bonch writes "Mozilla previously blocked the Firefox addons Microsoft included with .NET, citing security concerns. After talking with Microsoft, they have now unblocked the .NET Framework Assistant addon and are working on a way for enterprise users to unblock the Windows Presentation Foundation addon as well."
FAQ for HTML Component Handling Vulnerability - CVE-2009-2529
If I use Firefox, which Internet Explorer update do I need to install? If a computer system is configured for Automatic Update, the correct update will be downloaded and made available for installation depending on the Automatic Update configuration. In the event that a computer system is not configured for Automatic Update, users should verify which version of the Windows operating system and Internet Explorer is on their system and download the appropriate update.
If I install this security update, do I need to disable the Windows Presentation Foundation Plug-in in Firefox to be protected from this vulnerability? No. Customers who have installed the security updates associated with this security bulletin are protected from this vulnerability.
If I have not yet applied this security update, how do I disable the Windows Presentation Foundation plug-in in Firefox? If you have not yet applied this update, you can disable the Windows Presentation Foundation plug-in in Firefox to block this vulnerability. To do this, launch the Firefox browser, select the Tools pull-down menu, and then click Add-ons. Select the Plugins icon at the top of the Add-ons window. In the list of Plugins, select Windows Presentation Foundation 3.5.30729.1 and click Disable.
If I uninstall the.NET Framework Assistant extension, does it disable or remove the Windows Presentation Foundation plug-in? If the.NET Framework Assistant extension is uninstalled it does not disable or remove the Windows Presentation Foundation plug-in. The.NET Framework Assistant and Windows Presentation Foundation plug-in are controlled through different screens in the Firefox Add-ons management window.
Somebody has to file a bug against FireFox that plugins/add-ons are even allowed to prevent user from disabling them.
There's a name for programs that prevent the OS from modifying their files, rootkits. Firefox is not a rootkit. Microsoft update installed the plugin by modifying the filesystem, it didn't use firefox API's.
If you don't trust microsoft update, frankly you shouldn't be using windows.
Somebody has to file a bug against FireFox that plugins/add-ons are even allowed to prevent user from disabling them.
This whole scandal brings up an interesting point. For "Plug-ins", Firefox has no obvious way to disable the feature. However, because MS's stuff was an "Add-on", people are angry there isn't a one-click UI. (The difference between the two is some technical nonsense which is of no interest to the end user.)
So the moral of the story is if you want to make it hard to uninstall, write a plug-in (like Apple/Adobe) and not an add-on.
Anyway, if anyone knows of an easy way to permanently disable Apple's crappy Qui
The was dome debate on Mozillazine and probably a bug or two submitted to create a proper UI for this stuff and have a way of blocking new plugins, but the devs seem to be ignoring it for now. The have made a schoolboy error here - trying to blacklist all "bad" plugins instead of just having a UI and allowing the user to whitelist plugins as they see fit.
According to the (very long!) discussion [mozilla.org] on the bug in question, Mozilla is working on such a UI.
Mozilla should block the plugin simply on the grounds that a user can't uninstall it from within the approved Mozilla add-ons panel. That should be the case for any plugin that doesn't play by the rules, no matter who it's from or what its use is.
If I can't delete it, it's malware. Oh, wait, I *can* delete it, if I google for some crazy instructions that involve registry editing? Isn't that how I delete malware?
'Ubuntu firefox modifications' plugin also can't be deleted from within firefox. I'm not arguing for or against your proposal, just that it would need to be consistently applied.
Perhaps not "as bad as the registry hell", but I would still prefer if Firefox blocked both of them until they were deletable like all other addons. I mean, have some backbone mozilla, if people don't do things properly, give them a nice big "FAIL" and send them on their merry way.
Given that the Ubuntu addon is installed system-wide and has root:root owner (as a result of being installed via APT), how, exactly, would you go about enabling the button when the user in question may or may not have root privileges?
Note that that one's bundled with the Launchpad package. I downloaded the binaries directly from Mozilla to get the Minefield trunk, and I see no Ubuntu addon listed in there.
In this case, MS added the plugin to the self-installed version of Firefox, not a version of Firefox they distributed (not that they'd likely be able to cut a branding agreement the way Ubuntu did, so MS would have to distribute it under a different name).
When you download Firefox on Windows, you're downloading it from Mozilla. When you download Firefox in Ubuntu via apt, by default, you're downloading it from Canonical, which struck a deal with Mozilla to package their plugins with it and redistribute it. If you don't want them, you can uninstall firefox and reinstall it from Mozilla's repo, or just uninstall the plugins directly from apt. With Windows, Microsoft installs their plugin into the user installed installation of Firefox without asking permission
This might surprise you, but a lot of people use the net for more than:-
Watching the latest lolcat video - check Browsing their mail for the latest penis enlargement offer - check Posting uninformed comments to Slashdot - check
Point taken ?
What specific, popular website (other than *.microsoft.com) is nonfunctional or seriously crippled without ClickOnce?
It's a PLUGIN, not an ADD-ON. There is no way to uninstall ANY Plugins in Firefox. You can disable Add-Ons, you can uninstall Add-Ons and you can disable Plugins. But you cannot uninstall Plugins from within Firefox. Firefox simply loads all files in a specific Internet Plugins folder (not a Firefox-only plugin folder) and if it detects a plugin, it uses it.
Plugins are add-ons in the Mozilla universe. The term "add-on" is used by Mozilla to mean extensions, themes, and plugins. Saying "plugin" instead is merely being more specific as to what type of add-on is being discussed.
It's a component of your OS. Whether it's crucial to you is an entirely different discussion - if you want your OS to be as bare as possible, Windows is not for you. MS has decided that it is needed on every system so they can make certain assumptions on system usage and updates. Would you like to be able to delete, say, your kernel executable? Is that malware too?
What, you're not like all the other/.ers who are using XP or Windows 2000?
Seriously though, this thing is being blown out of proportion./.ers are in a minority. Firefox is a main stream browser (through choice), and most people don't care for these political shenanigans, and just want it to behave properly (no global blocking of a standard part of the Windows experience).
"No. You can still use the Win32 API, MFC, ATL, WMI, vbscript, jscript etc."
They go pretty far out of their way to make your life difficult if you do though.
All the current developer tools are targeted towards.NET and newer technologies. That includes things like the shiny new interface elements they introduced with Vista, as well as stuff like the new (hardware accelerated) video decoding/rendering system or the re-designed taskbar in Windows 7. From Vista onwards anything that boils down to Win32 APIs fo
Now I'll admit that there are only a few posts above mine, but already they are generally negative. Which I don't get. Isn't this a good thing?
Microsoft releases a couple of Firefox plug-ins. A security vulnerability was discovered in the plug-ins. Mozilla disables the plug-ins. Microsoft and Mozilla has a talk about the the vulnerability and it appears that one of the plug-ins aren't vulnerable. The plug-in is re-enabled.
As far as I can tell, this is the system working properly.
The system isn't working perfectly. Mozilla is taking Microsoft's word that these plugins, which install in their software without notice, don't have any vulnerabilities and are working just fine.
Microsoft's plugins should be required to behave as every other responsible plugin. It shouldn't install with stealth, there should be a way to easily disable, and there should be a way to easily uninstall.
Mozilla is taking Microsoft's word that these plugins, which install in their software without notice, don't have any vulnerabilities and are working just fine.
Just like every other plugin on the market. Apparently the.Net plug-in isn't vulnerable, the WPF one is. I know we like to bash Microsoft here, but the plug-in safety process (in FF) seems to work fine. How do you know that there aren't unknown vulnerabilities in another plug-in somewhere?
Microsoft's plugins should be required to behave as every other responsible plugin. It shouldn't install with stealth, there should be a way to easily disable, and there should be a way to easily uninstall.
You disable it by going to Tools > Add-ons >.Net plugin -> click either 'Disable' or 'Uninstall' I works fine for me, I just uninstalled the plugin.
And Microsoft aren't the only ones who install by stealth. I don't remember installing Nokias 'PC Sync2 synchronisation' extension. It just installed itself with some other software.
And Microsoft aren't the only ones who install by stealth.
Bonnie and Clyde weren't the only ones to rob banks, either. So does that mak bank robbery OK? The former head of NASDAQ ran a Ponsi scheme for decades, does that make fraud ok? Personally, if I find a vendor doing any kind of stealth installation, I no longer use that vendor's wares. That's why I no longer buy anything with Sony's name on it, and why I'm running Linux at home. As well as why I won't deal with a host of other vendors.
If you're the default Free Tech Support Guy for a friends and family circle, and you've mandated Mozilla apps as a condition of said support, then you might get a bit tired of getting worried calls asking about their "internets popup point net problem".
Granted, that's pretty much what you signed up for, but it does worry Joe and Josephine User when their internets start acting up. Yes, Mozilla, I'm looking at you here [mozillazine.org].
Now I'll admit that there are only a few posts above mine, but already they are generally negative. Which I don't get.
Isn't this a good thing?
Microsoft releases a couple of Firefox plug-ins.
A security vulnerability was discovered in the plug-ins.
Mozilla disables the plug-ins.
Microsoft and Mozilla has a talk about the the vulnerability and it appears that one of the plug-ins aren't vulnerable.
The plug-in is re-enabled.
As far as I can tell, this is the system working properly.
I bolded two things I don't agree with. You skipped an important statement: Microsoft forcibly installed said plug-in, and prevented its removal.
Microsoft forcibly installed said plug-in, and prevented its removal.
The first statement is debatable, since the plugin is a part of the.NET Framework, and people can choose not to install the.NET Framework — although I realize newer versions of Windows have it preinstalled, so there's less of a choice there, which is why I say it's debatable.
However, the second statement is just wrong. It's not Microsoft who prevented removal of the plugin, it's Mozilla. Firefox does not provide a mechanism for removing any plugins.
Except Java and Acrobat ask me if I want to install Firefox plugins during install.
Except they do not.
In fact, Java, at least, also does a system-wide plugin install [mozillazine.org], meaning that it cannot be uninstalled from Firefox extension manager; not sure about Adobe Reader, but I think it does that too.
Why would Microsoft submit its extension to Mozilla and follow the standard operating procedures as far as the dot net thingie is concerned? The user base and use cases for Mozilla/Firefox has always been, you get extensions from one authorized source. That is mozilla.org. If Microsoft wants an enabler they should just submit it to mozilla.org. Installing it in stealth mode is not expected from mozilla user base.
Further, why is Mozilla.org is allowing a mode where any Tom Dick or Harry can drop in a bunch of files in the install directory and suddenly all the users get the extension on by default? Since it is in the instal dir, individual users cant even disable them or uninstall them. The existence of such a mode itself is a big security hole.
If IE has a hole and allows a drive by download of a file into Firefox install dir, boom, you get a vulnerability in Firefox. Already there are reports that installing an HP printer gives and unwanted, unasked for and unpermitted extension added to Firefox. Now every software you install is going to want to add a tool bar or an extension to Firefox.
I wish Firefox will just disallow such a way of installing extensions. The cardinal rule, as for as Firefox is concerned, is that the users rule. They control their browser, they decide which extensions are allowed, which scripts are allowed to run, which user agent string is sent out, whether or not to allow java, applet, or javascript or flash or silverlight or whatever. For corporate deployment, the Mozilla team might allow a script based instal on all machines in a corporate network using proper authentication procedures, like Corportate IT dept has local sysadmin privilege, so they come in and install an extension, and even disable its uninstall option, but that is all done outside the browser using the standard corporate deployment procedures. Allowing anyone to dump cruft in a particular folder and suddenly everybody gets the cruft is totally against the expectations of the standard mozilla firefox user.
How exactly do you propose to stop a process from doing so when it is running outside the scope of firefox? Whatever files Firefox updates to indicate an extension has been installed can also be modified by an outside process. Want to make the file digitally signed? Well, Firefox has to get the signing key from somewhere, but then the other app could just go and get it from the same place. Want to move stuff like this off the local system and have it stored in some network repository...well, no, almost nobo
Seriously -- I have FAR more of an issue with Firefox disabling a plugin *that I want there* and not providing a way to re-enable it (or at least any obvious way).
Microsoft may choose to say that Firefox integration is part of the.NET framework, and if I choose to have a problem with it, I can uninstall it. But where does the Mozilla organization get off disabling an extension I have, and may be using, without any ability to opt out?
The double standard on this would be funny if people weren't so serious about it.
Simply enter the address 'about:config' and then do a search for blocklist.
There, you'll see a setting called 'extensions.blocklist.enabled'. Set it to False if you don't want Mozilla to decide what plugins/add-ons you shouldn't use. Restart Firefox after making changes to take effect.
Sure it isn't obvious for majority of users, but then again on Windows it isn't obvious what registry entries to hack in order resolve issues either. Firefox does have its own (evil?) registry too.
Didn't Mike Shaver [slashdot.org] spend hours yesterday defending FF's stance in the original article? Now they've backtracked from blocking an already patched vulnerability, but he's still sleeping! We require your insight!
Because of course blocking a program the user chose to install is completely comparable to a program the user chose to install blocking a plugin they didn't choose to install or even knew had installed and was just as difficult to get rid of as most malware.
If Microsoft were to "block" Firefox from running due a security vulnerability it had, the sheer level of rage released from Slashdot would probably be enough to melt monitors on the other side of the world.
If you're going to draw parallels, at least learn to do it properly. If Mozilla would sneak in a plugin inside IE when you're doing something which you assume should not indulge in that behaviour, say e.g. updating Firefox, upon which Microsoft blocks this snuck piece of software, nobody in their right mind would say a thing. But yes, in your example, which is incorrect and irrelevant, people would -- and they would because they would be completely right in doing so, just like people are now with the.NET p
They're just sayin'... (Score:2)
Microsoft's updated advisory (Score:5, Informative)
MS09-054 [microsoft.com]
FAQ for HTML Component Handling Vulnerability - CVE-2009-2529
If I use Firefox, which Internet Explorer update do I need to
install?
If a computer system is configured for Automatic Update, the
correct update will be downloaded and made available for installation depending
on the Automatic Update configuration. In the event that a computer system is
not configured for Automatic Update, users should verify which version of the
Windows operating system and Internet Explorer is on their system and download
the appropriate update.
If I install this security update, do I need to disable the Windows
Presentation Foundation Plug-in in Firefox to be protected from this
vulnerability?
No. Customers who have installed the security updates
associated with this security bulletin are protected from this
vulnerability.
If I have not yet applied this security update, how do I disable the
Windows Presentation Foundation plug-in in Firefox?
If you have not yet
applied this update, you can disable the Windows Presentation Foundation plug-in
in Firefox to block this vulnerability. To do this, launch the Firefox browser,
select the Tools pull-down menu, and then click Add-ons. Select
the Plugins icon at the top of the Add-ons window. In the list of
Plugins, select Windows Presentation Foundation 3.5.30729.1 and click
Disable.
If I uninstall the .NET Framework Assistant extension, does it disable or .NET .NET Framework Assistant and
remove the Windows Presentation Foundation plug-in?
If the
Framework Assistant extension is uninstalled it does not disable or remove the
Windows Presentation Foundation plug-in. The
Windows Presentation Foundation plug-in are controlled through different screens
in the Firefox Add-ons management window.
The real FAQ (Frequently Asked Question... (Score:4, Informative)
Why did it take 7 long months for Microsoft to issue this patch? Fixes using Registry hacking were available on theweb immediately then...
Parent
Re:The real FAQ (Frequently Asked Question... (Score:4, Funny)
Why did it take 7 long months for Microsoft to issue this patch? Fixes using Registry hacking were available on theweb immediately then...
7 is the answer!
Parent
Re: (Score:3, Insightful)
Somebody has to file a bug against FireFox that plugins/add-ons are even allowed to prevent user from disabling them.
There's a name for programs that prevent the OS from modifying their files, rootkits. Firefox is not a rootkit. Microsoft update installed the plugin by modifying the filesystem, it didn't use firefox API's.
If you don't trust microsoft update, frankly you shouldn't be using windows.
Re: (Score:3, Interesting)
Somebody has to file a bug against FireFox that plugins/add-ons are even allowed to prevent user from disabling them.
This whole scandal brings up an interesting point. For "Plug-ins", Firefox has no obvious way to disable the feature. However, because MS's stuff was an "Add-on", people are angry there isn't a one-click UI. (The difference between the two is some technical nonsense which is of no interest to the end user.)
So the moral of the story is if you want to make it hard to uninstall, write a plug-in (like Apple/Adobe) and not an add-on.
Anyway, if anyone knows of an easy way to permanently disable Apple's crappy Qui
Re: (Score:3, Informative)
The was dome debate on Mozillazine and probably a bug or two submitted to create a proper UI for this stuff and have a way of blocking new plugins, but the devs seem to be ignoring it for now. The have made a schoolboy error here - trying to blacklist all "bad" plugins instead of just having a UI and allowing the user to whitelist plugins as they see fit.
According to the (very long!) discussion [mozilla.org] on the bug in question, Mozilla is working on such a UI.
Re: (Score:3, Interesting)
Microsoft installed it without asking, without me even knowing.
They modified a third-party software installation without my permission.
The third-party software maker was within perfect rights to put a stop to that bullshit. They even notified you about it. That's damned good service.
However, through that very same system I see something that could have the potential for severe exploit.
Re: (Score:3, Insightful)
If I use Firefox, which Internet Explorer update do I need to install?
Replace Firefox with Honda Civic and Internet Explorer with Ford Focus.
"If I use Honda Civic, which Ford Focus update do I need [to install]?"
Question is... (Score:2, Insightful)
Re: (Score:3, Informative)
Will they allow users to uninstall it normally at any point?
Uninstall has been enabled for several months now. There had been a /. story [slashdot.org] about that
Re:Question is... (Score:4, Insightful)
That was fixed ages ago. How did this get modded up?
Parent
In related news (Score:2, Funny)
Still can't uninstall? (Score:2, Insightful)
Mozilla should block the plugin simply on the grounds that a user can't uninstall it from within the approved Mozilla add-ons panel. That should be the case for any plugin that doesn't play by the rules, no matter who it's from or what its use is.
If I can't delete it, it's malware. Oh, wait, I *can* delete it, if I google for some crazy instructions that involve registry editing? Isn't that how I delete malware?
Re:Still can't uninstall? (Score:5, Insightful)
'Ubuntu firefox modifications' plugin also can't be deleted from within firefox.
I'm not arguing for or against your proposal, just that it would need to be consistently applied.
Parent
Re:Still can't uninstall? (Score:5, Informative)
It can, however, be removed via the package manager.
Can the .NET addon be removed at all, without hacking the registry?
No, using the package manager is not even remotely comparable to hacking the registry.
Parent
Re:Still can't uninstall? (Score:4, Informative)
Actually, the most recent version (not sure of the number) has the normal Uninstall button enabled, and overall it seems to be behaving pretty well.
Parent
Re: (Score:3, Interesting)
Perhaps not "as bad as the registry hell", but I would still prefer if Firefox blocked both of them until they were deletable like all other addons. I mean, have some backbone mozilla, if people don't do things properly, give them a nice big "FAIL" and send them on their merry way.
Given that the Ubuntu addon is installed system-wide and has root:root owner (as a result of being installed via APT), how, exactly, would you go about enabling the button when the user in question may or may not have root privileges?
Re: (Score:3, Informative)
Note that that one's bundled with the Launchpad package. I downloaded the binaries directly from Mozilla to get the Minefield trunk, and I see no Ubuntu addon listed in there.
In this case, MS added the plugin to the self-installed version of Firefox, not a version of Firefox they distributed (not that they'd likely be able to cut a branding agreement the way Ubuntu did, so MS would have to distribute it under a different name).
Not really (Score:3, Insightful)
That flies in the face of the difference in expectations.
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
Parent says it all.
Just because Mozilla caves, do not shut up. Make MicroSloth play by the rules.
Please: Post how to make Microsloth get out of my Firefox.
Mod parent up.
Re: (Score:3, Interesting)
This might surprise you, but a lot of people use the net for more than :-
Watching the latest lolcat video - check
Browsing their mail for the latest penis enlargement offer - check
Posting uninformed comments to Slashdot - check
Point taken ?
What specific, popular website (other than *.microsoft.com) is nonfunctional or seriously crippled without ClickOnce?
Re:Still can't uninstall? (Score:5, Informative)
Oh come on. As anyone who's following this story is aware, Mozilla has an "approved" method of installing plugins without using the add-ons panel [mozilla.org]. So pick your bone with them.
Parent
Re:Still can't uninstall? (Score:5, Informative)
Is this a failed attempt at trolling?
It's a PLUGIN, not an ADD-ON. There is no way to uninstall ANY Plugins in Firefox. You can disable Add-Ons, you can uninstall Add-Ons and you can disable Plugins. But you cannot uninstall Plugins from within Firefox. Firefox simply loads all files in a specific Internet Plugins folder (not a Firefox-only plugin folder) and if it detects a plugin, it uses it.
Delete the file and you're good to go.
Parent
Re: (Score:3, Informative)
Plugins are add-ons in the Mozilla universe. The term "add-on" is used by Mozilla to mean extensions, themes, and plugins. Saying "plugin" instead is merely being more specific as to what type of add-on is being discussed.
Re: (Score:3, Interesting)
> If I can't delete it, it's malware.
It's a component of your OS. Whether it's crucial to you is an entirely different discussion - if you want your OS to be as bare as possible, Windows is not for you. MS has decided that it is needed on every system so they can make certain assumptions on system usage and updates. Would you like to be able to delete, say, your kernel executable? Is that malware too?
Re:.NET comes preinstalled (Score:4, Insightful)
What, you're not like all the other /.ers who are using XP or Windows 2000?
Seriously though, this thing is being blown out of proportion. /.ers are in a minority. Firefox is a main stream browser (through choice), and most people don't care for these political shenanigans, and just want it to behave properly (no global blocking of a standard part of the Windows experience).
Parent
Re:.NET comes preinstalled (Score:4, Insightful)
slashdotters represent the crowd that companies like MS would like to deny when it is convenient to them.
They represent a group that enterprise and abusive corporations basically try to ignore/minimize to make them sound irrelevant.
Basically, the informed consumer. This is every abusive enterprise's nightmare.
Parent
You don't know what you're talking about (Score:3, Informative)
"MS forced everybody to adopt it by simply dropping support for all other development technologies."
No. You can still use the Win32 API, MFC, ATL, WMI, vbscript, jscript etc.
Re: (Score:3, Insightful)
"No. You can still use the Win32 API, MFC, ATL, WMI, vbscript, jscript etc."
They go pretty far out of their way to make your life difficult if you do though.
All the current developer tools are targeted towards .NET and newer technologies. That includes things like the shiny new interface elements they introduced with Vista, as well as stuff like the new (hardware accelerated) video decoding/rendering system or the re-designed taskbar in Windows 7. From Vista onwards anything that boils down to Win32 APIs fo
Re: (Score:3, Insightful)
The most annoying thing on the internet by far, is the shenanigans of "internet tough guys"
Isn't this a good thing? (Score:5, Insightful)
Now I'll admit that there are only a few posts above mine, but already they are generally negative. Which I don't get.
Isn't this a good thing?
Microsoft releases a couple of Firefox plug-ins.
A security vulnerability was discovered in the plug-ins.
Mozilla disables the plug-ins.
Microsoft and Mozilla has a talk about the the vulnerability and it appears that one of the plug-ins aren't vulnerable.
The plug-in is re-enabled.
As far as I can tell, this is the system working properly.
Re:Isn't this a good thing? (Score:4, Insightful)
Parent
Re:Isn't this a good thing? (Score:4, Interesting)
Mozilla is taking Microsoft's word that these plugins, which install in their software without notice, don't have any vulnerabilities and are working just fine.
Just like every other plugin on the market. Apparently the .Net plug-in isn't vulnerable, the WPF one is.
I know we like to bash Microsoft here, but the plug-in safety process (in FF) seems to work fine.
How do you know that there aren't unknown vulnerabilities in another plug-in somewhere?
Microsoft's plugins should be required to behave as every other responsible plugin. It shouldn't install with stealth, there should be a way to easily disable, and there should be a way to easily uninstall.
You disable it by going to Tools > Add-ons > .Net plugin -> click either 'Disable' or 'Uninstall'
I works fine for me, I just uninstalled the plugin.
And Microsoft aren't the only ones who install by stealth. I don't remember installing Nokias 'PC Sync2 synchronisation' extension. It just installed itself with some other software.
Parent
Re: (Score:3, Interesting)
And Microsoft aren't the only ones who install by stealth.
Bonnie and Clyde weren't the only ones to rob banks, either. So does that mak bank robbery OK? The former head of NASDAQ ran a Ponsi scheme for decades, does that make fraud ok? Personally, if I find a vendor doing any kind of stealth installation, I no longer use that vendor's wares. That's why I no longer buy anything with Sony's name on it, and why I'm running Linux at home. As well as why I won't deal with a host of other vendors.
Too bad there ar
Depends on who you are (Score:2)
If you're the default Free Tech Support Guy for a friends and family circle, and you've mandated Mozilla apps as a condition of said support, then you might get a bit tired of getting worried calls asking about their "internets popup point net problem".
Granted, that's pretty much what you signed up for, but it does worry Joe and Josephine User when their internets start acting up. Yes, Mozilla, I'm looking at you here [mozillazine.org].
Re: (Score:3, Insightful)
Now I'll admit that there are only a few posts above mine, but already they are generally negative. Which I don't get. Isn't this a good thing?
Microsoft releases a couple of Firefox plug-ins.
A security vulnerability was discovered in the plug-ins.
Mozilla disables the plug-ins.
Microsoft and Mozilla has a talk about the the vulnerability and it appears that one of the plug-ins aren't vulnerable.
The plug-in is re-enabled.
As far as I can tell, this is the system working properly.
I bolded two things I don't agree with. You skipped an important statement: Microsoft forcibly installed said plug-in, and prevented its removal.
Re:Isn't this a good thing? (Score:5, Informative)
Microsoft forcibly installed said plug-in, and prevented its removal.
The first statement is debatable, since the plugin is a part of the .NET Framework, and people can choose not to install the .NET Framework — although I realize newer versions of Windows have it preinstalled, so there's less of a choice there, which is why I say it's debatable.
However, the second statement is just wrong. It's not Microsoft who prevented removal of the plugin, it's Mozilla. Firefox does not provide a mechanism for removing any plugins.
Parent
Re: (Score:3, Informative)
Except Java and Acrobat ask me if I want to install Firefox plugins during install.
Except they do not.
In fact, Java, at least, also does a system-wide plugin install [mozillazine.org], meaning that it cannot be uninstalled from Firefox extension manager; not sure about Adobe Reader, but I think it does that too.
MS hand wave (Score:5, Funny)
Microsoft: *waving hand* We do not need any identification.
Mozilla: You do not need any identification.
Why is not Microsoft playing by the same rules? (Score:5, Insightful)
Further, why is Mozilla.org is allowing a mode where any Tom Dick or Harry can drop in a bunch of files in the install directory and suddenly all the users get the extension on by default? Since it is in the instal dir, individual users cant even disable them or uninstall them. The existence of such a mode itself is a big security hole. If IE has a hole and allows a drive by download of a file into Firefox install dir, boom, you get a vulnerability in Firefox. Already there are reports that installing an HP printer gives and unwanted, unasked for and unpermitted extension added to Firefox. Now every software you install is going to want to add a tool bar or an extension to Firefox.
I wish Firefox will just disallow such a way of installing extensions. The cardinal rule, as for as Firefox is concerned, is that the users rule. They control their browser, they decide which extensions are allowed, which scripts are allowed to run, which user agent string is sent out, whether or not to allow java, applet, or javascript or flash or silverlight or whatever. For corporate deployment, the Mozilla team might allow a script based instal on all machines in a corporate network using proper authentication procedures, like Corportate IT dept has local sysadmin privilege, so they come in and install an extension, and even disable its uninstall option, but that is all done outside the browser using the standard corporate deployment procedures. Allowing anyone to dump cruft in a particular folder and suddenly everybody gets the cruft is totally against the expectations of the standard mozilla firefox user.
Re: (Score:3, Insightful)
How exactly do you propose to stop a process from doing so when it is running outside the scope of firefox? Whatever files Firefox updates to indicate an extension has been installed can also be modified by an outside process. Want to make the file digitally signed? Well, Firefox has to get the signing key from somewhere, but then the other app could just go and get it from the same place. Want to move stuff like this off the local system and have it stored in some network repository...well, no, almost nobo
Why is everyone targeting MS on here? (Score:5, Insightful)
Seriously -- I have FAR more of an issue with Firefox disabling a plugin *that I want there* and not providing a way to re-enable it (or at least any obvious way).
Microsoft may choose to say that Firefox integration is part of the .NET framework, and if I choose to have a problem with it, I can uninstall it. But where does the Mozilla organization get off disabling an extension I have, and may be using, without any ability to opt out?
The double standard on this would be funny if people weren't so serious about it.
Re:Why is everyone targeting MS on here? (Score:4, Informative)
Simply enter the address 'about:config' and then do a search for blocklist.
There, you'll see a setting called 'extensions.blocklist.enabled'. Set it to False if you don't want Mozilla to decide what plugins/add-ons you shouldn't use. Restart Firefox after making changes to take effect.
Sure it isn't obvious for majority of users, but then again on Windows it isn't obvious what registry entries to hack in order resolve issues either. Firefox does have its own (evil?) registry too.
Parent
Mike Shaver (Score:3, Insightful)
Re:Imagine if the situation were reversed (Score:5, Insightful)
Because of course blocking a program the user chose to install is completely comparable to a program the user chose to install blocking a plugin they didn't choose to install or even knew had installed and was just as difficult to get rid of as most malware.
Parent
Re: (Score:3, Insightful)
If Microsoft were to "block" Firefox from running due a security vulnerability it had, the sheer level of rage released from Slashdot would probably be enough to melt monitors on the other side of the world.
If you're going to draw parallels, at least learn to do it properly. If Mozilla would sneak in a plugin inside IE when you're doing something which you assume should not indulge in that behaviour, say e.g. updating Firefox, upon which Microsoft blocks this snuck piece of software, nobody in their right mind would say a thing. But yes, in your example, which is incorrect and irrelevant, people would -- and they would because they would be completely right in doing so, just like people are now with the .NET p
Re:Why not click "Enable"? (Score:4, Funny)
Would you be referring to the "Enable" button that is greyed out? Click on it as much as you like, but it's not doing anything.
Parent
Re:Shit! (Score:5, Informative)
Parent