parent
Re:Nuke it with regedit... (Score:4, Insightful)
Only nukes the addon, the plugin is hiding in C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (and C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll if you have the .NET 4.0 beta).
Remove HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5
And HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF, version=4.0 if you have the 4.0 beta
Parent
Re:Nuke it with regedit... (Score:5, Funny)
Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'
Be careful. If you accidentally delete key {20a82645-c095-46ed-80e3-08855760534b}, your machine explodes.
Parent
Imagine this from the other side (Score:5, Insightful)
Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."
Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.
That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...
Re:Imagine this from the other side (Score:4, Insightful)
Parent
Re:Imagine this from the other side (Score:4, Insightful)
If Mozilla had been installing Firefox without the users' consent and prevented the same users from uninstalling it, then yes, Microsoft would have been justified to hit the kill switch. The same way, if it was just a regular Firefox Addon that MS distributed (that the user explicitly installs and can uninstall at any time), I doubt Mozilla would have made a fuss about it.
Parent
Re:Imagine this from the other side (Score:4, Informative)
Parent
Re:Imagine this from the other side (Score:5, Interesting)
Forget about the names involved and examine the situation more closely. A company took it upon itself to introduce an unknown security risk into a competitor's product by way of a stealth install. Said company further complicated the matter by making it next to impossible for average users to uninstall - provided they even became aware of the issue - and compounded it even further by having subsequent updates reinstall the software by stealth again.
I think that given this situation Mozilla did the right thing. Until Microsoft learns to work above board where Firefox plugins are concerned, Mozilla can and should disable them. It would be nice in the future if Mozilla offered users the option - and I think they will - to retain use of a plugin after being told it poses a security risk, but the only action I see in need of correction at the moment is for Microsoft to ask users explicitly for permission to install an add-on to non-Microsoft software on a system.
Parent
Is There a Conspiracy? (Score:4, Interesting)
This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.
After all the vulnerability has been known to Microsoft for severeal motbhs, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.
(1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.
While they're at it... (Score:5, Informative)
It's proprietary and full of ads! Just what I wanted, an extension that checks for updates of my Adobe Reader software. Uninstalled. The Firefox team should send a message. Firefox add-ons are not yours to take over like the Windows startup.
Re:Great (Score:5, Funny)
Microsoft has put billions of dollars into developing the most effective and efficient security vulnerabilities to date. I can only watch in awe and wonder.
Parent
It's part of the Microsoft business model, IMO. (Score:5, Interesting)
Vulnerability is a business model for Microsoft, in my opinion and that of many people.
But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers [channelregister.co.uk]. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.
But, as they say in late-night informercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.
Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.
So, maybe just being evil is another part of Microsoft's business model.
Parent
The real reason why they want to hack user agent (Score:4, Insightful)
While some slashdotters think otherwise, Java/Windows install base is huge thanks to couple of very popular apps and tiny games. Since companies these days looks for multi platform, multi arch; MS needed to show that their herd has been installed/infected by .NET too.
So, they haxor the user agent to show that clueless CTO that their 90% of users have .NET so they should use it instead of massively multi platform Java.
Anyway, as you see, karma is a real bitch and if Sun had a real management, they could milk this issue but... Lucky for MS, Sun is under auto pilot, even under Larry Ellison's Oracle.
Parent
Re:Great (Score:5, Informative)
Parent
Re:Great (Score:5, Informative)
Parent
Re:Great (Score:5, Informative)
Not exactly. It also allows you to run .Net and WPF apps inline in the browser, hosting a CLR instance. Not to mention mapping the ClickOnce file type.
Parent
Re:Great (Score:5, Informative)
All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?
For anyone curious as to the real state of affairs behind this MS plugin issue, you might be interested in a few things. For everyone else just enjoying a good anti-Microsoft circle-jerk, ignore this post.
The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications [wikipedia.org] to run in Firefox and ClickOnce [wikipedia.org] program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?
This is the bug [mozilla.org] in question. There is a lot of interesting comment there, including the fact that while everyone is crying about Microsoft "secretly" adding the plugin and preventing users from disabling it, Mozilla doesn't even give users an option to enable it! Their blocklist is all or nothing. Why doesn't that bother anyone here? One poster [mozilla.org] is very insightful:
But perhaps the best thing about this entire issue, is that Mozilla didn't block the plugins until AFTER they were patched and the mechanism of the block is retarded. Mozilla is claiming [mozilla.com] that Microsoft agreed to issuing the block of the affected plugins, and that might be true, but only to an extent. Mozilla is currently blocking the plugins based on the name of the plugin, not the version, which means users who have installed the patched version of the plugs (at this point almost everyone using Windows Update) are still unable to use the plugins and have no way to re-enable them.
So essentially, by issuing this patch, Mozilla is doing nothing but hurting its business customers. Slashdotters can scratch their heads trying to figure out who uses these technologies, but the answer is a lot of businesses do. This absolute, non-scriptable and non-changeable block of these plugins will just remind corporations that open source isn't ready for the big leagues and they should just stick with Microsoft and IE. The sad thing is that if this kind of knee-jerk, carte-blanche blocking behavior becomes the norm for Mozilla, they will probably be right! Taking this kind of control away from the users is simply unacceptable, doubly so for businesses.
If you're wondering what MS says about this, you might take a look at this [technet.com]:
So there it is -- pretty much everyone
Parent
Re:Great (Score:5, Insightful)
I consider any plugin installed without my consent to be malicious, especially if it's a plugin FOR SOMEONE ELSE'S SOFTWARE.
Parent
Re:Great (Score:5, Insightful)
Especially when it disables the friggen "uninstall" button!
Parent
Re:Great (Score:5, Informative)
There is no version difference for the plugin or add-on between patched and unpatched systems. That's one reason that this is so messy right now; if we had known about the Firefox aspect of the vulnerability before the SRD blog post, we would have suggested just that sort of version bump.
Parent
Re:How about just disabling Microsoft? (Score:5, Funny)
FYI, it doesn't help at all !!!
I have Microsoft disabled (I run Gentoo Linux), and my Firefox failed miserably to disable the .Net plug-in. I spent a day clicking on the menus and recompiling updates, and I still don't get the pop-up :(
On the bright side, my system now runs 1.27% faster compared to yesterday. It feels like 10% faster, really.
Parent
Two words (Score:4, Interesting)
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
Chrome Frame.
Parent
Google is NOT competing for browser share (Score:5, Insightful)
People, please let this idea die VERY quickly. Chrome is NOT there to get an install base for Chrome. It is there to get an install base for modern browsers with fast javascript/DOM.
Googles operates in the browser and in order to be able to get the next generation products out there, it needs to ensure that those products can be run. IE/MS ain't capable of this, so they both push MS by making them scared to completly loose the browser AND by capabilities to IE to make it play catch up with the real browsers.
In a way, what Google is doing is installing electricity cabling into every house. NOT because it wants to be in the utility business but because it has all these design for electric machines and they ain't going to be selling them to people who use candles and woodstoves.
MS on the other hand does NOT want people to have modern browsers, or rather not browsers that act like browsers. Its business relies on activex and .net and the like to keep apps closely tied to their windows OS.
MS fears projects like gmail and worse wave. It knows that its software is increasingly a major cost of computers (check it, hardware prices go down, MS prices go up) and while so far its software offers a lot more features, the sign of netbooks is that, a lot of them ain't needed. I got a netbook (with linux) that is not nearly as capable as a full PC. I can't game on it, its office tools are simplistic but guess what, it is all I really need.
MS has been selling XP, a lot, for netbooks but it has been doing it at a fraction of the price it would like to charge and really, it only sold XP so cheaply because else Linux would have been installed. You would be right in assuming a LOT of people would replace Linux with an OLD XP copy (license of an old PC you threw away is still valid) but MS doesn't even want the idea that there maybe yet another OS out there. An OS that while not perfect is good enough. People are already getting dangerously exposed to this idea by their cellphones. Quick poll, who has Windows Mobile and is willing to admit it? Everyone knows that an iPhone gets you the girls, this even goes for girls.
MS ideally wants to sell you their OS for 300+ dollars, that doesn't fit well for a 300- netbook or indeed a mobile phone, but that is MS business model, and ideally, you should spend another 300 for the office suit. (please, MS fanboys, do NOT link to student discounts or OEM versions. Full price for the box in the MS store.)
Google is doing something completly different. It is saying. Nah, you don't need a 300 dollar OS with a 300 dollar productivity suite. Just a browser (free) on free/cheap OS and you got all you really need. For free. Sure, there are some angles (your data is on the google servers) but for a lot of people, it is good enough.
AND that, is what scares MS. Because... even if people would still use windows, the window sthey would be using is their old XP. This is already the case in a many companies. And without the cashcows of Windows/Office, how can MS afford all its other attempts to control markets?
The browser wars are back, but they are being fought for a different reason. Chrome is NOT netscape 2.0
Parent
Re:How about just disabling Microsoft? (Score:4, Insightful)
So your argument against people switching away from MS, is that people use MS??
That's the classical excuse of to beta human: I can't do it, because nobody does it.
And why does "nobody" do it? Because everybody uses that "argument" to not do it!
The best thing is, that it isn't even remotely true that nobody does it. You're reading a comment from someone doing it right now. But it's so convenient to ignore it that, isn't it?
Maybe that's the difference between alphas and betas. Alphas have no problem being the first in the club, to start dancing. No they even grab a girl and make a show out of it! ^^ (Because they know that that makes them the leader. Something that is very handy and feels great. Killing any insecurity-based awkwardness.)
So if one person can do it, then two can too. Including handling MS file formats. Including the ability to be in a MS (SMB) network. And so on.
So if two can do it, everybody can.
Which means nobody needs to use MS software. But they want it! Why? Because it's less effort. One can be lazy. And the excuses "always work", to lie even to oneself, about wanting to switch.
"Oh, if only others would use it! Then I would too! But in this situation? No way!" Except that you wouldn't. Or if you would, then I wonder what a pathetic kind of cattle you are, for always trying to conform, even if it's not what you like.
Hell, I'd even prefer to hear that you actually prefer Windows, and that this is mostly because you don't like all the work required to switch. That would at least be honest. And while not agreeing with the view, I could absolutely comprehend and accept it.
Do yourself a favor, stop imitating others just to be "accepted", stop caring what others think of you, build your own set of values, be you, do what you like, and strongly stand behind your reality. That is a basic human right of everybody. And we will not hate you for it. No, we will love you for it. (Isn't it strange, how doing the opposite of what you did, will give you what you always wanted? ^^)
P.S.: If anywhere you found that my assumptions are wrong, *of course* you can tell me how wrong I am. But only if. ^^ (And moderation is no replacement.)
Parent
Re:How about just disabling Microsoft? (Score:5, Insightful)
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
Not really if you look at where the real competition is occurring.
The REAL product that Microsoft is trying to protect is the Windows platform. This is how Microsoft maintains their monopoly. IE is merely a means to try to control the web market to use Windows only across the board. The windows platform maintains much of its monopoly power by controlling the software to run on only Windows. Microsoft has long known that 3rd party developers were a big factor in building their monopoly, and keeping them on Windows maintains that monopoly.
This plugin lets you run parts of .Net on Firefox, correct? .Net is largely Windows only software, correct? So by having Firefox (an increasingly popular web browser on Windows) run .Net software, Microsoft is trying to maintain .Net on web browsers as a viable platform. By doing this they try to ensure that you'll need a Windows computer to run .Net software on a browser. The alternative is that Web developers increasingly reject .Net components because of the increasing popularity of FireFox (and .Net not running on FireFox, thus developers don't want to lose the market share and choose non .Net alternatives). That's bad for Microsoft, since it means more inter-operability with other OS's, which would decrease the relevance of Windows.
Pretty clever, really. Frankly I think the Firefox developers should stop this nonsense not only because of the security concerns, but mainly because it's an attempt to control Firefox by Microsoft. Does Mozilla really want to answer to whatever Microsoft decides to inject into Firefox this week?
I also think it's a anti-competitive move by Microsoft and an abuse of their monopoly power. I doubt anyone will do anything about it though.
Parent
Re:Ha ha (Score:4, Insightful)
Parent
Re:Ha ha (Score:5, Interesting)
Parent
Re:Ha ha (Score:5, Informative)
I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.
(Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)
Parent
Re:Plugin-checker (Score:5, Funny)
The TFA makes a reference [...]
You mean The TFA Article.
Parent
Re:Inconsistent logic (Score:5, Informative)
Parent
Re:Inconsistent logic (Score:5, Insightful)
Mike, I haven't seen anyone else say this, so allow me. As a grateful firefox user and evangelist, thanks for your efforts, contributions, and patience in putting up with all of us. Please pass this thanks on to your co-team members.
Parent
Re:Inconsistent logic (Score:5, Informative)
Parent
Re:Inconsistent logic (Score:4, Interesting)
Parent
Re:Cat and mouse (Score:5, Informative)
Parent
Re:This is very annoying for me (Score:5, Informative)
Parent