Firefox Disables Microsoft .NET Addon
448
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
Great (Score:3, Interesting)
All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?
Re:Great (Score:5, Funny)
Microsoft has put billions of dollars into developing the most effective and efficient security vulnerabilities to date. I can only watch in awe and wonder.
It is nothing compared to VPC (Score:3, Interesting)
That issue is nothing (they asked for it in fact).
The issue which should make to books about the tech irony is Virtual PC for Mac 7.x (if anyone uses, UPDATE!). MS found a theorotical (not sure) issue which Virtual PC's emulated X86/Hypervisor can MODIFY the OS X memory from "there".
While they were decent to fix it very quickly and shipped an update (7.0.3) confusing Mac users, that is one big amazing issue for you. Imagine by running (emulating in fact) a Windows, you risk your OS X memory locations with o
It's part of the Microsoft business model, IMO. (Score:5, Interesting)
Vulnerability is a business model for Microsoft, in my opinion and that of many people.
But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers [channelregister.co.uk]. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.
But, as they say in late-night informercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.
Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.
So, maybe just being evil is another part of Microsoft's business model.
The real reason why they want to hack user agent (Score:4, Insightful)
While some slashdotters think otherwise, Java/Windows install base is huge thanks to couple of very popular apps and tiny games. Since companies these days looks for multi platform, multi arch; MS needed to show that their herd has been installed/infected by .NET too.
So, they haxor the user agent to show that clueless CTO that their 90% of users have .NET so they should use it instead of massively multi platform Java.
Anyway, as you see, karma is a real bitch and if Sun had a real management, they could milk this issue but... Lucky for MS, Sun is under auto pilot, even under Larry Ellison's Oracle.
Re:Great (Score:5, Informative)
Re:Great (Score:5, Informative)
Re: (Score:3, Insightful)
First off, if you install Java even if you wanted to install it just for IE, or just to run a local program that runs java, it installs the Java Plugin for FireFox as well as ask you for the toolbar of the day. The same goes for Adobe Acrobat Reader if you just wanted to view a PDF, and is actually worse since the earlier installers would install Adobe AIR Without permission. Flash doesn't install to both by default, but the problem with Flash for FireFox is that it does not automatically update. (don't kn
Re:Great (Score:5, Informative)
Not exactly. It also allows you to run .Net and WPF apps inline in the browser, hosting a CLR instance. Not to mention mapping the ClickOnce file type.
Re: (Score:3, Insightful)
because it lets you bring in the same .net vulnerabilities that IE has? Nobody asked for these to be brought into firefox. The issue is that they were installed without any confirmation. It was "installed for you".
duh. Go home you fucking shill.
Re:Great (Score:5, Informative)
All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?
For anyone curious as to the real state of affairs behind this MS plugin issue, you might be interested in a few things. For everyone else just enjoying a good anti-Microsoft circle-jerk, ignore this post.
The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications [wikipedia.org] to run in Firefox and ClickOnce [wikipedia.org] program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?
This is the bug [mozilla.org] in question. There is a lot of interesting comment there, including the fact that while everyone is crying about Microsoft "secretly" adding the plugin and preventing users from disabling it, Mozilla doesn't even give users an option to enable it! Their blocklist is all or nothing. Why doesn't that bother anyone here? One poster [mozilla.org] is very insightful:
But perhaps the best thing about this entire issue, is that Mozilla didn't block the plugins until AFTER they were patched and the mechanism of the block is retarded. Mozilla is claiming [mozilla.com] that Microsoft agreed to issuing the block of the affected plugins, and that might be true, but only to an extent. Mozilla is currently blocking the plugins based on the name of the plugin, not the version, which means users who have installed the patched version of the plugs (at this point almost everyone using Windows Update) are still unable to use the plugins and have no way to re-enable them.
So essentially, by issuing this patch, Mozilla is doing nothing but hurting its business customers. Slashdotters can scratch their heads trying to figure out who uses these technologies, but the answer is a lot of businesses do. This absolute, non-scriptable and non-changeable block of these plugins will just remind corporations that open source isn't ready for the big leagues and they should just stick with Microsoft and IE. The sad thing is that if this kind of knee-jerk, carte-blanche blocking behavior becomes the norm for Mozilla, they will probably be right! Taking this kind of control away from the users is simply unacceptable, doubly so for businesses.
If you're wondering what MS says about this, you might take a look at this [technet.com]:
So there it is -- pretty much everyone
Re:Great (Score:5, Insightful)
I consider any plugin installed without my consent to be malicious, especially if it's a plugin FOR SOMEONE ELSE'S SOFTWARE.
Re:Great (Score:5, Insightful)
Especially when it disables the friggen "uninstall" button!
Re:Great (Score:5, Informative)
There is no version difference for the plugin or add-on between patched and unpatched systems. That's one reason that this is so messy right now; if we had known about the Firefox aspect of the vulnerability before the SRD blog post, we would have suggested just that sort of version bump.
Re:Great (Score:4, Insightful)
No, actually, it is not. Not at all a good thing, quite the opposite. If you are using firefox to run "content" via a closed, windows-only system like .net, you might as well be using IE. In fact that would be better - at least no one would be fooled into thinking they were writing something that would work on firefox when in fact it would only work on Windows/Firefox.
Because MS forced the plugin out without user consent and without even a disable option to begin with. Either of which is sufficient in and of itself to classify this bug as malware and remove it whenever encountered without further fuss.
Oh, indeed it is. MS nonetheless has been doing it regularly for decades, and usually get away with it.
Good to see Mozilla give them what they deserve, even if I do suspect astroturfers like you will wind up sadly blunting the impact as usual.
Oops (Score:4, Informative)
I just checked my addons and whilst I don't have the Microsoft addon, I do have an AVG one which is disabled. Clicking on the more information link (https://en-gb.www.mozilla.com/en-GB/blocklist/) presents me with a page that says:
Whilst it is nice to see they've done it, it's a shame that they didn't test the end to end user flow.
Re: (Score:3, Insightful)
It's open source; you did the testing for them just then!
Now if only reporting these types of issues could be done from within Firefox without having to jump through hoops.
Plugin-checker (Score:3, Interesting)
You have JavaScript disabled or are using a browser without JavaScript. This Plugin Check page does not work without the awesome power of JavaScript. Please enable this Content Preference and reload the page. Or disable all your plugins and keep JavaScript disabled... you'd be in good company, that's how RMS rolls [lwn.net].
Re:Plugin-checker (Score:5, Funny)
The TFA makes a reference [...]
You mean The TFA Article.
Bad for Firefox in the long run? (Score:5, Interesting)
Re:Bad for Firefox in the long run? (Score:5, Informative)
Oh, I think not. The "functionality" added is Windows specific. Websites _should not_ be OS specific. And Microsoft had _no business_ shoving their plug-in silently into Firefox. And most of all. .NET is now a security nightmare: Brian LaMacchia, one of the authors of ".NET Framework Security", resigned from .NET development rather than continue with it. (LaMacchia's career is fascinating: if you'd like to follow a trail of an expert engineer getting involved in projects that are doomed for mishandling security, perhaps in spite of his best efforts, check out his career.)
Re:Bad for Firefox in the long run? (Score:5, Interesting)
Do you have a link for that? I'd be very interested to show more flaws in the design of .NET.
I know Chris Brumme's excellent weblog [msdn.com] about the CLR has quite a few interesting things to say, and even more if you read between the lines in places, you know he wants to say "we screwed this up big time" and he does say that occasionally. With hindsight, they did make some technical mistakes - throwing objects instead of just exceptions, allowing .Net apps to run in IIS [msdn.com] at all, thinking GC would remove the need for reference counting [msdn.com], and several marketing mistakes - telling everyone exceptions were very inexpensive (I recall one particularly misinformed MS drone telling me exceptions were free because it was all handled by the CLR... d'oh)(read the blog)
If ever there was an example of keeping it simple, .NET is it - as an example of what not to do. Hats off to Chris who I think is very intelligent and talented, but the scope and spec of what they asked of him was too awkward to make a perfect job of.
Re: (Score:3, Interesting)
The modern CLR seems fairly sensible to me; definitely several steps ahead of the JVM (e.g., compare how parametric polymorphism is handled).
The article you link to on GC is an in-depth discussion on the cost of implementing finalisation in the GC. These problems are well known and, more to the point, are only some of the reasons why implicit (nondeterministic) finalisation is a Bad Thing. Reference counting memory allocators are much slower than mark-and-sweep memory management for most programs, mainly
Re: (Score:3, Interesting)
If ever there was an example of keeping it simple, .NET is it - as an example of what not to do.
I don't think the design goal of .NET was ever to "keep it single". It could be a lot simple if its design goals were like JVM - a VM specifically designed to run a single language that is very restrictive in terms of what one can do with it. .NET, however, was originally designed as VM for which you could write a full-featured ISO C++ compiler producing strictly bytecode (not necessarily verifiable - can't really do it with C++ - but 100% "managed"). Because of that, it's far more feature-rich than JVM fro
Re: (Score:3, Insightful)
So your argument against the fact that a plugin replicating IE-specific tech for firefox doesn't matter in intranet environments is... ... that it's windows specific?
Are you kidding?
Re: (Score:3, Interesting)
Re: (Score:3)
Yup. Basically. I'm going to be super pissed if I have to walk around to 100+ machines tomorrow morning and uninstall Firefox. Seriously. That'll be the end of that.
Re:Bad for Firefox in the long run? (Score:5, Informative)
You better check again, as the plugin tries to re-install itself silently when a .NET service is called from a website in Firefox, and also via the recent batch of patches from Microsoft. The only way to be sure is to double-check and not only nuke the appropriate registry entry, but the entire sub-folder of your .NET installation the plugin is installed to, as well as resetting the ID string in About:Config. Then you should proceed to disable that update from being downloaded or displayed via Automatic Updates.
The really disturbing thing I found, is that after sneakily re-installing itself via the latest patch from MS, the plugin is not displayed at all in the Addons/Extensions portion of the Firefox configuration screen. The only reason I even found it reinstalled, was that warning from Firefox when the nasa.gov site attempted to load the plugin while viewing their photo galleries.
Yes, it was my fault to have updates set on Automatic/Automatic, which has since been remedied on this system. I was irresponsibly lazy on the matter.
Re: (Score:3, Informative)
MS kinda overstepped its bounds on this one. (Score:4, Insightful)
Microsoft has deservedly taken a LOT of sh*t for forcing this addon into Firefox unannounced - AND preventing you from disabling or uninstalling it - unless you yank it out of the registry. It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"
Re:MS kinda overstepped its bounds on this one. (Score:4, Insightful)
It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"
You seem quite lost. They're not blocking it for that reason, but because it had a security vulnerability.
Re: (Score:3, Insightful)
Furthermore, Microsoft agreed with the plan of disabling it. (RTFA)
So it's more like
It's nice to see the Mozilla folks say
Mozilla> "NOPE, you...'re NOT doing this to our browser, now get lost!".
Mozilla> that is, if it is OK with you, Microsoft, we would like to temporarily disable the addon until you come up with a fix
Microsoft> we see we get some bad press, so yeah, its OK
Mozilla> Ooh thank you for talking with me
FOSS people> Yeah, Mozilla, take them! M$ is buggy and insecure!
Re: (Score:3, Informative)
A vulnerability which has already been patched. I use this functionality on over 100+ machines at the office. I've already deployed the patch. As far as I can tell, there's no easy way for me to disable the block list. I'm going to get into work tomorrow and switch 100+ boxes back to IE, if they don't reverse it. And I won't be switching them back to FF.
Re:MS kinda overstepped its bounds on this one. (Score:4, Insightful)
The .NET installer/updater that forces this addon into Firefox is running as administrator or even system rights. How should a non-running app protect itself against a code injection in their home directory done by a process with system privileges? Without creating another mess of cryptographic signing, super-super user and files undeletable when Joe Sixpack decides to uninstall?
I'm sure the Firefox team is working on hardening their application against scummy plugins that disallow being uninstalled, but I fear it's not exactly trivial protecting against administrator privileged malware without breaking a whole lot of other stuff.
Re: (Score:3, Insightful)
This makes sense for example in a company, where you deploy Firefox to desktops - you'll want for addons to be installed on a system, and not a per-user base.
It doesn't make sense that Steve Balmer administrates your company's systems.
Read the TFA, MS suggested this! (Score:5, Informative)
From the TFA, it is clear that Microsoft approves of this particular move. I quote
It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.
I mean, this damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everbody wants to read the MS KnowledgeBase article [microsoft.com] and implement it themselves. At least, not my mom.
Re:Read the TFA, MS suggested this! (Score:5, Insightful)
and Microsoft is recommending that all users disable the add-on.
Well gosh, that "unable-to-be-disabled" feature seems really quite stupid now, doesn't it?
Re: (Score:3, Insightful)
Why are you surprised? Microsoft isn't like some kind of cartoon supervillain... if they have a bug in the add-on, and no fix ready yet, then of course they want people to disable it.
Why was the MS plugin again legal? (Score:5, Interesting)
Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).
Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.
I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..
Anyone else an explanation why that plugin avoided legal consequences?
Re:Why was the MS plugin again legal? (Score:5, Insightful)
Re:Why was the MS plugin again legal? (Score:4, Interesting)
I'm sure whatever it was you installed from Sony that snuck the rootkit in had similar wording in its smallprint too.
I guess its ok if MS does it, but not Sony?
Re: (Score:3, Insightful)
So, yes, it's OK when Microsoft installs functionality into Firefox that Firefox should, by all rights, already include compared to Sony installing software designed explicitly to disable existing features on your computer.
No.
Microsoft, if I allow them, can update the code they wrote on my system. But what you are talking about is no different from somebody over in Redmond deciding that your private documents were written poorly and needed to be re-done according to their preferences and took the liberty o
Re:Why was the MS plugin again legal? (Score:4, Insightful)
Try again anonymous Microsoft fanboi.
As far as I can see there is nothing special special in Firefox for Java to function unless you are referring to the standard plugin architecture that Firefox/Mozilla provides for all plugins.
Java is installed at the choice of the user where the .NET plugin is installed by a Windows update without informing the user. Once installed the Java plugin can easily be removed by the user via the Firefox configuration GUI but the .NET plugin can not be installed without doing some complicated registry and configuration hacks.
To me this looks like an attempt to drag Firefox down to the level of IE by silently adding .NET holes into Firefox and then they can say, "It's not us because Firefox has the same problems we do".
Re:Why was the MS plugin again legal? (Score:4, Informative)
Java is installed at the choice of the user where the .NET plugin is installed by a Windows update without informing the user.
Whoa, whoa, whoa... There's an imbalance in your equation here. You're comparing Java itself to the .NET Framework plugin.
Yes, Java itself requires that the user explicitly install it, but the Java Quick Starter extension for Firefox is also silently injected. Now, with the exception of Windows Vista and Windows 7, the .NET Framework must also be explicitly installed by the user.
Also, the Java Quick Starter extension can not be removed through Firefox's UI; it can only be disabled. This may actually be the better option, though, because even if you remove it through the Java Control Panel applet, it's reinstalled with the next Java update (which is pretty heinous, in my opinion). Disabling it may leave it disabled across updates, but I haven't tested that.
To me this looks like an attempt to drag Firefox down to the level of IE by silently adding .NET holes into Firefox and then they can say, "It's not us because Firefox has the same problems we do".
Not to defend Microsoft, but that is unbelievably paranoid. In fact, I'd say it qualifies as an outright conspiracy theory.
Re: (Score:3, Interesting)
Now, with the exception of Windows Vista and Windows 7, the .NET Framework must also be explicitly installed by the user.
Here's an interesting question. If you start with a clean Vista or Win7 install (which already has .NET), and then put Firefox on it, then it won't get the .NET extension in it, right? because .NET installer doesn't get a chance to run and put it there...
My surreal experience (Score:4, Funny)
Nuke it with regedit... (Score:5, Informative)
For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions
Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'
Rule 1: Don't talk about the registry (Score:5, Funny)
Re:Nuke it with regedit... (Score:4, Insightful)
Only nukes the addon, the plugin is hiding in C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (and C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll if you have the .NET 4.0 beta).
Remove HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5
And HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF, version=4.0 if you have the 4.0 beta
Re:Nuke it with regedit... (Score:5, Funny)
Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'
Be careful. If you accidentally delete key {20a82645-c095-46ed-80e3-08855760534b}, your machine explodes.
Imagine this from the other side (Score:5, Insightful)
Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."
Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.
That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...
Re: (Score:3, Insightful)
Bigger shitstorm than the one which happened when MS installed browser extensions without consent from end user?
Company abused its position and put malware on users' machines. Good thing that Mozilla has some options to handle such behavior.
Re: (Score:3, Insightful)
Two wrongs doesn't make a right.
Microsoft installing the plugin without the user's explicit concent, and no (easy) way to uninstall was, indeed, wrong.
But Mozilla unilaterally disabling it on the users' machines without an option not to is wrong too.
What about those who have:
What they see is that Mozilla goes in and deletes functionality on their machines. From a logical point of view, it's no better than, say, Amazon going i
Re:Imagine this from the other side (Score:5, Interesting)
Forget about the names involved and examine the situation more closely. A company took it upon itself to introduce an unknown security risk into a competitor's product by way of a stealth install. Said company further complicated the matter by making it next to impossible for average users to uninstall - provided they even became aware of the issue - and compounded it even further by having subsequent updates reinstall the software by stealth again.
I think that given this situation Mozilla did the right thing. Until Microsoft learns to work above board where Firefox plugins are concerned, Mozilla can and should disable them. It would be nice in the future if Mozilla offered users the option - and I think they will - to retain use of a plugin after being told it poses a security risk, but the only action I see in need of correction at the moment is for Microsoft to ask users explicitly for permission to install an add-on to non-Microsoft software on a system.
Re:Imagine this from the other side (Score:4, Informative)
Re:Imagine this from the other side (Score:4, Insightful)
Re:Imagine this from the other side (Score:4, Insightful)
If Mozilla had been installing Firefox without the users' consent and prevented the same users from uninstalling it, then yes, Microsoft would have been justified to hit the kill switch. The same way, if it was just a regular Firefox Addon that MS distributed (that the user explicitly installs and can uninstall at any time), I doubt Mozilla would have made a fuss about it.
Re: (Score:3, Informative)
Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."
Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.
That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...
Well, since you asked I'll describe the order of priorities of what we are against:
.NET framework.
1. Installing software without our consent, that includes sneaking in software in methods that classify as "gray zones". The ask.com bar is a good example of this, and also the
2. Kill-switches
So you see, as described above, the installation of such applications is far more dangerous than the kill-switch. Also since this kill-switch can be turned off. If you don't think MS did anything wrong, th
This is very annoying for me (Score:3, Insightful)
I like to play games through http://2dfighter.com/default.aspx [2dfighter.com] and this extension let me do so through firefox, now I can't reactivate it at all, and I can't install a new version because it's been removed from the website. Thanks Mozilla, now I have to go back to IE to use 2df.
Re: (Score:3, Insightful)
Lessee. . . By default a secure browser for a few hundred thousand users who didn't want an invasive add-on in the first place or. . , your ability to play video games.
You know, there are some other fun websites out there which will also try to trick you into installing malware. You might enjoy visiting those as well. --Hey, they even have boobies!
-FL
Re: (Score:3, Interesting)
Hey I agree with it not being installed by default, but I can't install it at all.
Re:This is very annoying for me (Score:5, Informative)
Is There a Conspiracy? (Score:4, Interesting)
This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.
After all the vulnerability has been known to Microsoft for severeal motbhs, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.
(1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.
Outrage (Score:3, Insightful)
Wheres the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automaticall?
While they're at it... (Score:5, Informative)
It's proprietary and full of ads! Just what I wanted, an extension that checks for updates of my Adobe Reader software. Uninstalled. The Firefox team should send a message. Firefox add-ons are not yours to take over like the Windows startup.
Re: (Score:3, Informative)
Does anybody actually use these forced plugins? (Score:4, Insightful)
Is there any software which actually uses these .NET Helper and Windows Presentation Foundation plugins? Do these expose an API to let javascript code interact with the .NET framework or something? Do they let people write Firefox extensions in a .NET language? Do they let specially crafted Microsoft websites run .NET code in Firefox?
If users have nothing to gain from these plugins, then there is no reason they should exist.
What the hell, people?.. (Score:4, Interesting)
I think this was a real fumble for MS, and Mozilla took steps to prevent critical problems--don't know about the best steps, but at least they were quick to action. Imagine if this had not been done, and exploits for the problem started popping up like wildfire, or widespread browser/OS crashes became common; how many users would firefox lose, due to a problem entirely of someone else's making? Let's not get confused over who's the bad guy. MS has the most to gain from any perceived flaws in a competing product, and their track record isn't exactly one that shows overwhelming care and concern for the end user. Even if not malicious, and chances are it's not, it still is another mark of incompetence on the overall company that they're releasing flawed software and forgetting courtesies like asking the user if they actually want the changes, not to mention not allowing them to revert it without 'popping the hood'.
Wait, its okay for Firefox to have a kill switch? (Score:3, Insightful)
Given all the past fuss about Amazon, Apple, and Microsoft to have the ability to remotely disable features, software or addons it's suddenly not an issue that Firefox has the capability of pushing changes? While I think the Firefox devs gave some serious thought before throwing this switch, I don't think this is a no-brainer. What about environments where they need the .net add-on? Are they forced to go back to using IE? Do you see Microsoft disabling the old versions of Firefox or Adobe Flash?
If you want to read a mix of retarded, informative, and stupid comments have a look at the bug report https://bugzilla.mozilla.org/show_bug.cgi?id=522777 [mozilla.org]. For example - "Firefox shouldn't have to rely on IE patches for security" - this is not related to IE. It also seems to be political as they have no interest in determining if they have the .net update that negates the vulnerability (the vulnerability is not in the firefox add-on, its in .net which becomes accessible from within Firefox if the addon is enabled).
Re: (Score:3, Informative)
We have interest in determining if the Firefox user in question has applied the IE patch in question, but we do not have the means.
It is related to IE, because the patch in question is explicitly labelled as affecting Internet Explorer, and makes no mention of the fact that it can impact Firefox users who have not gone out of their way to disable part of .NET Framework 3.5 SP1. (That's one of the things we're working on getting fixed, as it happens.)
The Real Question is... (Score:3, Interesting)
Re:How about just disabling Microsoft? (Score:5, Funny)
FYI, it doesn't help at all !!!
I have Microsoft disabled (I run Gentoo Linux), and my Firefox failed miserably to disable the .Net plug-in. I spent a day clicking on the menus and recompiling updates, and I still don't get the pop-up :(
On the bright side, my system now runs 1.27% faster compared to yesterday. It feels like 10% faster, really.
Re:How about just disabling Microsoft? (Score:4, Funny)
"On the bright side, my system now runs 1.27% faster compared to yesterday."
Which means that time you spent recompiling everything should pay for itself after about 90 more days of straight Firefox usage.
Re: (Score:3, Funny)
> Now if I could only learn how to get that damn make-kpkg to work right in .dep file... What is a .dep file
> Debian so the modules get included in the
> anyhow?
".dep"? Never heard of it. Nothing to do with Debian, certainly.
Re: (Score:3, Funny)
Two words (Score:4, Interesting)
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
Chrome Frame.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Except that Chrome Frame is doing this via modern standards (HTML5). So it can be used for more than just a single website, and if you don't like Chrome Frame, there's always another browser.
Google is NOT competing for browser share (Score:5, Insightful)
People, please let this idea die VERY quickly. Chrome is NOT there to get an install base for Chrome. It is there to get an install base for modern browsers with fast javascript/DOM.
Googles operates in the browser and in order to be able to get the next generation products out there, it needs to ensure that those products can be run. IE/MS ain't capable of this, so they both push MS by making them scared to completly loose the browser AND by capabilities to IE to make it play catch up with the real browsers.
In a way, what Google is doing is installing electricity cabling into every house. NOT because it wants to be in the utility business but because it has all these design for electric machines and they ain't going to be selling them to people who use candles and woodstoves.
MS on the other hand does NOT want people to have modern browsers, or rather not browsers that act like browsers. Its business relies on activex and .net and the like to keep apps closely tied to their windows OS.
MS fears projects like gmail and worse wave. It knows that its software is increasingly a major cost of computers (check it, hardware prices go down, MS prices go up) and while so far its software offers a lot more features, the sign of netbooks is that, a lot of them ain't needed. I got a netbook (with linux) that is not nearly as capable as a full PC. I can't game on it, its office tools are simplistic but guess what, it is all I really need.
MS has been selling XP, a lot, for netbooks but it has been doing it at a fraction of the price it would like to charge and really, it only sold XP so cheaply because else Linux would have been installed. You would be right in assuming a LOT of people would replace Linux with an OLD XP copy (license of an old PC you threw away is still valid) but MS doesn't even want the idea that there maybe yet another OS out there. An OS that while not perfect is good enough. People are already getting dangerously exposed to this idea by their cellphones. Quick poll, who has Windows Mobile and is willing to admit it? Everyone knows that an iPhone gets you the girls, this even goes for girls.
MS ideally wants to sell you their OS for 300+ dollars, that doesn't fit well for a 300- netbook or indeed a mobile phone, but that is MS business model, and ideally, you should spend another 300 for the office suit. (please, MS fanboys, do NOT link to student discounts or OEM versions. Full price for the box in the MS store.)
Google is doing something completly different. It is saying. Nah, you don't need a 300 dollar OS with a 300 dollar productivity suite. Just a browser (free) on free/cheap OS and you got all you really need. For free. Sure, there are some angles (your data is on the google servers) but for a lot of people, it is good enough.
AND that, is what scares MS. Because... even if people would still use windows, the window sthey would be using is their old XP. This is already the case in a many companies. And without the cashcows of Windows/Office, how can MS afford all its other attempts to control markets?
The browser wars are back, but they are being fought for a different reason. Chrome is NOT netscape 2.0
Re:How about just disabling Microsoft? (Score:4, Insightful)
So your argument against people switching away from MS, is that people use MS??
That's the classical excuse of to beta human: I can't do it, because nobody does it.
And why does "nobody" do it? Because everybody uses that "argument" to not do it!
The best thing is, that it isn't even remotely true that nobody does it. You're reading a comment from someone doing it right now. But it's so convenient to ignore it that, isn't it?
Maybe that's the difference between alphas and betas. Alphas have no problem being the first in the club, to start dancing. No they even grab a girl and make a show out of it! ^^ (Because they know that that makes them the leader. Something that is very handy and feels great. Killing any insecurity-based awkwardness.)
So if one person can do it, then two can too. Including handling MS file formats. Including the ability to be in a MS (SMB) network. And so on.
So if two can do it, everybody can.
Which means nobody needs to use MS software. But they want it! Why? Because it's less effort. One can be lazy. And the excuses "always work", to lie even to oneself, about wanting to switch.
"Oh, if only others would use it! Then I would too! But in this situation? No way!" Except that you wouldn't. Or if you would, then I wonder what a pathetic kind of cattle you are, for always trying to conform, even if it's not what you like.
Hell, I'd even prefer to hear that you actually prefer Windows, and that this is mostly because you don't like all the work required to switch. That would at least be honest. And while not agreeing with the view, I could absolutely comprehend and accept it.
Do yourself a favor, stop imitating others just to be "accepted", stop caring what others think of you, build your own set of values, be you, do what you like, and strongly stand behind your reality. That is a basic human right of everybody. And we will not hate you for it. No, we will love you for it. (Isn't it strange, how doing the opposite of what you did, will give you what you always wanted? ^^)
P.S.: If anywhere you found that my assumptions are wrong, *of course* you can tell me how wrong I am. But only if. ^^ (And moderation is no replacement.)
Re: (Score:3, Insightful)
Re:How about just disabling Microsoft? (Score:5, Insightful)
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
Not really if you look at where the real competition is occurring.
The REAL product that Microsoft is trying to protect is the Windows platform. This is how Microsoft maintains their monopoly. IE is merely a means to try to control the web market to use Windows only across the board. The windows platform maintains much of its monopoly power by controlling the software to run on only Windows. Microsoft has long known that 3rd party developers were a big factor in building their monopoly, and keeping them on Windows maintains that monopoly.
This plugin lets you run parts of .Net on Firefox, correct? .Net is largely Windows only software, correct? So by having Firefox (an increasingly popular web browser on Windows) run .Net software, Microsoft is trying to maintain .Net on web browsers as a viable platform. By doing this they try to ensure that you'll need a Windows computer to run .Net software on a browser. The alternative is that Web developers increasingly reject .Net components because of the increasing popularity of FireFox (and .Net not running on FireFox, thus developers don't want to lose the market share and choose non .Net alternatives). That's bad for Microsoft, since it means more inter-operability with other OS's, which would decrease the relevance of Windows.
Pretty clever, really. Frankly I think the Firefox developers should stop this nonsense not only because of the security concerns, but mainly because it's an attempt to control Firefox by Microsoft. Does Mozilla really want to answer to whatever Microsoft decides to inject into Firefox this week?
I also think it's a anti-competitive move by Microsoft and an abuse of their monopoly power. I doubt anyone will do anything about it though.
Re: (Score:3, Interesting)
Re:Ha ha (Score:4, Insightful)
Re:Ha ha (Score:5, Interesting)
Re: (Score:3, Interesting)
Mike,
Hi.
I have over 100+ boxes at work that depend on this plugin. When I get into work tomorrow, if they're not working (they run FF), then I'm not going to have much choice but to switch back to IE, am I?
I frankly did not know you guys had this ability to unilaterally disable things I depend on. That is a bit disturbing. It's going to unexpectedly cost me HOURS tomorrow.
Can you at least switch the block to only block unpatched versions? I'd agree with that.
Re:Ha ha (Score:5, Informative)
I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.
(Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)
Re:Inconsistent logic (Score:5, Informative)
Re:Inconsistent logic (Score:4, Insightful)
While I was angry at Microsofts silent installation of this component in Firefox and there is part of me that is ready to cheer on Mozilla for disabling it, I also feel disappointed by the reaction to this.
Not only are they vulnerable versions of Microsoft's add-on disabled, but also all versions indiscriminately, including the patched version that Microsoft rolled out last this Tuesday. Just as some people may have been impacted by Microsoft's original silent installation, how does Mozilla know whether an end user actually uses sites that depend on that add-on or not?
Imagine what would have happened if Mozilla remotely disabled everyone's Flash plug-in each time a new vulnerability was discovered in it? There have been 0-day exploits in the wild for Flash and just think about it's install base. Or the Adobe Reader plug-in? Lord knows it's a more deserving candidate given its history.
In this case there may be some justification in that the unrequested component might pose yet unknown risks, but now I have to wonder what Microsoft's strategy will be during their next update cycle - to re-enable it given that they've fixed the hole in question? Did Mozilla just give Microsoft precedent that would support it disabling Chrome Frame in future?
As a customer of both parties I feel that I've been dragged into someone else's war, which is being waged with my computer as the battle field.
Re:Inconsistent logic (Score:5, Insightful)
Mike, I haven't seen anyone else say this, so allow me. As a grateful firefox user and evangelist, thanks for your efforts, contributions, and patience in putting up with all of us. Please pass this thanks on to your co-team members.
Re:Inconsistent logic (Score:5, Informative)
I can't believe this. (Score:4, Insightful)
my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
You did the right thing. Please ignore silly comments from the peanut gallery.
All diplomacy aside, I appreciate any efforts to lock down the walls against invasive bullshit I was tricked into installing and had to crawl through my registry with a flashlight and hip waders in order to kill. Further, anybody who doesn't have a problem with Microsoft tampering with third party software they have no business touching is probably not the sort of person whose complaints are worth clogging up your conscience with.
Cheers!
-FL
Re:Inconsistent logic (Score:4, Informative)
Re: (Score:3, Informative)
As I said elsewhere, a lot of plugins seem not to report their version information. Why don't you disable them too?
According to your plugin checker [mozilla.com] the following plugins on my system don't report version information:
Java(TM) Platform SE 6 U13 Java(TM) Platform SE binary
Microsoft Office Live Plug-in for Firefox Office Live Update v1.4
Java Deployment Toolkit 6.0.150.3 NPRuntime Script Plug-in Library for Java(TM) Deploy
Re: (Score:3, Insightful)
I know I didn't intentionally install most of these, and the Acrobat and Windows Media Player ones are, I believe, the only ones I specifically installed or agreed to.
Recent versions of the Windows Presentation Foundation plug-in have enable/disable, so that can't be the reason for it.
I stand by my subject line: Mozilla is being inconsistent here.
Re:Inconsistent logic (Score:4, Interesting)
Re:Cat and mouse (Score:5, Informative)
Re: (Score:3)
Re:and people wonder why MS has security problems (Score:4, Insightful)
And this is why more and more people don't trust software that isn't open source. Sure, your browser may be free software, but since the operating system is closed source, others can still play dirty tricks on you. If there is any non-free software on your computer, you don't really control it.
Re: (Score:3, Insightful)
A car analogy: If Ford could decide to add a part to your car next time you took it to be serviced, without asking or telling you what it did, and they had a history of shitty engineering, would you really want to have to take your car back in a week because the unauthorized add-on was found to cause the vehicle to burst into flames, or the doors not to be able to latch shut?