Sneaky Microsoft Add-On Put Firefox Users At Risk

CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."

except Windows 7

[nurb432]

Best upgrade then ya lusers!.. Here is an online form to order your shiny new pc with Windows 7..

Re:except Windows 7

[Penguinisto]

...depends - the Windows 7 beta and RC had that nasty little habit as well. The RTM is (so far) not doing it.

In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).

To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft... just look at how they're blaming ORacle and Sun for the Sidekick data loss (in spite of the fact that it was lost because their management apparently forgot how to spell "backup").

Re:except Windows 7

In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).

FTFS:

What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7

Emphasis mine.

Re:except Windows 7

What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out ...

As is the add-on "Ubuntu Firefox Modifications"; that you get - whether you want it or not - when installing Ubuntu.

Re:except Windows 7

[SilverHatHacker]

sudo aptitude remove ubufox?

Re:except Windows 7

[netsharc]

Strangely this wasn't the case for me in XP, in both home and work PCs, with Firefox 3.5.3 and the latest .NET .. uninstall worked just fine. So what's the truth? This is also a fresh (re-)install of the whole system, and last Tuesday Windows Update did say there's an update for .NET 3.5, so maybe the latest update made it uninstall-able?

Re:except Windows 7

[edwardsdl]

I don't understand the question.

Re:except Windows 7

[PopeRatzo]

I don't understand the question.

That's OK, neither did he.

Re:except Windows 7

[SilverHatHacker]

Removing the ubufox package is supposed to leave you with a vanilla Firefox, as far as I know. I don't know anything about the 'Ubuntu Firefox Modifications' add-on; I have nothing of the sort on my Ubuntu Jaunty system as far as I can tell.

Re:except Windows 7

or ... here's a novel idea ... get ready ...

maybe microsoft could try making good quality products that people want to use instead of spending all their money on subversive, childish, and frankly idiotic, endeavors to stem the flow of users away from their products.

they have been doing the same crap for years with every piece of software in the market that's not theirs. they release an update that makes it insecure or unstable.

not that they care, but i have no respect whatsoever for the poor excuses for businessmen that run Microsoft.

nothing new though i guess ... rather than come out with something useful that makes the world better they just keep churning out the same old crap and bulldoze anyone who gets in their way just like the insurance industry, petroleum industry etc. /sigh

Re:except Windows 7

[Lord+Bitman]

and just try reporting that as a bug- You'll get shouted down because it wouldn't make sense for normal users to be able to uninstall system-wide plugins- as if firefox didn't have user-specific settings at all
(of course, every time firefox upgrades, it forgets my custom menu configuration, so maybe user-specific settings are being phased out?)

Re:except Windows 7

[VGPowerlord]

In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).

FTFS:

What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7

Emphasis mine.

You should learn to read the article, too.

FTFA:

Microsoft reacted to criticism about the method it used to install the Firefox add-on by issuing another update in early May that made it possible to uninstall or disable the .NET Framework Assistant.

Emphasis mine.

Also, note that this plugin update was pushed out via Windows Update.

Re:except Windows 7

Since Ubuntu is the best Linux has to offer, the other distributions must be absolute shit.

Re:except Windows 7

Try, Firefox --> Tools --> Add-ons
It's a prerequisite for Firefox 3.0.14 (current Ubunutu supported release)

Re:except Windows 7

[KrimZon]

Or if Ubuntu is the unstable and annoying one out of distros, the rest must be utterly amazing.

Re:except Windows 7

[shentino]

Which is exactly what makes it outrageous.

What the fuck kind of business does MS have with patching someone else's friggin software?

I'd say that MS is illegally making a derivative binary work and should get nailed for infringing on mozilla copyrights.

Additionally, I also say that MS is engaging in anti-competitive behavior by sabotaging a rival product.

Re:except Windows 7

[zach_the_lizard]

Don't know about you, but "Disable" is not grayed out on my Ubuntu box for that add-on.

Re:except Windows 7

[zach_the_lizard]

I believe they patched their extension, not Firefox. As far as sabotage, they've done it before with Word Perfect IIRC.

Re:except Windows 7

[Eudial]

Except in Nebraska.

Re:except Windows 7

[ub3r+n3u7r4l1st]

fdisk /dev/hdb

restart the machine and pop in Windows 7 Pro RTM available free on MSDNAA

Problem solved!

Re:except Windows 7

[alanmoore78]

Interestingly enough, my Firefox 3.5.3 on XP Home did not have the buttons grayed out, but a fresh install of Vista Home on my Acer laptop downloaded the plugin and had it grayed out. A fresh install of Home Premium on my Asus also had grayed out buttons once the plugin forced its way in. I can't get rid of those without editing the registry. Yuck. Maybe I should put XP Home on my laptops. Oh, wifey's 7 Ultimate RC box has them grayed out as well. Annoying, to say the least.

Re:except Windows 7

Ubuntu, any version of Ubuntu, even 5 year old versions of Ubuntu are upgrades from windows7. There is your upgrade baby! Go hard! Microsoft sabotaging their own users? What the hell is up with that? How many times has it happened before? Serious! There is something seriously manic about this whole process. The company keeps bitching its customers. Screwing them over, fucking them up. It doesn't give the slightest shit about them. Bitch slaps them, and makes them pay more every time. Bend over baby! And the customers? THEY KEEP COMING BACK FOR MORE! Something seriously mental is going on here! Its not healthy. Seriously, its time to take a strong coffee, grow a pair, and take a long hard look at whats going on. Makes you wonder how many of the botnets are run by microsoft.

Re:except Windows 7

[srmalloy]

To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft...

Well, of course it is... After all, isn't being unable to prevent the company that controls the OS your program runs under from automatically installing unremovable exploit code a severe security hole in your program? So clearly it's a problem with Mozilla, and has nothing to do with Microsoft at all.

Re:except Windows 7

[agnosticnixie]

Why am I not surprised the attitude of the Ubuntu dev list wouldn't be so far from its genitor Debian... tree falling close to the tree much?

Re:except Windows 7

How on earth does this become insightful? Of course they didn't patch Firefox, just their own add-on.

Re:except Windows 7

[Dorsai65]

That's just one of the reasons that I quit using Ubuntu -- for reasons known only to themselves, they just have to piss in perfectly good 3rd-party packages so they can brand them "Ubuntu".

Trying to install Open Office 3 when Ubuntu was still stuck at OOo2 finally revealed to me just how bad Ubuntu is about scattering crap all to hell-and-gone; it reminded entirely too much of how Microsoft operates.

Re:except Windows 7

[CrossChris]

Those MS bastards also did it to two of my products (Stacker) back in the 1990s. My company sued them, and they tied us up in court for nearly three years. At that point, we were almost broke, and the board sold the company to MS. We each got a lot of cash from the sale, but it still rankles today.

Remember - if MS like your product, or if it poses a threat to them, they'll either kill you off in court or they will buy / steal the technology (Doublespace) and still tie you up in legal knots.

Nowadays, they screw around with other company's products, and there's (effectively) nothing that anyone can do.

Remember - anyone who can afford to buy the judge can get whatever "legal" ruling they want!

Re:except Windows 7

[Zontar+The+Mindless]

Ubuntu is the only distro I've encountered that appears to specifically disallow my standard practice of putting FF (and other user programs that IMO have no business being run as root) in my ~/bin. WTF??

As far as I'm concerned, that makes Ubuntu != Linux. Period.

Re:except Windows 7

[Hurricane78]

Uum, you said:

In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).

But the article says:

The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7

So in case you did not mean Win7 (which would make no sense, because that's the point), one of you is lying here. ^^

Re:except Windows 7

Not so. There are two points in time; after the first "fix" it wasn't uninstallable. After the second, which fixed the fix, it was. Dumb kraut.

Re:except Windows 7

> As far as I'm concerned, that makes Ubuntu != Linux. Period.

No true scotsman?

Re:except Windows 7

[ectotherm]

For what it is worth, I am running XP (Kubuntu as my dual boot!) and was able to either disable or uninstall with no problem. Nothing greyed out...

Re:except Windows 7

[thejynxed]

Go attempt to browse the picture galleries on nasa.gov. That plugin will rear its ugly head even if you 'disabled' it. At least FF 3.5.3 puts up a big warning about it and allows you to cancel the plugin from loading/reinstalling itself.

You need to eradicate it completely from your system.

Personal Anecdote: Gave me an unpleasant surprise this morning when I was showing my wife recent pictures from Hubble, the Carina Nebula, and from the Swift project. The plugin is not listed in my Addons - Extensions list. I thought I had it 'disabled'. Learned the hard way that you have to eradicate it from your system.

Re:except Windows 7

[conureman]

Working on the ol' Ladie's Vista machine, here, Firefox just up and disabled a coupla MS extensions for acting dangerous. The word must have gotten out.

Re:except Windows 7

[Zontar+The+Mindless]

I was wrong.

I do know what the execute bit is.

Too much info, too little brain, and some of the info leaked out, I guess.

One of the few times I really wish I could delete a comment, because that was just stupid.

Re:except Windows 7

[lazybeam]

Just after I read this comment Firefox popped up a warning dialog that there were dangerous add-ons installed and told me it had blocked the two Microsoft ones. So clearly Mozilla has figured it out, so it's all Microsoft.

(BTW I got your sarcasm (hopefully))

Re:except Windows 7

[BitZtream]

Dear moron,

The way this hooks in is a FEATURE OF FIREFOX. MS didn't do anything special. It takes 1 registry key to do this. Please shut the fuck up about stuff you don't know anything about.

They aren't modifying Firefox, they are adding a registry key, which firefox checks, that tells it to load a plugin as if you installed the plugin yourself.

Its made so you can install firefox plugins globally, to all users rather than one specific user. Its a way that sysadmins can roll out a plugin to an entire organization.

They aren't sabotaging a rival product, the added a plugin which had a bug in it.

Again, please shut the fuck up about things you completely don't understand, its not outrageous, its not unique, its not special, its just a fucking bug. God damn, I've been a fan of OSS for years, I am however, beginning to get incredibly tired of hearing morons like yourself shoot off at the mouth as if you have a clue and talking about how evil some non-OSS software package is.

Get a fucking clue or shut the fuck up, you're just making yourself and the rest of the OSS look like morons to anyone with even half a clue about how this works. The world isn't out to get your favorite pet OSS project, really, no one really gives a fuck, not even Microsoft. God, ignorant loud mouths like yourself need to be hung up by your balls until you learn to get a clue before running your trap.

Re:except Windows 7

[gtall]

Hear, hear! You get this year's Rory Award for Gratuitous use of the Word 'Fuck' in on the Intarwebs.

And why is MS producing plugins for a rival web browser? I know, Ballmer got all warm and fuzzy one day and decided to let Mozilla feel the love.

Re:except Windows 7

[Meski]

To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft...

Well, of course it is... After all, isn't being unable to prevent the company that controls the OS your program runs under from automatically installing unremovable exploit code a severe security hole in your program? So clearly it's a problem with Mozilla, and has nothing to do with Microsoft at all.

There's a degree of humour here. Wasn't Microsoft crying the same thing about the Chrome addin for IE?

Re:except Windows 7

[tzot]

Where are the Snowdens of yesteryear? And WHERE ARE THE FRAKING MODERATORS when you need 'em? Parent is as insightful as can be.

Sabotage?

[Reyendo]

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

Re:Sabotage?

[Voulnet]

On the other hand MS shouldn't want Windows machines to be anymore vulnerable.

Re:Sabotage?

[noundi]

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?

Re:Sabotage?

[e2d2]

Yeah, that sounds like the most likely scenario. It's not just piss poor code, no no. It's definitely a nefarious plan concocted by the Illuminati and put into action by the secret lab they have at Microsoft. First step - fuck up Firefox. Second step - Destroy national borders.

Too many movies makes you think strange things. For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP. Real life: rotary phones, paperwork in triplicate, and a gigantic fucking bureaucracy that thinks pagers are still useful.

Re:Sabotage?

[Ethanol-fueled]

RTFA, It's a Microsoft vulnerability running on top of (within?) Firefox. Like ActiveX v2.0 for FireFox.
Microsoft owns Windows and so they can make whatever the hell they want work with it as annoyingly and as unsafely as possible, in any way that they wish.

Re:Sabotage?

[Captain+Spam]

Not really, not when it's due to a plugin they themselves installed and have their name all over. I mean, you don't consider Flash vulnerabilities to be the fault of IE or Firefox, do you? If anything (and that's a big "if" in this case), it'll be a black eye for Microsoft.

Nah, if you're going the paranoid route, it'd have been a better idea if they made this plugin under the guise of a shell company or something, then when the vulnerabilities hit the fan, have the shell complain about how "hard" it is to make a secure plugin for the "obviously inferior" Firefox, then have Microsoft suddenly pipe up about how much more secure the .NET plugin is under IE. Bonus points if the shell claims to be open-source with their reimplementation of .NET so Microsoft can attempt to discredit open-source software, too!

But we're not THAT paranoid. Are we?

Re:Sabotage?

[FlyingBishop]

This is a .NET vulnerability, on MS Windows. Firefox being the vehicle is entirely Microsoft's fault as the maintainer of the .NET plugin.

Re:Sabotage?

Even if it is regular incompetence, there will be people at Microsoft who will be delighted the add-on has the advantage of discrediting Firefox, and will be considering how best to use it. That's just the nature of any large corporation. Corporations don't blush. They maximize opportunity.

Whether initial malicious intent existed or not is pretty academic now, and likely unprovable in any case. What matters is the lever is inserted, and Microsoft will definitely be considering how much weight to put on it.

(And it doesn't mean you're not paranoid if they are out to get you.)

Re:Sabotage?

[hairyfeet]

And it is actually quite simple to remove with regedit. For those that want to toss it just launch regedit and go to HKEY LOCAL MACHINE > Software> Mozilla > Firefox > Extensions. There you will find both it and the Java extension, just delete and voila! No more Dotnet or Java plugins.

Re:Sabotage?

[Naturalis+Philosopho]

Thanks for the laugh. I'm not sure that the guy who modded you "informative" really got that one though.

Re:Sabotage?

[Thinboy00]

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?

Because if it looks deliberate, the FTC gets mad at you. They never actually do anything, though.

Re:Sabotage?

[Thinboy00]

Given that Nintendo is legally required to warn you prior to updating your Wii that such updates break homebrew, I cannot possibly imagine that Microsoft is allowed to break your software without your consent.

Re:Sabotage?

[jamstar7]

Too many movies makes you think strange things. For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP. Real life: rotary phones, paperwork in triplicate, and a gigantic fucking bureaucracy that thinks pagers are still useful.

Or the idea of NSA 'agents' running around shooting up everything in sight (because the CIA isn't the big Boogie Man anymore). Real life: Bunch of bureaucrats overseeing a bunch of pastyfaced nerds and cubicle rats busy doing signal intercepts and codebreaking. Though the bandwidth and internet access is great, I hear...

Re:Sabotage?

That pretty much was what they aimed to achieve.
Dent the apparent security of your competitors.

Usual FUD attacks really.

Re:Sabotage?

[Korin43]

I consider flash vulnerabilities the fault of any browser that doesn't support the canvas, video and audio tags (requiring people to use flash).

Re:Sabotage?

[Ethanol-fueled]

It's not broken if it still works, even if it is a gaping security hole.

Re:Sabotage?

[shutdown+-p+now]

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional - the vulnerability itself is a fairly obscure corner case in .NET bytecode validator/verifier, and, so far as I can tell, it has been there for a very long time, seemingly before WPF was even released. All in all, it looks like a genuine bug.

A testament to its obscurity is the way I encountered it - I was designing an Algol-60 compiler targetting .NET, and was looking for an efficient way to pass Algol function-type function arguments (which are effectively vararg on the caller side) without having to lift outer locals used by captured functions to heap. Only after coming up with an efficient design and testing that it works, I realized the implications of what I had just done to the verifier.

I cannot comment on CVE-2009-2529 (the second Firefox-affecting vulnerability), but I don't see how it would be any different. Really, the idea of MS deliberately adding vulnerabilities to its products in hope of marginally affecting Firefox by them (remember that IE is hit much worse...) is pretty absurd - even if you disregard the notion of business reputation when it comes to MS, it poses a very high legal liability. No-one in a sane mind would even contemplate doing such a thing.

Disclaimer: I do work for Microsoft at present, though not on the affected products. I did not work for Microsoft when I discovered and reported that vulnerability.

Re:Sabotage?

[SleazyRidr]

If your security is that bad, you should really consider switching to Linux.

Re:Sabotage?

[dave562]

Not surprisingly this comment is sitting here unmoderated. Thanks for sharing the real tale of how the vulnerability was discovered.

Re:Sabotage?

[SplashMyBandit]

And it is actually quite simple to remove with regedit. For those that want to toss it just launch regedit and go to HKEY LOCAL MACHINE > Software> Mozilla > Firefox > Extensions. There you will find both it and the Java extension, just delete and voila! No more Dotnet or Java plugins.

Whoa, there partner! There hasn't been even a theoretical remote Java exploit for quite some time. The Java plugin is actually useful (especially on the corporate desktop where there are a lot of enterprise-internal Java apps not made available to the public) so might be worth leaving it on.

Re:Sabotage?

[mysidia]

It discredits MS and MSIE even more.

Firefox is a secure browser... hackers couldn't run arbitrary code in it and the one major vulnerability turns out to be an unauthorized, unsupported modification to the browser by Microsoft.

Re:Sabotage?

[Ilgaz]

Or could it be the reason why Apple wants to keep Safari, the default (also last resort) OS X browser "extension free"?

Re:Sabotage?

[PopeRatzo]

For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP.

That's how those bastards did me, too!

Re:Sabotage?

[PopeRatzo]

Who gave Glenn Beck a webcam?

Re:Sabotage?

[BikeHelmet]

Handy - but for me the Java plugin wasn't there.

Not a problem though - I don't mind Java. It's certainly more secure than anything dotNet.

Re:Sabotage?

[PopeRatzo]

I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090 [microsoft.com]) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional...remember that IE is hit much worse

You're spoiling everyone's fun, you know that?

Re:Sabotage?

[Evil+Shabazz]

Oh come on, mods.. that was funny!

Re:Sabotage?

[Ilgaz]

Users can't use regedit. Apple knows it for the tiny plist files (which are text) so they did a "plutil" (plist utility) command included in OS which they (or developers) can tell users to run Terminal and "paste that command _exactly_ as it appears".

While there are 3.500.000 results for "run regedit" at Yahoo, can't they steal that idea from Apple so it would be basically "regutil --remove HKLM_Software_Mozilla_Firefox_Extensions .net"?

The most insane idea of all is entering Firefox on Windows, you know, the browser which its users use rejecting your built in browser. I wouldn't touch a byte on Firefox dir if I was MS. Even Apple who isn't that "hated" doesn't do anything regarding extensions, they merely install a basic browser plugin which they still get flamed for.

Re:Sabotage?

[koro666]

[...] can't they steal that idea from Apple so it would be basically "regutil --remove HKLM_Software_Mozilla_Firefox_Extensions .net"?

Isn't this exactly what reg.exe does already?

Re:Sabotage?

[interkin3tic]

Not surprisingly this comment is sitting here unmoderated

Only for half an hour. An hour later, it is up to +5. I guess the "nucleation" for moderations is the slow step, it has seemed to me that most moderations are done on posts already moderated once. Looking over my comments, I usually notice that most of my posts are unmoderated, the ones that are are usually moderated more than once. I don't really think my posts are either +5 great or +0 meh. Most people with mod points must be lazy and don't browse in full.

Re:Sabotage?

[shutdown+-p+now]

Ah, but you're missing the golden opportunity that I may be specifically sent here on /. to spread lies and FUD on the subject! ~

Re:Sabotage?

[jareth-0205]

And it is actually quite simple to remove with regedit. For those that want to toss it just launch regedit and go to HKEY LOCAL MACHINE > Software> Mozilla > Firefox > Extensions.

Your definition of easy differs from mine.

Re:Sabotage?

This is a .NET vulnerability, on MS Windows. Firefox being the vehicle is entirely Microsoft's fault as the maintainer of the .NET plugin.

Except that the browser should be sandboxed as a vehicle for running arbitrary code that should only work on the brower's own data sets.

Re:Sabotage?

[VGPowerlord]

Hats, get your tinfoil hats! $10, cash only!

Re:Sabotage?

[Nethemas+the+Great]

As far as I can tell Microsoft isn't horribly concerned about the FTC or their analogs. I don't think upfront discomfort in the form of fines and/or legal maneuvers aren't horribly important to them if they can sway public opinion in favor of their products.

Re:Sabotage?

[Nethemas+the+Great]

Users aren't the best at tracking problems to the source for the purpose of casting blame...

Re:Sabotage?

I don't get it. Spoil the joke for the rest of us.

Re:Sabotage?

[zach297]

Because people that use Firefox probably have heard about this patch and realize it is Microsoft's doing, thereby shifting the blame correctly to Microsoft.

Re:Sabotage?

Of course you are, everyone on Slashdot knows people who work at Microsoft aren't human and are all entirely malicious. They know anyone supporting Microsoft's viewpoint is just a paid shill, in fact they know you made the whole story up to cover up the real story.

Unfortantely, what people "know" on Slashdot is never actually the truth but a disturbingly paranoid cocktail of ignorance and idiocy.

Thanks for the write up, it's always really interesting to hear how people stumble across bugs like this in the first place, because I don't think the obscurity if your story was unique to bug reports- there's an interesting story behind many such bugs and they're all worth hearing as they generally involve something deeply technical and frankly, I'd rather hear such deeply technical stories than a bunch of OSS/Mac zealots whinging about how Microsoft did it intentionally so that when Steve Jobs has a pacemaker installed running Windows it instantly crashes killing him off and destroying Apple's share price, or whatever the fuck crazy story said zealots decide to conjure up in their paranoid minds next.

Of course, what said zealots miss, is that their zealotry and ignorance is more often than not what leads to the vast majority of users being put off their preferred platform.

Re:Sabotage?

But this is exactly the kind of crap instructions you get when you try to anything in Linux. I would have thought Slashdot would be singing the praises of this kind of obtuse set of instructions!

Re:Sabotage?

[Anachragnome]

"Not really, not when it's due to a plugin they themselves installed and have their name all over. I mean, you don't consider Flash vulnerabilities to be the fault of IE or Firefox, do you?"

There is some grain of truth to this. You can't blame everything on Firefox OR Microsoft.

My father-in-law managed to install Firefox after I recommended it to him in a phone call. Only when I see him using his laptop on a camping trip months later, he had somehow managed to make the the shortcut to Firefox a BOOKMARK in Internet Explorer, thus requiring him to boot Internet Explorer in order to fire up Firefox. Weeee.

Sometimes you need look no further then then the end-user if your looking to hang blame on someone.

Re:Sabotage?

Cash? Bah! Precious metals only. Whole-family tinfoil hat protection services available here for one gram of gold or one ounce of silver per person. subGenius members eligible for Bob's discount.

(anonymous to duck the inevitable offtopic mod)

Re:Sabotage?

[JimboFBX]

Nah, the instructions are missing a reference to an obscure library somewhere that the user was some how already supposed to have with no link as to where to download it.

Re:Sabotage?

[Interoperable]

I don't think Microsoft would write bad code to try to make Mozilla look bad. When you hear that MS patched an error it means it's an error in MS code and can in no way reflect well on MS.

Re:Sabotage?

You mean like the command line tool "reg" that's been included for eons?

Re:Sabotage?

Regedit does have command line arguments. But Microsoft seemingly has not learned that conventions help with this kind of thing. Running regedit.exe /help on this Windows XP system doesn't do anything (it doesn't start regedit, unlike other switches/arguments) and it doesn't give any help either.

Re:Sabotage?

[at_slashdot]

Most people with mod points must be lazy and don't browse in full.

If you browse in full you kind of lose the benefit of moderation, if everybody avoids to browse in full then we lose the benefit of moderation too...

Re:Sabotage?

[Gadget_Guy]

No, it is paranoid. How are you finding out about the vulnerability? Because Microsoft patched it last Tuesday. If they wanted to discredit Firefox they would have shipped something to take advantage of the security hole, not something to fix it. Besides, a security hole that only exists on the Windows version of Firefox (and will inevitably be traced back to their code) just makes it look like it is better to run FF on Linux rather than Windows - which would NOT be what they wanted.

The sad part is that this could have gone so well for them. This should have been remembered for Microsoft supporting alternate browsers under Windows so it would be one less reason to say how IE has an unfair advantage. I could (barely) forgive them for silently installing it the extension because from Microsoft's point of view they are adding support for Firefox to .NET rather than the other way around.

What was unforgivable was shipping this without the ability to disable the extension. Even if they had never contemplated the idea that anyone would want to uninstall it, it should have been blindingly obvious that a grayed out Disable button meant that this would stand out from other extensions. They couldn't just say that they didn't notice that it was not able to be uninstalled.

I would like to know how you disable those buttons. Is there some API call when installing the extension (meaning it is a deliberate feature, for which both Microsoft and Mozilla should be shot)? Is it caused by a lack of uninstall script (meaning Microsoft did a half-arsed job of writing the extension)? Or is it a permissions thing that the update was installed by the Administrator account and limited users were not allowed to delete the files/registry keys (meaning... I don't know what to think of that option)?

Re:Sabotage?

[hAckz0r]

You had me going there right up to the "Algol-60" part. In 2009? After all everybody her on SlashDot knows that Algol-68 is the most recent version! Why would anybody be using a back-dated version of a language?

Ok, seriously. Why Algol-60?

Re:Sabotage?

[whitehatlurker]

Yeah - the fact that MicroSoft screwed up on security is not news, but that someone is writing an Algol compiler (58/60/68 not withstanding) should be front page material on slashdot.

What's up with that?

Re:Sabotage?

[hairyfeet]

Uuuuhhh...never heard of a .reg file? If you have somebody who is afraid of using the reg they really ain't hard to cook up. if you need one here is a nice tutorial on how to modify and delete reg entries with a .reg file. Certainly a lot easier to go "clicky clicky" on a reg file than risk having the user bone something in CLI.

That is one of the nice things about the Windows registry-it really isn't hard to cook up a .reg file in notepad and send it to someone having a problem. Oh and if anybody needs it here is a page of the most common fixes for those little problems that pop up from time to time, and nearly all of them are nice simple .reg files that makes it simple to send to someone having trouble or keep on a flash in a misc tools folder. Despite all the hate out there for the reg is actually pretty simple to backup, fix, and maintain, with little effort.

Re:Sabotage?

[runningduck]

I would even go as far as to say it could fit the legal merits of a cyber crime. The "patch" installed into a 3rd party "system" called Firefox without explicit permission from either the "system administrator" or the other vendor. The result of the action potentially created a back door on the overall system. Hmmm, I have seen people become felons under cyber crime laws for much less.

Re:Sabotage?

[shutdown+-p+now]

Ok, seriously. Why Algol-60?

Because it is one of the three languages that started it all, and one that affected all existing mainstream languages most. Curly braces of C, and the block construct that they represent, began their life as "begin .. end" in Algol-60.

Because it is at the same time a very beautiful language - especially considering the time when it was designed - and one with some very advanced constructs, not found even in many modern languages, that can pose significant challenge to implement efficiently, especially in an otherwise constrained environment such as sandboxed CLR. To list a few such features: computed goto, label variables/function arguments and the associated nonlocal goto, arbitrarily nested functions with variable capturing, and call-by-name. Challenges are fun.

Because it's a very important milestone in history of CompSci in general, and language design in particular (in case it's not quite obvious yet, I'm a language design geek), a piece of it that I wish to preserve. Apparently, I'm not alone in that, either - there's also GNU Marst - curiously enough, written by another Russian dude.

Because Simula-67 (the first OOP language ever, and the ultimate ancestor of virtually every statically typed OO language today, including C++, Java and C#) is a strict superset of Algol-60, and I wanted to go after it next.

And, of course, just for fun. I mean, this is Slashdot, right? We routinely get people installing KDE2 on NetBSD running on toasters with 7-segment indicators here; I think my little fetish is relatively benign in contrast.

(To bring the above references to Algol-60 language features into some context for those not familiar with the subject, the final Algol-60 language spec is here; it's a fairly short read.)

After all everybody her on SlashDot knows that Algol-68 is the most recent version!

Algol-68 is an entirely different language from Algol-60. It's not evolutionary, but a complete, ground-up redesign, by very different people. It's also a very interesting one, and important in its own right, since C borrowed a lot of things from it, down to keywords (VOID, INT, SHORT, LONG, STRUCT and UNION are all Algol-68 keywords with virtually the same meaning they have retained in C).

It would be fairly interesting thing to implement as well, but in many ways it's a much more rationally designed language than Algol-60, dropping some overly exotic and complicated features, and, consequently, implementing it is less of a challenge (I guess they had had enough real-world experience writing compilers by then to conclude that some features of Algol-60 looked good on paper only...).

Re:Sabotage?

[interkin3tic]

I mean browsing in full while moderating: actually reading those posts which haven't been modded up yet so that you can spot good ones deserving a mod. Such as the one in question.

Re:Sabotage?

[daveime]

Yes, because YouTube and all the popular video sites already have HTML 5 pages with canvas and video tags right ?

Oh, wait ... no they don't. There's been a massive investment in Flash because it was the first viable solution available. They're not going to change all that just because you want to use libffmpeg in the background instead of the Flash Video Player, and ogg files instead of flv.

Blaming the browsers for not supporting an unfinished spec is crazy talk.

Re:Sabotage?

[the_womble]

What idiot modded that insightful?

It is weird how Windows advocates are quite happy to mess about the the Windows registry but claim that copying and pasting a fwe lines into a terminal window is dfficult.

Re:Sabotage?

[agnosticnixie]

No, you can actually copy paste them in terminal if they're complicated.

Navigating an obfuscating GUI to deal with configs is ridiculous in comparison.

Re:Sabotage?

Spitting into the ocean isn't going to make the water levels rise.

Re:Sabotage?

[OutOfMyTree]

Thanks for that.

Re:Sabotage?

[mrman18766]

Users can't use regedit. Apple knows it for the tiny plist files (which are text) so they did a "plutil" (plist utility) command included in OS which they (or developers) can tell users to run Terminal and "paste that command _exactly_ as it appears". While there are 3.500.000 results for "run regedit" at Yahoo, can't they steal that idea from Apple so it would be basically "regutil --remove HKLM_Software_Mozilla_Firefox_Extensions .net"?

The functionality exists, though I would say that if someone doesn't know how to delete a key in the registry - they are also very likely unable to know if it is safe or not to copy and paste a 'fix'...

To remove the Windows Presentation Foundation plugin - copy and paste the following(win7/vista need an admin prompt):

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\ /v {20a82645-c095-46ed-80e3-08825760534b} /f

Re:Sabotage?

[Hognoxious]

I was designing an Algol-60 compiler targetting .NET

You too? Small world or what?

Re:Sabotage?

[mpe]

Regedit does have command line arguments. But Microsoft seemingly has not learned that conventions help with this kind of thing. Running regedit.exe /help on this Windows XP system doesn't do anything (it doesn't start regedit, unlike other switches/arguments) and it doesn't give any help either.

They apparently like the idea of the registry being treated with mystique :)

Re:Sabotage?

[mpe]

Handy - but for me the Java plugin wasn't there.
Not a problem though - I don't mind Java. It's certainly more secure than anything dotNet.

The annoyance with Java is the installation of "Quickstarter" bits

Re:Sabotage?

[mpe]

Too many movies makes you think strange things. For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP. Real life: rotary phones, paperwork in triplicate, and a gigantic fucking bureaucracy that thinks pagers are still useful.

How exactly does that stop them being "bad asses"? They didn't need any of that movie technology to cause all sorts of problems the world still has to live with.

Re:Sabotage?

[hairyfeet]

Yeah about that? I've found those copy/pasta in the terminals don't...oh what is the word...oh yeah, actually work. Because it was cooked up by some guy with a hardware/software setup that was "kinda sorta like yours, but not really, oh and different revs on hardware firmware".

Contrast this to windows where the EXACT SAME reg file that worked on granny's XP works on little Timmy's gamer rig. That is what is nice about the reg-XP is XP is XP, no matter the hardware. You ever try to get one of those damned Broadcom wireless to WPA2 with those "easy to copy paste" commands in Linux? Yeah, good luck with that pal. It'll make you want to see how far you can chunk that laptop after a half day of dealing with that migraine creator. No thanks.

After 15 years of dealing with Windows as a PC repairman, from Win3.x on up, I can say without fear of exaggeration, that Windows on its worse day doesn't equal the bringing of the pain that is Linux. Linux guys like to talk about switching Windows users, but lets be honest here okay? Its bullshit. Linux is NO different than Mac. Linux is just hunky dory IF you have the right hardware, but that is a really big fucking IF, and of course finding out if that hardware you just bought is gonna work or not is a royal PITA. At least the Mac guys have the Apple store, and Windows has...well every other store, but Linux? Yeah enjoy those hours trawling forums there pal. No thank you, I spend all damned day fixing boxes, the LAST thing I want to do is spend a few hours in a fricking CLI trying to "tweak" a ton of Unix commands in the hopes I can get my soundcard unborked. Bleech!

Re:Sabotage?

[sjames]

Sure! They would love to have numbers showing that Firefox is just as vulnerable as IE. Even if they have to hack on it in order to get such numbers. It's much easier to introduce vulnerability than it is to remove or avoid it.

Re:Sabotage?

[sjames]

For some people it seems to be easy. For the rest, the registry is known as that thing that wipes out your entire computer if you look at it funny.

That's why there are so many stern warnings out there to "never use regedit"

Re:Sabotage?

[sjames]

At least in linux, there is little chance that pasting something into or deleting something from a config file will render the machine unusable until you re-install. The worst case is that the particular subsystem you were working on won't work (and apparently it already didn't, so not a big step backwards).

Even screwing up grub.conf or /etc/inittab can be recovered from without a re-install because there aren't a bunch of opaque and undocumented binary values to deal with.

It's also much easier to make a backup of the old state so you can always get back to what you had and try again.

Finally, there's no amount of tinkering you can do, including swapping all the hardware around that will cause Linux to declare you a thief and require you to beg forgiveness.

Re:Sabotage?

> What idiot modded that insightful?

The same one who says anonymous posts are obnoxious.

There: you can have a lot of signed up bullshit...

And now another fool wants to abolish anonimity. What next? Gravity?

Re:Sabotage?

[hydroponx]

Yes, I don't have this plugin (xp64) so I can't give the exact path but it should be something like this:

reg /f /va DELETE HKLM\Software\Mozilla\Extensions\.Net

the switches:

/f = force delete
/va = delete all values under this key

Re:Sabotage?

[BikeHelmet]

The annoyance with Java is the installation of "Quickstarter" bits

Yes! You have to manually turn those off in services.msc, or they keep coming back!

Re:Sabotage?

[Naturalis+Philosopho]

Uh, the way to "fix" this security flaw may be to remove JAVA and .NET (and that alone is a good joke in some crowds, maybe this one even), but for most people that'll cripple their browsing experience. It's one of those "We can stop the bleeding if we cut off his head!" type jokes.

Re:Sabotage?

[FlyingBishop]

It's an MS plugin. Sandboxing is Microsoft's responsibility, since they've chosen to link it with core OS functionality. That's the difference between plugins and extensions. It's reasonable to expect extensions to be sandboxed. Plugins are on level with userspace code.

Re:Sabotage?

[Trogre]

Unless you're joined to an AD domain, or using 64-bit XP. Then the rules change again.

Re:Sabotage?

What idiot modded that insightful?

It is weird how Windows advocates are quite happy to mess about the the Windows registry but claim that copying and pasting a fwe lines into a terminal window is dfficult.

I love you and want to have your babies.

Re:Sabotage?

[hairyfeet]

Sorry to burst your bubble, but I'm actually typing this from XP X64, been running it for a year now. The only thing I had to do was ensure that the motherboard had XP X64 drivers, which was as simple as looking under "supported Operating Systems" on Tigerdirect. Everything else? It all "just worked" with the exception of a 16bit disc catalog software from 1997 that I had been using. Switched to a nice Open XML based one and things were just gravy.

Compare that to Linux-will this motherboard work? Will ALL of the hardware on this new laptop function? What about the stuff on sale at Walmart this week? This is what is killing Linux on the desktop more than anything else. Because YOU don't know that answers to those questions, I don't know them either, and the poor kid making minimum wage working the counter sure as hell don't know the answer. With Windows it is as easy as looking for an X64 sticker, Mac is as easy as looking for the "OSX 10.x" logo, but Linux? Enjoy having to study just to buy some fricking hardware. And God help you if the "sure it works!" you find on a forum was written for firmware b and they are up to firmware g, because guess what? they don't label which rev it is on the box!!! Fun huh?

I repeat ANY Windows on its WORST day, be it 32 or 64bit, does not bring the pain in any way shape or form like Linux does. Sure Linux supports old crap, but when was the last time you saw old crap being sold at Best Buy? I got closets FULL of old crap that testifies that folks don't WANT old and busted, they want the new hotness. And by the time Linux supports the new hotness it is in the old and busted category. Until the "source code or nothing!" brigade dies in a fire so that manufacturers can just slap a driver on the CD and a penguin on the box expect Linux to stay its teeny tiny niche.

That ain't being mean, or trying to piss anybody off, it is just simple human behavior. Folks want to just walk into a store and put stuff in a basket WITHOUT having to "study" first. With Windows that is taking 2 seconds to look at the "Windows x" logo, with Mac the Apple logo, with Linux? Yeah Joe Average has no desire to spend hours dealing with CLI speak on some forum trying to figure out which piece of hardware to buy, especially when rev b might work and rev f might not. Until Linux is as easy to shop for as Windows and Mac then it is gonna be No Sale.

Re:Sabotage?

I can't remember the last time I used Java or .NET from my browser. Local applications, sure... but my browser? I thought Java Applets died a well-deserved death a long time ago.

Re:Sabotage?

[adolf]

Or is it a permissions thing that the update was installed by the Administrator account and limited users were not allowed to delete the files/registry keys

This, for the most part, is what happened.

I wrote about this back in the beginning of June. Firefox has more than one place where it looks for extensions to load, and one of them is system-wide. Users of Firefox (by Mozilla's choosing) are not allowed to uninstall system-wide plugins, and that's where Microsoft decided to install it.

Why did Microsoft do it this way? Malice? Arrogance? Naah. Probably just because it's easier to install one extension one time in one place, than to try to sort out how to install it into all Firefox users' extensions folders as needed.

The "uninstall" button was greyed out simply because that's how Firefox works. ("Disable" worked fine, though.)

One of the first things MSFT did after folks noticed this somewhat-guffaw, was to move the extension into the per-user extension folder where people can uninstall it for themselves from within Firefox.

Re:Sabotage?

Your comments put you in the "bad" admin category. Sounds like you favor the correct OS for your skill level.

Re:Sabotage?

[winwar]

"Most people with mod points must be lazy and don't browse in full."

Lazy isn't exactly the correct word. A strong desire not to go batshit crazy while being bored to death would be closer to the mark. Unless I am really interested and/or knowledgeable in the topic I tend to moderate only the stuff that is obviously good (or really bad) and I rarely mod stuff up higher than a 3 (you might call it drive by moderating...) I don't closely read subjects that bore me, confuse me and/or cause me indifference. I sure as heck don't subject the poor bastards in those categories to significant moderation-that would be cruel to all parties.

However, your informative post blends nicely into a large group of unremarkable posts. It is something that I would have modded up if I had noticed and had mod points. Might I suggest a title indicating something remarkable? We all hate wading through the crap :)

Re:Sabotage?

[BitZtream]

Users can't use regedit

What the hell are you talking about? I've had 75 year old hotel desk clerks (customers using our software) using regedit, if you can't explain how to use regedit, you''re just incapable of writing detailed instructions.

Alternatively, you can just send them a file, a .reg, that will remove the key, Google is your friend:

http://support.microsoft.com/kb/310516

REALLY

Not

hard

I wouldn't touch a byte on Firefox dir if I was MS.

They don't touch the firefox directory you moron. They add a single registry key. Firefox doesn't even need to be installed, installing it later and having the plugin work is another reason why it works this way. Likewise you can rm -rf the firefox and install it again later and the plugin will work. Please don't talk about what you don't have the slightest understanding of. Just because its related to MS doesn't mean they are out to eat your babies and share your wife with dingos and Steve Erwin. Please get a grip on reality, MS isn't out to get you, regardless of how many times Stallman screams it.

Can you be any more complete ignorant of whats going on and still talk like you have a clue? You don't even know what the right utility is on OS X, you're looking for 'defaults' not plutil.

Why is it that slashdot mods seem to think the more retarded a statement is, the higher rating it needs whenever MS involved. You want to bitch about MS, fine, but have a clue and know what the hell you are talking about, prevents you from being made out like a douchebag when everyone else pipes up to call you out on your ignorance.

Re:Sabotage?

[BitZtream]

Citation needed.

A few years ago, you would have had something about XP64 due to lack of drivers for random old shitty hardware.

AD has nothing to do with anything, you're just talking out your ass, unless you mean that you have a problem because your office PC doesn't let you do whatever you want because you aren't an admin.

Re:Sabotage?

[BitZtream]

I'm sorry how does 'Microsoft made a buggy/insecure plugin for Firefox' sound bad for Firefox in anyway? Are you so dumb that you can't understand the difference. My 60 year old father in law could understand the difference and he's in know way a techie, why is it that techies are the ones who think this is confusing?

Re:Sabotage?

[BitZtream]

Maybe when it first appeared, the joke is at LEAST 12 years old. Its only funny now if you're 14.

Re:Sabotage?

I've gotten instructions on editing regedit keys only to find that the entire branch mentioned just doesn't exist. So what do I do in that case? Reinstall windows yet again I suppose.

Also throw in the number of times I'm supposed to type regsvr32 "C:\really\long\path that has spaces so I have to use quotes\random.dll" Oh shit that dll isn't there so now I gotta hunt it down and hope like hell its not infected with some virus.

Ubuntu is far far far easier to set up than windows. All the drivers are there installed for me. I've had a lot more problems with random hardware problems with windows than I ever had under linux.

Yes 12 years ago it was a pain in the ass to get your soundcard working under linux. But that was a long long time ago.

All the commands on ubuntuguide work just by copy and pasting.

About the only things I use the command line is the hardcore system admin stuff like setting up mailservers, webservers, etc. Yeah I pop it open to run things like du and df to find out why I'm running out of hdd space, but I could do that by right clicking on folders and going to properties, but the command line is easier.

You can install and remove apps by pointing and clicking. unlike windows the add/remove programs actually does allow you to add programs, imagine that!

The command line is optional. When you ask for help on how to do something in linux they will prefer to give you the instructions on how to do it the command line way. Why? because its easier to just tell people to type "sudo apt-get remove whatever" than to say "click applications -> add/remove then type whatever in the search box, uncheck the box beside whatever then click apply changes".

Re:Sabotage?

[Evil+Shabazz]

It's never not funny to insult or make a joke at the expense of racist, fear-mongering bigots.

Re:Sabotage?

[Evil+Shabazz]

Oh, and Beck's only been on the radio nationally since 2002, only been a published author since 2003, and only been on television since 2006 - so there's no way this joke is more than 7 years old. :P

Re:Sabotage?

[hairyfeet]

How in the fuck is this flamebait? Show me a SINGLE instance where you can just walk into a Walmart and buy a device for Linux and have 100% assurance that it will work. With Windows you can look at the label, same with OSX, with Linux you are royally fucked without doing research. Hell read Ubuntu helpsites and see how fricking quick the word research pops into the conversation.

So if you want to get pissy Linux guys, don't blame me, blame your precious RMS and his "Source Code or Nothing!(SCoN!)" brigade who make damned sure you will NEVER have a stable ABI and therefor will never get to have the drivers on the fricking CD like any normal OS. Having to have the drivers maintained by the kernel devs is about the most fucked up back assed way you could possibly go, but because of the SCoN! you are trapped in the fucked up way of doing things, all because you listen to RMS who is about the WORST spokesman you could possibly have.

Having to research your ass off before making a purchase was fine and dandy ohh...about 25 fucking years ago, now the ONLY OS that has to do that is YOURS. Not OSX, not Windows, which BTW Win7 devices are already all over Best Buy and Walmart with helpful stickers that let you know it "just works". Where is the helpful Penguin stickers? Oh right, there isn't any, because you can't even put a single fricking driver on a CD and have it work 6 months later! Boy, gotta love that freedom!

So in conclusion, look at this post and the previous one oh clueless Linux zealots to see the difference between flamebait and answering a question, of course I have so much karma your wasting your time either way, but i do prefer to educate where I can. Oh, and notice that NOT A SINGLE FUCKING THING I said is in any way, shape, or form false. Now don't blame me if the truth hurts or you can't face reality. After all your OS is "free as in freedom" isn't it? So if reality sucks you can get together with your fellow basement dwellers and change it! But if you try? You'll find out that RMS and the SCoD! brigade will make sure that you are in fact NOT free, only their definition of free is allowed. That is why even Linus won't put the kernel under GPL V3, because even he knows that RMS is batshit. But hold onto those dreams of the masses studying their ass off just to buy a simple device at the Wallyworld, I'm sure your "year of the Linux desktop!" will be coming....ohh in about 40 years or so...BWA HA HA HA HA HA HA! Oh look, I made a funny!

Re:Sabotage?

[Stephen+Samuel]

You want to tout MS Hardware independence over Linux???? You must be somewhere between delusional and psychotic!

Yeah, I think it was a broadcom wireless that a friend of mine (Sunni) had on her laptop. For some reason it wouldn't work on Vista, no matter what she did.

I mentioned, out of frustration, the idea of installing Linux on the laptop, and she said "Is that the system you installed for father?" (I gave her 80 year old dad a Linux box earlier this year). I told her it was, and she said "Yeah, go for it". (Half his family has been playing with his Linux box since I installed it... It's been solid as a rock).

The broadcom wireless that Windows could't get working runs fine, and I now have 3 generations running Linux. (Sunni's daughter also got Ubuntu Ultimate on her desktop, but her grandson is autistic, so I'm not willing to upset him by replacing Windows -- even though it's got black-screen, and Dell want's $50 for a disk that will wipe his box clean and reinstall the OS with a 'proper' key).

But you want to know how I did the Linux install on their machines??? I did the install on a portable drive on my home machine, and then I took the newly installed disk and copied the partitions onto Sunni's laptop, and her daughter's desktop..... Install a new swap partition on the two machines, and boom, job done!

-------

If you don't think that that's enough proof of Linux's hardware independence, you should see how we do installations at Free Geek Vancouver. We start with completely wiped disks. We've got 4 machines that we do OEM installs on. Each install takes about 1/2 hour on a 2.4Gz celeron, and runs with almost NO user interaction (other than choosing 'automatic OEM install' from the network boot menu). .... then we take the installed drives, and plop them into random machines (truly random configurations ranging from a 800Mz Pentium 3s to higher end AMD multicores. ... then we test for hardware problems and send the machines out.

Compare that to Windows, where simply swapping out your hard drive can send the system into apoplexy and eat half your day's productivity by forcing you to beg Microsoft for permission to upgrade your machine.

I still remember my first Linux install. It was a dual-boot system. (Redhat 5.2 and Windows 98). I decided to upgrade the motherboard from a P2 to a P3 (OK: needed a new case, too). Linux was easy It asked to verify that I'd changed my mouse, and then it finished booting happy.

Windows was an entirely different matter. It took a few days of tweaking and downloading drivers (Using the Linux side, of course), before Windows was anywhere near stable.

---

The laptop I'm typing on also had WIndows XP hork on a simple hard drive upgrade. The Windows partition was copied from one drive to another. Linux on the other hand went from being installed on a file inside of NTFS, to a native Linux partition... No problems with Linux, but Windows was never the same again, even though the change was more trivial for WIndows.

So.... Windows hardware independent???? Give . Me . A . Break.

Re:Sabotage?

[Stephen+Samuel]

No, it is paranoid. How are you finding out about the vulnerability? Because Microsoft patched it last Tuesday.

Microsoft patched it because the Firefox people informed them that they were going to (out of frustration) explicitly disable it for having an 8 month old unpatched critical security bug.

With Microsoft now suddenly deciding to patch this bug, Firefox is only disabling a potentially unpatched security hole that Microsoft hoisted on their users.

Re:Sabotage?

[e2d2]

The majority of CIA employees are not field officers. Those are the minority, the elite of the CIA. The average CIA employee is just your standard manager/IT guy/whatever. But tell someone you work for the CIA and they assume you water board people for a living. That's why every employee has a cover story. That story is not to confuse foreign governments, but used to confuse the public who assumes every CIA employee is a "Boogeyman".

I would bet that most people would be quite underwhelmed if they saw the day to day at the CIA. That mystique is an advantage, and they like to use it to scare the bejesus out of people that would want to harm the US. But it works well.

remember the important part

[poetmatt]

the big deal here is they never uninstalled it off the people they shoved it on. They simply gave a way to uninstall it.

Thus, now it's harder for firefox to say it's safer while said plugin is installed.

Re:remember the important part

[abigsmurf]

The only thing worse than installing without asking is uninstalling without asking.

Re:remember the important part

[flynt]

..., and vice-versa.

Re:remember the important part

[poetmatt]

if the first happened, it doesn't hurt to do the second as opposed to leaving in said vulnerability.

Re:remember the important part

[jalefkowit]

That's what SHE said!

(sorry, couldn't resist)

Re:remember the important part

[Real1tyCzech]

...or allowing addons to be installed without asking? :)

Re:remember the important part

[asa]

If you allow someone (in this case Microsoft through Windows Update) to install software on your machine, you're hosed if they want to hose you. A bad actor could simply replace Firefox with an "updated" version that had their desired functionality. Once you let someone run code on your machine you're hosed in the case of bad actors. In the case of good actors, they shouldn't be adding unrelated software or modifying other software on your system without your permission.

Re:remember the important part

[Lehk228]

firefox can only control addons added via it's interface, if microsoft pushes a patch that edits the firefox config files and drops in an addon, the only way to prevent that would be with some sort of cryptographic protection on the config files, which would make manual offline editing (such as when you break something and can't get in via about:config) difficult or impossible.

Not true

[Voulnet]

That's not true, I have Win XP SP2, Firefox 3.5.3; and I just disabled this plugin. It CAN be disabled.

Re:Not true

[jargon82]

Agreed. I just brought it up in a firefox install on XP SP3. The disable and uninstall options are both available. Don't know if this is just poor reporting or if perhaps ANOTHER ms patch "fixed" the uninstall and disable options. Anyone know? Either way, it's retarded that they pushed it out in the first place.

Re:Not true

[Neon+Spiral+Injector]

That may not be entirely true. Have a look at this:
http://adblockplus.org/blog/the-return-of-net-framework-assistant

Re:Not true

[noundi]

Agreed. I just brought it up in a firefox install on XP SP3. The disable and uninstall options are both available. Don't know if this is just poor reporting or if perhaps ANOTHER ms patch "fixed" the uninstall and disable options. Anyone know?

Either way, it's retarded that they pushed it out in the first place.

The disable button has always been working for me on XP SP3, the uninstall however had not. I remember it wasn't working even months after it was installed on my work PC. Since then I've dumped a clone image and made sure to pick that update out so I wouldn't know the current status.

Re:Not true

[The+Moof]

Originally, you couldn't uninstall the extension. Microsoft did eventually release a patch that activated the Uninstall button, it's been out for a while now. I even think Slashdot had a story about the patch that enabled the button. Still patiently waiting for Sun to give me the same option with "Super Cool Java Firefox Extension"...

(Going to the Advanced Settings in Java under the Control Panel to uninstall a Firefox extension is unacceptable. I also wish they'd clean up their plug-ins when they update.)

Re:Not true

[Martin+Blank]

Original reporting from 09 Feb 09: Microsoft Update Slips In a Firefox Extension

Follow-up with removal instructions from 05 Jun 09: MS Issued a Fix For Its Unwanted FireFox Extension

The second article notes that the fix was actually issued in early May.

Re:Not true

[HereIAmJH]

Microsoft did eventually release a patch that activated the Uninstall button, it's been out for a while now.

Click on uninstall. Then, after Firefox restarts go back into Add-Ons and look at the Plugins tab instead of the Extensions tab if you really want a surprise.....

Re:Not true

[ameoba]

Even better - last time I restarted Firefox it popped up a message saying :

Firefox has determined that the following add-ons are known to cause stability or security problems:

• Microsoft .NET Framework Assistant
• Windows Presentation Foundation

These add-ons have a high risk of causing stability or security problems and have been blocked, but a restart is required to disable them completely

Re:Not true

[BitZtream]

I hate to burst your bubble, but most of whats written on that page is just flat out wrong or at a minimum misleading. Read the comments on the page for plenty of people pointing out everything.

Most importantly, he's talking about something entirely different than what this article is talking about.

I don't expect you to know either of the above however, you'd never have posted anything if you knew anything about it.

Almost

[Kell+Bengal]

I went through the process of removing the plug-in. While I was incensed that it was installed without so much as a by-your-leave, the removal method I used didn't require registry hacks or anything so high falutin.

That said, I should not have had to have gone to any such effort in the first place.

Re:Almost

This is why you should read the release notes before you install software. This is also why introducing new functionality through Windows Update is a bad idea.

Re:Almost

People want that functionality and cry when it's not in Firefox.

Regardless the plugin is very simple to disable by clicking the disable button in Addons. I can see how Linux users using Windows might be confused with it being in such an easy place to find.

Re:Almost

[Trigun]

What functionality I don't want is having to upgrade messenger, and finding that it switched a bunch of crap in my browser, like searching from the address bar, and having to go through the chrome settings to fix it.

I thought that I read the disclaimers, but apparently not well enough. But I'm sure that it never said "Replace the default search in Firefox with Bing!"

I know that it wasn't Ballmer stating to do this, but some marketing drone talked to some codemonkey about getting Bing out there, and the end result was that I had to remove what is essentially crap adware and corporate shenanigans from my browser.

Re:Almost

[v1]

This is why you should read the release notes before you install software.

And the 109 page EULA. Don't forget to read all of that too. Pay particular attention to the 215+ word long sentences with words so long they wrap the window and stump your dictionary.

Read everything

Re:Almost

[jamstar7]

This is why you should read the release notes before you install software. This is also why introducing new functionality through Windows Update is a bad idea.

That's all very well and good for legitimate software. Haven't noticed much malware with release notes and opt-outs. And from what I've seen of the previous 'patch', it installed it as part of the .NET upgrade. 'Consent' was implied by activating the 'Allow Upgrades' button at the system level.

Re:Almost

[PopeRatzo]

While I was incensed that it was installed without so much as a by-your-leave

The "by-your-leave" was when you enabled Automatic Windows Updates.

Re:Almost

[gbjbaanb]

Allow Upgrades != install new stuff I never wanted or asked for.

Re:Almost

[edxwelch]

I have automatic windows updates disabled and it was installed on my machine. To tell you the truth I found half a dozen microsoft addins and plugins installed stealthly

Re:Almost

[Kell+Bengal]

Also the case for me - I review each and every update to make sure it's something I really want/need.

Re:Almost

[jamstar7]

Allow Upgrades != install new stuff I never wanted or asked for.

Microsoft's opinion differs.

Re:Almost

[wampus]

Bullshit. Pure and simple. If you have updates disabled, how the fuck did it get there?

Re:Almost

[indi0144]

Bullshit? I have updated disabled and firefox shows me this pearls in the plugins page, note that I did not installed any of them by my own neither was I asked or informed about them:

-2007 Microsoft Office System
-Google Update (maybe the bits that mine my usage data so Chrome can know my Firefox habits?)
-Microsoft DRM 9.0.0.4503
-Microsoft DRM 9.0.0.4503 (yup, gain)

So, how did they get there? Also this is a fresh install of windows XP SP3 with nLite I haven't installed stuff like Java or .Net yet. Also theres no remove or uninstall button for those, just deactivate.

Yes Microsoft can be a jerk pushing crap in other software but what the hell is doing Mozilla to prevent any random motherfucker to drop a dll in the plugins folder? I can drag and drop a dll from anywhere into the plugins folder, restart firefox and there you go: installed and activated by default as I do for an obscure Quake2 server plugin. I'm bitter, I love FF I have made video tutorials in my language promoting and teaching how to use FF, preaching about security, clients trust in me so they take a test drive on FF and they like it but if FF is ever nailed hard and the PR dept. does it's job I'm going to get burned as a lot of other well intentioned people out there.

It's that fucking hard for Firefox to inform me that a new DLL is installed? How about a pop up window or Yellow bar.. or how about a fucking dancing stoned carebear waving frikin lazerz at animecokemeth speeds raping the motherfucking liquid cristals in my screen flashing @ over 9000Hz in 300pt RED Comic Sans font "NEW PLUGINS INSTALLED" OMG anything will do but please fix that crap or do I have to ask for it to the minister of agriculture of Japan?

I think it's clear than I'm kinda drunk, but the point, whatever it was, remains :D

Had no idea...

[Jaysyn]

I had no idea about this plug-in. Thanks for the links to getting it fixed / removed.

"Cripple the PC"

Isn't it crippled by definition? Just look at those Mac ads...

Re:"Cripple the PC"

Exactly, and if anyone knows about crippled platforms, it's Apple.

You didn't expect it?

[Random2]

After all, they've done this before. Unless we catch them ,they're going to do whatever they can to remove their competition.

Registry Danger!

[aster_ken]

Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.

Also, the ability to remove this plug-in was covered on Slashdot a few months ago when Microsoft released version 1.1. It was included in an earlier service release to the .NET Framework for Windows XP and Windows Vista. This plug-in doesn't even exist in Windows XP by default. You must have installed .NET Framework 3.0 or higher to get it. Windows Vista includes .NET Framework 3.0, but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand. Windows 7 allows you to do it because the earlier service release is part of the operating system.

Microsoft bashing is fun, but let's stick to facts.

Re:Registry Danger!

[Darkness404]

The difference is, its pretty easy to figure out what things do in the Program Files directory, the Windows directory is a bit more confusing, but a lot of it is still pretty easy to figure out. Good luck for an average computer user to figure out what /HKEY_LOCAL_MACHINE\ SOFTWARE\etc. is compared to Program Files and X program.

Re:Registry Danger!

[Frosty+Piss]

but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand.

You mean like this? That's *no* uninstalling.

Re:Registry Danger!

but let's stick to facts.

You don't belong here.

Re:Registry Danger!

[fhuglegads]

if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand.

no .NET on my windows box.
never installed a service pack or an update
my system works based on the os that was on it when i bought it 3 years ago. there is no reason to let microsoft go and mess up something I already don't like by changing it.

I only use windows for one game that doesn't run under Wine. As far as my work pc goes... that's filed under SEP.. Someone Else's Problem.

Re:Registry Danger!

[jellomizer]

Open up your firewall for say 20-30 minutes...

Re:Registry Danger!

[Penguinisto]

"It's no more dangerous to delete something from your registry"

Perhaps, but...

1. This kinda invalidates the argument that Windows fanboys have been spouting for years, namely "...but in Linux/BSD/Whatever, you have to edit files, which is too hard for Joe Sixpack to do!"
2. If you bork the registry, discover it's borked only after a full reboot/log-in, then try to reboot again thinking it's some other problem, that backup copy of the registry just went 'pfft!', and you may or may not be able to get to a point where you can use System Restore
3. The registry makes a great place to hide stuff in (see also half the malware to come down the pike in the past 9 years)

Re:Registry Danger!

Can we please stop with the "It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence" trolling sarcasm?

I think everyone already agrees both of these are bad ideas, I'm happy this wasn't a problem for you, and no one cares that you were forced to read the same exaggerated warning again. The horror!

Microsoft bashing is fun, and we're sticking to the facts.

Re:Registry Danger!

[Killer+Orca]

Looking at my add/remove programs list I have 4 different versions of the .Net framework installed, I wish all the programs that relied on them would be able to use the latest one, but unfortunately they do not.

Re:Registry Danger!

Go ahead and delete your entire filesystem..
Oh no, I'm sure you won't have any problems at all..

System Restore can be disabled, rely on it to save your incompetence, you can not.

Re:Registry Danger!

Can we please stop with the "registry editing will end the world" warnings?

I sure wish we would. One of my co-workers (Who's actually an IT support person and has been for a decade) completely and truly believes that editing the registry is one of the scariest and most dangerous things you could do. This is the same IT support guy who's afraid of anything that's not a nice GUI. Command line? Scripting? Ohh noes!

How editing something as simple as the registry has become a dangerous activity for IT personnel is beyond me.

Re:Registry Danger!

[jamstar7]

Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.

Joe Sixpack doesn't have a clue about editing the registry, he just wants something 'That Just Works(tm)'. Anything else, he'll let his 'computer geek kid' screw up for him til it needs to go to the shop, then bitch when they charge him an arm & a leg to fix it. Having done several years of those kinda repairs, I can categorically tell you that a lot of the registry repair software isn't made for the regular user, it's made for us geeks.

System Restore in XP takes you back to your restore point. If your restore point includes the 'patch', you're gonna have to start all over again.

Re:Registry Danger!

[drsmithy]

This kinda invalidates the argument that Windows fanboys have been spouting for years, namely "...but in Linux/BSD/Whatever, you have to edit files, which is too hard for Joe Sixpack to do!"

The big difference is that Registry editing is extremely uncommon in Windows. Trawling through textfiles in Linux (or BSD) is - ironically - something you're almost certainly going to have to do as soon as you step off the narrow path of basic setup and usage.

If you bork the registry, discover it's borked only after a full reboot/log-in, then try to reboot again thinking it's some other problem, that backup copy of the registry just went 'pfft!', and you may or may not be able to get to a point where you can use System Restore

If it booted far enough the first time to delete the backup, then it booted far enough to get to System Restore.

The registry makes a great place to hide stuff in (see also half the malware to come down the pike in the past 9 years)

No more so (and probably far less so) than the maze of rc scripts in your average Linux or BSD.

Re:Registry Danger!

[Vancorps]

Actually no, when you reboot you still have previous backups. Windows keeps several registry backups in several files so you can always restore whatever is broken. This is the Windows XP or greater area of course. That is of course on top of system restore which can retain many backups by default depending on how much installing and uninstalling you are doing.

Registry hacks are not friendly for regular folk which is why it is so discouraged and is the same reason that editing text files is considered unfriendly. Modifying fstab is far from friendly especially if you are new to the world. Yeah it gets easy when you realize everything is a file and certain consistencies expose themselves but for the new people it is highly inaccessible exactly like the registry. The only difference is that Microsoft does all it can to prevent you from having to go in and manually edit anything. This is why a patch was created enabling the disable and uninstall functions.

You're right that the registry is a great place to high malware as much of it is not very well documented. I can't imagine why any application developer would want to use it.

Re:Registry Danger!

[Ilgaz]

The "fact" is, nobody wants their lame ass Flash wannabe junk. Nobody wants to hand edit a multi megabyte sized database file either. If you have installed Firefox, you have REJECTED Microsoft browser technology to begin with.

You must have installed 3.0? They drive Developers like sheep for new versions, Developers drive users. Find me a single Windows without .NET 3.x+ installed. .NET is pre 3.x only in Icaza&Friends weird, sold out mind. All uses "3.5" because it pops up in Windows update.

Re:Registry Danger!

[PopeRatzo]

turns out having a particular antivirus installed (mcaffee if I recall)

There's your problem, right there.

Re:Registry Danger!

[JesseMcDonald]

The registry also suffers from the common problem of all single-use binary formats: you can't examine or manage it with existing tools. For example, how would you go about comparing two copies of the registry for incremental changes (without first exporting both to plain text)? Can you place it into any of the excellent free, off-the-shelf version control systems, and still take full advantage of their change tracking and merging features?

The mass of plain-text configuration files used on Unix systems may have some flaws--they could certainly be made more uniform--but at least you have a wide variety of general-purpose tools available to help manage the complexity. With the registry you have ... RegEdit. That's fine for reading and writing specific keys, but not much else.

Re:Registry Danger!

[BikeHelmet]

You're absolutely correct. It's far more dangerous editing a linux conf file than it is editing the registry. (I should know - all my mounts vanished when I used spaces rather than tabs in fstab)

But some stupid person will go crazy and delete everything in the registry if you don't put up those scary warnings.

In all my years of windows use, and frequent registry editing, I've never caused a serious problem by deleting stuff. I always make a backup of keys, just in case, but I've never needed to restore one.

Re:Registry Danger!

[PopeRatzo]

he just wants something 'That Just Works(tm)

Well then, he should just install OSX on his PC.

Oh wait...

Re:Registry Danger!

Sorry, but I think everyone competent who came above a almost completely undocumented configuration file on a Linux/Unix system would find the idea of making any change of it really scary.
Given that the registry comes with no documentation at all directly included, only partial documentation from Microsoft (at least a lot of it is near impossible to find even if it exists) and some unreliable stuff "from the internet", and no clear rules on which programs are supposed to use which parts of it and which they shouldn't, editing the registry in general definitely should be considered dangerous.
Of course, there are cases where you know quite well what you are doing and that are well tested, that's something different...

Re:Registry Danger!

"The registry makes a great place to hide stuff in (see also half the malware to come down the pike in the past 9 years)"

I'm not aware of any OS config system that doesn't have this trait so it's hardly something specific to the registry.

Are you seriously suggesting the mess of config files hidden spread across various random and ambiguously named directories is somehow less hard to hide Malware in? At least in Windows you can be fortunate enough to know it's more likely than not, hidden in the registry. You don't have that with Linux, it could be hidden anywhere throughout the file system in the depths of numerous long, text based config files.

Re:Registry Danger!

[LifesABeach]

I believe the warnings are based on m$ catering to Soccer Moms, and Baseball Dads. These parental units have excellent curvilinear insights, and a need to "go it alone".

Re:Registry Danger!

[Rennt]

Go with me on this one. *ahem*

"Windows will NEVER be ready for the desktop until you can remove a plugin without hacking the registry. If a user has to open regedit.exe MS has already failed."

Re:Registry Danger!

A number of UNIX variants have ended up with Registry like functionality over the years. NeXTStep has NetInfo (which OS X inherits), AIX had the ODB, and to a lesser extent, some Linux variants store what packages are installed in a binary database (which can get corrupted pretty easily, and make updating the OS very difficult without manual surgery.)

The advantage of a Registry in an OS -- one can assign it permissions, it can be made transactional to minimize corruption, for some things, it can be faster than rereading text files, and it can be made secure.

The disavantage is exactly what the parent poster mentioned. On RedHat, I make a RCS directory and check in any config file I edit. This way, should I scrozzle something critical (sendmail.mc, apache's conf files), I can check out a previous version of the file and be fine. If I screwed up past that, I can check out the original, unmodified conf file and start from a known good set.

Personally, I'd love it to see operating systems go back to config files, perhaps in a well organized directory structure so both UNIX permissions as well as additional ACLs (AIX and Solaris support more than user/group/other, Linux and BSD sort of do). This way, a program just can only have settings it can see running as its own user, but be fixable by root should crap happen.

Re:Registry Danger!

[StuartHankins]

No more so (and probably far less so) than the maze of rc scripts in your average Linux or BSD.

I don't know if you're an accidental or intentional troll, but there you go.

The Windows "search" feature by default will not search all the files to find by content, in fact it ignores a considerable number of file types. Linux (or cygwin) will happily -- and very quickly -- find portions of a config quite easily. The Windows registry is significantly more difficult to use, has significantly more entries, and you can prevent the machine from booting all too easily.

If the relatively simple rc files confuse you, and you don't understand the differences in complexity between the Windows registry and a few simple text files, you should probably find another line of work. The more difficult concepts will be far beyond you.

Re:Registry Danger!

Given that the registry comes with no documentation at all directly included, only partial documentation from Microsoft (at least a lot of it is near impossible to find even if it exists) and some unreliable stuff "from the internet", and no clear rules on which programs are supposed to use which parts of it and which they shouldn't

This misconception is commonly bandied about on slashdot, but it's mostly crap. True, there is no "directly included" documentation and there is plenty of unreliable registry information on the internet in general (of course, that applies to just about any topic). The parts of the registry which administrators and developers can use has been mostly well-documented by MS in MSDN and/or TechNet since at least the release of Windows 2000, nearly all of it publicly available to anyone with an internet connection. Any home user is effectively an "administrator", whether he likes it or not and regardless of operating system, so that information is there for him, too. The registry is arranged hierarchically much like the file system, so anyone who can grok a file system tree structure (and admittedly, some cannot) can understand the structure of the registry.

Every MSDN/TechNet article that discusses modifying the registry has a warning about the consequences of mistakes, along with advice to back it up first. That's a good thing - it's where such warnings belong. The idea that modifying the registry in general is "a potentially dangerous chore, since a misstep could cripple the PC" is hyperbole, but it's no surprise to find it in TFS. While possible, there are few missteps that could "cripple" Windows, and none of them are likely to be recommended even in an unreliable internet source. Finally, the sort of user who is likely to be bothered, let alone aware, of issues like the MS FF extension, is likely to be the kind of user who knows enough to ensure the registry is backed up so he can fix things if it gets hosed.

We don't see repeated dire warnings to anyone who might perform his own vehicle maintenance, including for typically trivial things like changing the oil, that a misstep potentially renders the car inoperable - and you can't make a backup of your car. I think we can do without them for discussions about registry modification, too.

- T

Re:Registry Danger!

[the_womble]

The big difference is that Registry editing is extremely uncommon in Windows. Trawling through textfiles in Linux (or BSD) is - ironically - something you're almost certainly going to have to do as soon as you step off the narrow path of basic setup and usage

What do you mean by a "narrow path"? Most things that a non-geek user is expected to do for themselves is doable though a GUI in most versions of Linux meant for that market - e.g. Ubuntu or Mandriva, not Arch or Gentoo.

For example, a Linux desktop (especially, but not only) KDE is more customisable through the GUI than Windows is by any means. Software installation is easier than on Windows. What exaclty do you have in mind?

Re:Registry Danger!

[natxo+asenjo]

The big difference is that Registry editing is extremely uncommon in Windows. Trawling through textfiles in Linux (or BSD) is - ironically - something you're almost certainly going to have to do as soon as you step off the narrow path of basic setup and usage.

I beg to differ. As a windows/linux/esx sysadmin I edit the registry of the windows machines on a daily basis.

The registry is the configuration system of windows, so even if you are clicking bottoms, the settings will be saved in hives. My point is: even if you do not know it, if you use windows, you edit the registry with nearly every mouse click.

Manufacturers bring out "updates" to fix problems that are in fact just modifiying a few registry keys. But users can apparently not use regedit to do that, so companies bring a hotfix out with autoit as an executable to just change the value of a key. The customer just clicks on the installer and follows a wizard, that is what he/she is used to.

Re:Registry Danger!

Ouch, you just brought back a painful repressed memory of something that has been a tragic disappointment in UNIX for decades. Yes, as you mention, you CAN THEORETICALLY put UNIX text config files in version control easily enough. So, here we are 30 years later, and, hmm, THERE AREN'T ANY DONE THAT WAY BY DESIGN/DEFAULT! In fact I remember way back when investing some considerable time on old FreeBSD/Solaris boxes starting to put many of the system configuration files under SCCS or RCS so that I could diff my edits and look at change logs and revert changes easily and all that. My efforts became frustrated just due to the frequency with which my configurations would conflict with or be obviated by new versions of files or the OS coming from upstream creating a whole new round of merges, checkins, et. al. mostly unnecessarily (if it had been supported by the distribution itself).

In fact in a lot of cases doing it the 'simple way' wouldn't work at all due to the horribly unhelpful design of a lot of the scripts themselves which INSIST that *anything* in a certain config directory MUST be itself a configuration file. Not an emacs backup file. Not a version control subdirectory. Not a version control file. Not a vc lock file. Etc. So basically doing anything that generates another sort of file/directory under, say, /etc/cron, or /etc/init.d, /etc/sysconfig, whatever is probably unsafe since the "find..blah.. -type f ... | grep .. blah" or whatever logic in the scripts will pick up your unrelated files via some kind of wildcard expression and cause havoc. It isn't even safe to have a BACKUP file of say ifcfg.eth0 called something like ifcfg.eth0.000 or whatever for these reasons. In some directories you MIGHT get away with having a "hidden" ".backups" subdirectory that doesn't mess things up by getting globbed in with a pattern/file search, but forget about SCCS or whatever.

I really can't understand why UNIX distributions that live by version control are SO unfriendly to USING version control for their own config files, or, for that matter, programs themselves. Yes, RPM/APT/Yast/YUM is OK, but typically it still doesn't act as any kind of useful VC system for packages. If I have spare disc space, why not make it quickly possible to roll back an entire set of package updates according to a certain date or whatever if I haven't purged the history of old versions? It is odd that they invent all these new package version management systems and yet ignore many basic principles of the VC roots of it all.

It is also ridiculously hard to export any useful metadata about the sysadmin 'state' of a given UNIX box. If, say, you've installed the default "workstation" distribution of the OS, but you've added in the non-default packages emacs, gcc, wget, and you've made a custom hosts, hostname, domainname, smb.conf, resolv.conf set of files, would it be THAT hard to have an automated medatata database that tracked your preferred customizations and exported them (possibly VCed and otherwise tagged) so you could use those templates as a default to install another system or an updated major OS version of the same system in the future? Yes you can write scripts to look at what packages are installed and install a list of packages from a script, but typically that commingles hundreds of things that are just dependencies you don't directly care about with some of the core packages you do -- e.g. I ALWAYS want emacs, wget, and 40 other packages on whatever workstation I install, whatever the latest versions of those are.

UNIX can be very sysadmin unfriendly with how little facility it provides "by default" for such VC and use of metadata about sysadmin settings.

Re:Registry Danger!

[drsmithy]

I don't know if you're an accidental or intentional troll, but there you go.

Speaking the truth is not trolling, intentionally or otherwise.

The Windows "search" feature by default will not search all the files to find by content, in fact it ignores a considerable number of file types. Linux (or cygwin) will happily -- and very quickly -- find portions of a config quite easily.

This is what's called irrelevant.

The Windows registry is significantly more difficult to use, has significantly more entries, and you can prevent the machine from booting all too easily.

You can stop a Linux box from not booting quite easily as well. The difference, as I already said, is that on a Windows machine messing directly in the Registry is extremely uncommon. On UNIX machines, messing with text config files is business as usual.

It's vastly more common for an inexperienced user to render a Linux machine unbootable during normal behaviour, than a Windows one.

Re:Registry Danger!

[drsmithy]

What do you mean by a "narrow path"? Most things that a non-geek user is expected to do for themselves is doable though a GUI in most versions of Linux meant for that market - e.g. Ubuntu or Mandriva, not Arch or Gentoo.

That's exactly what I mean by narrow path. As soon as you're trying to do something even vaguely different to whatever the distro maintainer has envisaged (and the people maintaining Linux distros generally aren't particularly good at putting themselves into the shoes of the average Joe), then you're going to have to start messing inside textfiles. When I'm messing with Linux-distro-of-the-week, I find this typically happens at the point I want to configure multiple monitors, but that's far from the only example.

The same is true of Windows (and OS X), of course - but the difference is that the path is far, far wider.

Re:Registry Danger!

[drsmithy]

The registry is the configuration system of windows, so even if you are clicking bottoms, the settings will be saved in hives. My point is: even if you do not know it, if you use windows, you edit the registry with nearly every mouse click.

Congratulations. You have won today's "I'm a facetious twat" award.

Re:Registry Danger!

[mpe]

The registry also suffers from the common problem of all single-use binary formats: you can't examine or manage it with existing tools. For example, how would you go about comparing two copies of the registry for incremental changes (without first exporting both to plain text)?

There are tools to do this. But it isn't so easy if you are only interested in changes related to application X...

The mass of plain-text configuration files used on Unix systems may have some flaws--they could certainly be made more uniform--but at least you have a wide variety of general-purpose tools available to help manage the complexity.

Having lots of different files also means that it is considerably harder to break the whole OS by altering things.

With the registry you have ... RegEdit. That's fine for reading and writing specific keys, but not much else.

Must be one of the few "editors" which lacks a find/replace feature :)

Re:Registry Danger!

[sjames]

That sounds exactly like the typical Rube Goldberg programming style that causes most of MS's other problems. The two groups most likely to install an installer to be run by default are MS and virus writers. Draw your own conclusions!

Re:Registry Danger!

[Penguinisto]

"Are you seriously suggesting the mess of config files hidden spread across various random and ambiguously named directories is somehow less hard to hide Malware in?"

Google for AFICK (or similar utils). Install it (on *nix). Point it to monitor /etc and /usr/local/etc.

Now you can see exactly what changes were made to the vital config files on your system.

If you did something similar for a Windows Registry, your hard drive would quickly fill up with diffs before you could even see the first report.

Re:Registry Danger!

[BitZtream]

I can delete program files, my PC will still work.

Delete HKEY_LOCAL_MACHINE (which you can't just do in regedit, but it can be cleared out for the most part with a custom app or script) and tell me how your next boot goes.

I'd wait for you to try it, but since you don't realize how bad it can get, I'm not sure that you'd realize you can safe boot and use system restore to recover from it.

I agree, for most of slashdot, registry editing isn't an issue, but you are talking about throwing someone into an app that has the capability to do rm -rf /etc ; rm -rf /usr/local/etc (or where it might be in Linux). That most certainly has the potential to be dangerous for the uninitiated.

Re:Registry Danger!

[BitZtream]

So let me get this straight ...

Firefox uses the registry to locate globally installed plugins. IT reads these keys when it boots to look for plugins it should load ... and that is MS's fault?

Do you realize that MS only utilized the interface Firefox created to register plugins globally?

MS doesn't require that you 'hack the registry', Firefox does.

So, if you correct all the inaccuracies in your statement and make it correct, it turns into something like:

Firefox will NEVER be ready for the desktop until you can remove a plugin without hacking the registry.

Wow, that sounds retarded doesn't it, and that statement is actually pointing to the right person.

Riddle me this, what SHOULD be used to find plugins? How do apps that want to install plugins for Firefox find its install? What happens when you install a PDF reader before Firefox, do you want to have to reinstall the PDF reader so that NOW it can install the Firefox plugin?

People about 100 times more clueful than you, at Mozilla, decided to use the registry for good reason, do a little research before you start telling others they did it wrong, or at the bear minimum, stop blaming Joe the Janitor in Kansas for Tsunami wiping out some islands in the Pacific.

Re:Registry Danger!

I just modded you 'Troll', because you are lying. From the fstab manual page:

Each filesystem is described on a separate line; fields on each line are separated by tabs or spaces.

Posting anonymously to preserve my mod points

Re:Registry Danger!

[BikeHelmet]

Posting anonymously does not preserve mod points - unless you do it from a different IP.

Also, I'm not lying - there's a long thread on the Ubuntu Forums where people are trying to help me figure out why.

But like a typical linux elitist, you take the stance that the documentation must be infallible, and it's always the user's fault.

Re:Registry Danger!

[natxo+asenjo]

Well, I am no native speaker so I had to google what you meant about 'twat'.

I was quoting your remark about how "unusual" registry editing was in windows and you start calling me names. I guess that says it all about you and your 'arguments'.

I will repeat it (you just try to read it slowly so that your synaptic pathways do not get damaged in the meantime): if you use windows, you edit the registry all the time (even if you do not know that you do so).

Did you survive it? Good for you.

Have a nice day you too.

Re:Registry Danger!

[drsmithy]

I was quoting your remark about how "unusual" registry editing was in windows and you start calling me names. I guess that says it all about you and your 'arguments'.

No, you were being facetious. The discussion is (or was) about editing the Registry directly.

I will repeat it (you just try to read it slowly so that your synaptic pathways do not get damaged in the meantime): if you use windows, you edit the registry all the time (even if you do not know that you do so).

Great, but that's not what the discussion was about. Ergo, trying to equate it to what the discussion *was* about, is disingenuous.

Re:Registry Danger!

[goarilla]

several backups of the registry ?

exactly one iirc (that i know of)

in %systemroot%\repair

they are split in different files for the different hives tho

and it's exactly the backup after the mini setup, eg it contains a blank slate which isn't what you would want in most repair situations

if i'm wrong please tell me so since it would be very useful to know for further troubleshooting/fixing purposes

They said it

It was intended to provide a "uniform Windows experience"...

Amazing

[gmuslera]

This is from the same people that claimed that the Google Chrome Render plugin for IE6+ will make the browser less secure?

Re:Amazing

[mdm-adph]

Same company -- not the same people. I swear there's whole nations worth of people in companies the size of Microsoft that aren't even on the same page, ever.

Re:Amazing

[matzahboy]

The other funny thing is that the firefox plugin was installed without the user's permission. The user has to go to the chrome website and click the button that say "install".

Re:Amazing

[Tranzistors]

See, they know what they are talking about.

Re:Amazing

[Pollardito]

It'll be ok though, because Google is making a plugin for this plugin

Re:Amazing

[shutdown+-p+now]

If anything, this case further reinforces that claim. Any new functionality (including plugins) added to a browser increases its attack surface, unless it completely replaces part of the existing code. In this case, the increased surface was due to WPF being exposed. In case of Chrome plugin, it's Chrome rendering engine.

If Chrome completely replaced IE renderer, with no means to re-activate it, then it would be reasonable to argue that it does improve security. However, Chrome renderer is opt-in, which means that any attack site willing to exploit an IE vulnerability will happily work in IE with Chrome plugin installed, but at the same time any site willing to exploit a Chrome vulnerability - and it's not like there aren't, or will never be, any - can request IE with Chrome plugin to use Chrome for rendering.

Re:Amazing

[frank_adrian314159]

Page? Try planet...

Re:Amazing

[orngjce223]

So now you're telling me MS's marketing department is on Venus, and their programmers live on Mars. Ohh, I get it now.

Re:Amazing

Listen up, Balmer's bitch. If the Chrome plug-in increases my attack surface then so does Silverlight. Thanks for reminding the world not to install the crap you fucks shit out. You 'softies couldn't code youselves out of a wet paper bag. Piece of shit motherfucker.

CrippleWare

[cosm]

There are already a bajillion (non-technical term) of other platforms that can provide dynamic content without needing to get compiled languages like VisualWhatever.NET involved. AJAX is extremely powerful, one among plenty more great cross-code web design patterns, and is more secure than bringing the herpes in the intertubes that much closer to your kernal. Why in the heck would they wan't to put WPF (more like WTF) in Firefox, besides sabotage any feelings of safety one used to have. Integrating .NET that closely to the Internet is shady at best. It becomes no better a situation than getting an ActiveX driveby from unpatched IE (or IED if you will).

IMHO, I don't see the need to shove .NET down web users throats, making them vulnerable to more 'root'-owned style attacks by placing the internet one step closer to your local Just In Time (to pwn you) compilers.

Re:CrippleWare

[DAldredge]

How do I do threads in AJAX?

Re:CrippleWare

You seem to know so little about .net

Re:CrippleWare

This plugin doesn't do anything other then just report your currently installed .net version to the server, and make the clickonce installation more seamless. Nothing nefarious.

Re:CrippleWare

[cosm]

If your trying to instantiate multiple client-side threads, count me out. Talk about exploitability! If your using ASP you can run server side threads no problem, but otherwise a bunch of threads started within a web-page would be a terrible idea, sloppy programmers and bad websites would bring your browser to its knees, choking anything that acts asynchronously.

Re:CrippleWare

[cosm]

And another note, threads are powerful in their nature, and so is .NET, do you really want TCP/UDP & the Internet to be able to create threads on your processor. A dropped packed, a tampered connection; what is to stop things like unsafe code with pointers, and a few crossed threads from crashing your computer, instead of just crashing your browser from some javascript issues? Windows can go nuclear easy enough on its own.

Re:CrippleWare

[causality]

IMHO, I don't see the need to shove .NET down web users throats, making them vulnerable to more 'root'-owned style attacks by placing the internet one step closer to your local Just In Time (to pwn you) compilers.

Two reasons come to mind. 1) AJAX and other alternatives tend to be open standards, so vendorlock (a favorite MS tactic) doesn't apply or doesn't easily apply. There is one thing Microsoft really does not like to do, and that's competing on merit in a level playing field that has low barriers to entry for competitors. If it were otherwise, then they would use completely open, unencumbered standards wherever possible (i.e., for every protocol and every file format they create) but this, obviously, is not the case. 2) It's not like Microsoft is ever going to have any legal liability for placing their .NET marketshare ahead of user security. If a customer's machine gets compromised that would not have been compromised without MS's unilateral decision to install the .NET component, that customer has no recourse whatsoever. They can make you as vulnerable as they like in order to advance their marketing goals and they can do it with impunity.

So, Microsoft has something to gain, namely further adoption of .NET and the control that comes with that, and they have nothing to lose. From a business perspective they have no reason not to do this. The only thing that would stop them would be for the average user to both understand these things and demand something different.

Re:CrippleWare

[SplashMyBandit]

Use the Google Web Toolkit, it will give you an asynchronous programming model where threads aren't really needed client-side (although they are certainly possible server-side, of course).

ps. Is your Slashdot ID really that low? and you're asking this question? lol

Re:CrippleWare

Who was it that came up with XMLHttpRequest object?

Re:CrippleWare

[base3]

Yes, that was Microsoft, for OWA. And if they had had any idea how useful it would be to everyone else, they would have encumbered it legally or crippled it technically or both.

FUD

[sexconker]

"What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7."

Disable and uninstall were there and working on day fucking 1 for my XP machines.

Re:FUD

[SydShamino]

Disable and uninstall were there and working on day fucking 1 for my XP machines.

Anecdote.

Both are grayed out TODAY on my fully-patched XP work machine. Anecdote #2.

We cancel out.

Re:FUD

[recoiledsnake]

My anecdote... even better, actually a screenshot from Vista. http://imgur.com/WyehG.png

So the score is no longer zero.

Re:FUD

My anecdote... even better, actually a screenshot from Vista. http://imgur.com/WyehG.png

So the score is no longer zero.

I went to that link, clicked on the buttons, and nothing happened.

So, the uninstall IS broken.

Probably deliberately, too, knowing Microsoft.

Deja-vu

[Dishwasha]

Is it just me, or were we just talking about this

Re:Deja-vu

[Culture20]

Is it just me, or were we just talking about this

It is just you. The story you linked to was about the "fix" that allows removal of the sneaky add-on. This story is about the fact that the sneaky add-on just had a verified security flaw.

Microsoft is DEAD

according to Paul Graham, Microslop inherited its monopoly from I.B.M.

Yours In Yaznogorsk,
Kilgore T.

Sony's rootkit trick lighty modified?

[Kbac]

This kinda reminds my of Sony's rootkits from music CDs a little. If I remember correctly installing programs without user permission/knowledge is bad, doing so and making it as imposable to remove or disable as possible is really bad. And the fact that Windows 7 is the only OS that has the option to disable it seems like MS is once again trying to force users to upgrade. "We know 7 is safer than XP because we booby trapped XP!".

WPF not Assistant

[NoYob]

The Adblock guy is talking about the Assistant. Unless I'm misunderstanding the issue, the problem is with the WPF plugin. Windows Presentation Foundation - that's the vector.

Not this shit again.

[jim_v2000]

There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.

Re:Not this shit again.

[asa]

There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.

No. Wrong. Installing plug-ins or extensions without asking is bad. Period. Full stop. End of story.

Re:Not this shit again.

[aztracker1]

I personally get really sick of having to double-take when installing FOSS builds that include ASK/Google/(insert others) toolbar for my browser(s).. used to be it was only in IE.. now they target FF as well... Maybe Chrome is better off without plugins/extensions/toolbars... I'd be happy if Chrome used the OS's theme and window wrap... Adding in F12 developer tools like firebug and an adblock plus like feature would be enough for me.

Re:Not this shit again.

But only bad enough to warrant SIX FUCKING STORIES ABOUT THE SAME THING on Slashdot when Microsoft is involved vs. no stories for the other vendors that do it of course?

Re:Not this shit again.

[Culture20]

There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.

No. This was an auto-install of a new plugin during an auto-update for .NET framework. It's like a car shop installing a GPS device in your car unasked when you go in for a routine oil-change. Maybe you want to use it, maybe you don't. Maybe they shouldn't have drilled holes in your dashboard and riveted it in place. Oh, and it seems to make your car a target for smash 'n grab thieves...

Re:Not this shit again.

[Keeper]

Of course. Slashdot: the Fox News of IT.

Me too.

[NoYob]

Mine disables fine. XP, FF 3.5.3

The only thing in the mind of the predator...

[MindPrison]

...is the enemy!

Shouldn't the title read

[jayme0227]

"Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.

Re:Shouldn't the title read

[causality]

"Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.

In a way it is sneaky. If I used Firefox in Windows and wanted this plugin, I would install it myself. Anyone using Firefox in Windows is already demonstrating that they are aware that they have choices as to what browser software to use, and I strongly doubt that the average Firefox user has never heard of addons.mozilla.com or otherwise doesn't know how to locate and install desired add-ons/plugins on their own.

The case can be made for automagically installing things for the "blue E is the Internet!" crowd as they are rather averse to any involvement in this sort of decision-making, viewing it as an unwanted burden. Yet even then, it's non-ideal. The honest, non-sneaky way to handle this would be to separate it from the core .NET package. Then either remove it from Windows Update completely and offer it as a voluntary download, or, make it a separate line-item update that can be declined.

Just assuming that you must want this non-essential thing and making that assumption without considering security implications, all in the name of increasing marketshare, is what's sneaky or exploitative. People who use automatic Windows Updates do so because they rely on it to keep their systems patched and secure. When they are not technically inclined, they are something of a captive audience in this scenario.

You know, when the big virulent worms like Sasser and Code Red came out, they attacked vulnerabilities for which patches had already been issued. I used to wonder why so many people didn't keep their machines more up-to-date when an automatic mechanism is provided that will do it for them. Every time I see something like this, I begin to understand why. It's in everyone's interest to lessen the number of vulnerable machines on the network. Another reason to distrust a mechanism that could have prevented many of these infections does not further that interest. If Microsoft were really serious about security, they would minimize this effect by separating Windows Update into two categories: "Bugfixes & Security Patches", and an optional "New Features".

Re:Shouldn't the title read

[BikeHelmet]

Technically the plugin is installed in a sneaky unapproved manner, and opens up vulnerabilities. The title fits.

Re:Shouldn't the title read

[jayme0227]

I 100% agree with everything you've said. When Microsoft installed the plug-in, it was sneaky and underhanded. But that's already been covered.

The installation of the plugin simply was no longer news. The news was that Microsoft fixed the problem that they created, which really isn't something all that new, either, when it comes to Microsoft. This article serves solely as a soapbox to preach the evils of Microsoft and their sneaky ways. If you examine the language used in the article, you can clearly see that the author was not trying to present news, but rather to try to bash Microsoft. I really don't want that on my Slashdot front page.

On a side note, the fact that this is accepted as news point to the sad state of the media today. Opinion is frequently passed as fact and nobody blinks. Biased writing creeps through the front page of the newspaper and nobody recognizes it. In Soviet Russia, the news reads you, but in Capitalist America, the media only writes what you'll pay to hear.

Nevermind - I am confused

[NoYob]

'nuff said.

I haven't read the fta

[drodal]

nor have I even read any comments here
but the next time I hem and haw  about Mac vs Windows.

I'll choose Mac, cuz at least they aren't try to sabotage me and my applications....(probably)

The next time one of those idiots on TV say "Im a PC" I'll say back "and your infected! get away from me......"

Re:I haven't read the fta

Why should Apple care? They got 20 times more money from you than MS has and they haven't really given you anything but a logo.

Glad to see you're a dumb sucker.

Re:I haven't read the fta

your infected what?

Congrats....M$, nice on, you sick bastards

[hesaigo999ca]

Nice job, of trying to push the blame on a third party software that is kicking your own apps ass when it comes to web browsing!
So what to do, say could we not develop a nice little add on , that allows remote execution once infected and destroys that apps security...and also make it impossible through windows (M$) to uninstall.

Wow, nice one...
-clap/clap/clap

Re:I don't get it - why use Windows?

[drodal]

The only time I wouldn't use Linux is for video editing.
It's still a little weak there. But I use multiple OS's anyway....

WinVista sp2

Unless I fail at reading (Very possible), this post is wrong. Like others on the boards, i just went into plugins and disabled it.

I am currently fully patched on vista sp2.

Except for one thing...

[argent]

There is not enough schadenfreude in the world to satisfy the demand when it comes to Microsoft pulling something like "a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update."

Come on, you tell me, what on earth justifies that?

Here we go again.

[Deathlizard]

How many times must we hear about this plugin? This is at least the third time I've seen an article on it.

If you got 1.0 of the plugin and want to get rid of it, get the update here or Here, install it, and then uninstall it.

I'm saving this in my journal. That way, when they post the next .NET plugin story next month, I can just post the journal link. Maybe I can keep the story count there too.

What? Shouldn't firefox fix this one?

[Real1tyCzech]

So firefox allows a rogue addon to install without any user intervention and the story is all about how evil MSFT is?

Sure, they did it. Bad Microsoft.

But isn't the bigger issue that now that this is known....*anyone* can pull this on firefox users?

No. I am not apologizing for Microsoft. This was "Sony Stupid" of them. We're used to that here, though. What we're not used to (and apparently sweeping under the rug) is the massive, unholy hell of a mess mozilla's extension system for firefox is....

sounds like the Mozilla Foundation

[alizard]

should secure Firefox to make it impossible for M$ to install anything in their browser.

Re:sounds like the Mozilla Foundation

[ducomputergeek]

Maybe Mozilla needs a mod-store. You know, charge $99 to developers and take 30% of the fees, in exchange for verifying that plug-ins won't do harm to the system. Could be a revenue stream for both the plug-in authors as well as the mozilla foundation considering they're partnership with google looks shaky in light of chrome. If you try to install an unsigned plug-in, it gives you about 15 dialog warning boxes you have to click thru in order to do it.

You know kinda like apple, oh, but wait, that would be "evil" right?

Re:What? Shouldn't firefox fix this one?

That was my reaction as well. How can ANY firefox plugin be given the authority to not allow itself to be turned off? Sure, it's Microsoft being an asshole, but that also seems like broken behavior on Firefox's part.

Re:What? Shouldn't firefox fix this one?

[asa]

So firefox allows a rogue addon to install without any user intervention and the story is all about how evil MSFT is?

Sure, they did it. Bad Microsoft.

But isn't the bigger issue that now that this is known....*anyone* can pull this on firefox users?

No. I am not apologizing for Microsoft. This was "Sony Stupid" of them. We're used to that here, though. What we're not used to (and apparently sweeping under the rug) is the massive, unholy hell of a mess mozilla's extension system for firefox is....

Anyone that can run executable code on your system can do anything to your system. The "good guys" aren't supposed to do things to your system without asking you first. The "bad guys" can simply replace Firefox entirely with a version that has what ever features they want. If you let someone run code on your system, you lose. Firefox cannot stop that code from doing what ever it wants. The point is that you're supposed to only install software from vendors you trust. You should be able to trust Microsoft and that your trust was abused and abused in a way that caused you to be vulnerable to remote exploits is the story here.

Typical /.

Apparently editors staff at /. must have perceived the MS hate war not getting enough attention.
rofl
lawl

Not just Firefox

[shutdown+-p+now]

Note that this isn't just about Firefox. There's a WPF plugin for IE as well. Furthermore, this is about any browser that can handle "Netscape style" plugins, which is what WPF/XBAP plugin is. In particular, this includes Opera and Chrome, too; not sure about Safari, but it's probably covered as well.

Re:What? Shouldn't firefox fix this one?

[asa]

That was my reaction as well. How can ANY firefox plugin be given the authority to not allow itself to be turned off? Sure, it's Microsoft being an asshole, but that also seems like broken behavior on Firefox's part.

Easy, install the plug-in or add-on to a system directory the current user doesn't have permission to change. This wasn't installed through Firefox's add-ons manager. This was installed by a third party executable that dumped the file into a location that the current user couldn't modify.

Re:except anything but Windoze

[Hymer]

You may find free and secure alternatives to Windows at http://ubuntu.com/ or http://opensuse.org/

Apples to Oranges

But it's only insecure if it isn't done by Microsoft.

Firefox extension? What about a plugin installed

[Ilgaz]

They somehow managed to convince Telestream to slipstream Silverlight to "Windows Media Components for Quicktime" taking all the responsibility for future disasters. If anyone from that once serious pro media company reading this: Expect a security disaster in upcoming future which YOUR name will be mentioned.

If you install "Windows Media Components for Quicktime" today with default choices (like 99.9%) you will have a nice, shiny Silverlight in your Internet Plugins folder which means _every browser on OS X_ will load by default, to thread 0. (except SL Safari in 64bit mode).

We all thought they bought global license of that $10 shareware to undo the real scandal of Wmedia not being maintained but as usual, some IDIOT there had his own lame little "World domination plan" at MSFT.

Of course, wmedia player is not maintained and yet kept on download site, to bait unsuspecting windows switchers which will definitely result in complete browser instability disaster if installed to ANY modern OS X, both PPC and Intel. Somehow I suspect Silverlight for OS X or Silverlight related stuff on Firefox will be the last to be fixed. You know, you don't use their OS/app, you gotta be punished accordingly.

unless you are a Windoze user

[alizard]

the problem of OS vendors installing malware in Firefox isn't that big a deal at this point.

Why does Firefox allow this?

[bhagwad]

I don't understand why the Firefox browser allows an external party to do stuff like this. IMHO, no third party should be allowed to add something that cannot be disabled.

Re:Why does Firefox allow this?

[selven]

Because Microsoft controls the underlying environment and can make Firefox do whatever they want.

Re:Why does Firefox allow this?

[Dan541]

Because the user allows Microsoft to do so.

Re:Why does Firefox allow this?

[asa]

If you let someone run code on your machine, that code can do anything to any installed application. If the application tries to protect itself, then bad guys will simply replace the application with their own code that doesn't try to protect itself. There is nothing anyone can do to protect you if you let a bad actor run code on your machine. This was the case of a presumably reputable software vendor performing disreputably. That's not something to optimize for.

Dotnet Botnet

[AK+Dave]

Oh, the irony!

Win7 doesn't offer uninstall option

[fast+turtle]

I'm currently running the Win7RC and let me tell you, the only option it offers is the ability to disable it. Just like there's no way to remove the Office Plug-in.

Re:except anything but Windoze

[Evil+Shabazz]

Yeah, but where can I find free and secure alternatives to Windows that run the applications I want to run? Specifically, I'm currently only using my home computer for - Internet, Email, and Gaming. The first two, okay. But where can I find this free, secure OS that will run both Aion and NBA 2K10 for me? I'm not asking to be completely sarcastic - I actually would consider moving away from Windows if I could find an alternative for gamers... It's getting here, slowly. Didn't Valve recently say they'd make their games for Linux?

Re:Your official guide to the Jigaboo presidency

[PopeRatzo]

Don't call Mr Limbaugh a motherfucker.

Uncle Bill likes wooden shoes.

Just another example of Microsoft intentionally sabotaging their own software to interfere with the operation of a non-Microsoft application. They got sued for that once, and it cost them something like a billion dollars.

Re:What? Shouldn't firefox fix this one?

So that fact that firefox allows addons to be installed without user intervention isn't Mozilla's problem?

It noticed the plugin was installed (addOn window was launched informing the user of a neww addon)...

Should it not instead of simply accepting whatever is installed as legit, perhaps try to verify it first?

Get a Mac

[pubwvj]

Why am I not surprised? This is classic Microsocks strategy. They act like mal-ware. No wonder there is so much on their systems. Get a Mac.

Re:What? Shouldn't firefox fix this one?

[Arthur+Grumbine]

No. I am not apologizing for Microsoft. This was "Sony Stupid" of them. We're used to that here, though. What we're not used to (and apparently sweeping under the rug) is the massive, unholy hell of a mess mozilla's extension system for firefox is....

Not "Sony Stupid". That implies a lack of intelligence/insight. Whereas with Sony, it's done intentionally and with ingenuity. The word for a lack of good intentions is "Evil". The question remains whether or not this MS screwup was intentional. I'm voting for stupid/negligent. Also, you're totally right about the mess that is Firefox's extension/addon system. Mozilla should be the ones taking responsibility for building a system that gives the addon developers such latitude.

Re:Your official guide to the Jigaboo presidency

Yeah, we all know he's secretly gay.

Re:What? Shouldn't firefox fix this one?

[asa]

So that fact that firefox allows addons to be installed without user intervention isn't Mozilla's problem?

It noticed the plugin was installed (addOn window was launched informing the user of a neww addon)...

Should it not instead of simply accepting whatever is installed as legit, perhaps try to verify it first?

Yes, that's fine for "good actors" but a bad actor that is installing software on your machine could simply replace Firefox with a version that doesn't verify or worse. Once you've let a bad actor onto your system, you're screwed. And, to date it's been assumed (wrongly) that good actors wouldn't screw over users like that. The upcoming version of Firefox will do more to protect users against reputable vendors like Microsoft.

Isn't this like corporate espionage?

[Orion+Blastar]

Placing an "add-in" in a competitor's product to render it more vulnerable to attacks and crashes seems like more the DOJ needs to investigate into Microsoft. Because it is hard to remove or disable, it could also be considered malware of some type. There might even be a class action lawsuit against Microsoft for Firefox users. If so sign me up, as that add-in caused my Firefox to crash more often and caused me to lose productivity and gave me emotional and psychological damage. I suffer from schizo affective disorder and the add-in caused crashes and lockups that activated my disorder and made it worse. That makes me more sensitive than normal people.

It took a registry hack and deletion of hidden files to get rid of it, but my Windows XP crashes every three days now since I removed it. Automatic updates of Dotnet frameworks add it back in for some reason.

Dangerous Chore

[gencha]

"a potentially dangerous chore, since a misstep could cripple the PC"

Wow, what a statement. There are endless ways to cripple your PC if you have no clue what you're doing. Hell, if you put the --delete in a 'find' call at the wrong place, that could cripple your PC as well.
You know what else is extremely dangerous and will most definitely cripple your PC? Ignorance about the system you are using. Computers are complicated machines. You can't hope to use one without having to learn how your system works.

It's like when your car breaks down for the first time and someone explains to you that you need to check the oil every once in a while. At some point you gotta look under the hood, otherwise you will break it.

So please spare me these observations about the outrageous hazards that come with your Windows operating system.

Re:except anything but Windoze

[zach_the_lizard]

You can try WINE. Assuming Aion is Aion: The Tower of Eternity, people have gotten the game to play on Linux, FreeBSD, and Mac OS X with WINE, though there may be caveats. No one has tested NBA 2k10 on the AppDB. NBA 2k08 seems to work, however.

Firefox's fault as well

[Snaller]

They shouldn't allow the disable options to be disabled.

Like this was accidental on MS's behalf

Hmm...Microsoft silently installs the Windows Presentation Foundation plugin into Firefox. Microsoft then makes sure that all users, unless you run Windows 7 which has just been released, can't disable or remove it. Sounds like a sneaky way for Microsoft to get consumers to think that Firefox is no more secure than IE once the WPF plugin has allowed malicious software to be silently installed on consumer computers. Think about it. Why on God's green Earth would MS deliberately make the plugin uninstallable and non-disableable, let alone even allowing it to be installed without the consumer's permission in the first place? Only one reason comes to mind -- to discredit Firefox as being an inherently safer web browser compared to IE.

This reminds me of Microsoft's sneaky tactic where upgrading from IE6 to IE7 deliberately deleted a couple of DLLs which many older Win9X programs need to properly display dialog boxes and buttons. Microsoft then claimed that those two "missing" DLLs were Vista-only DLLs and that they were never a part of any Microsoft OS prior to Vista. Those two DLLs have been part of the Windows OS since Windows 98, yet Microsoft vehemently denied this fact. Instead Microsoft told consumers that they should upgrade from XP to Vista for better program compatibility. MS will try anything when sales are flat. Why not? They have gotten away with far worse in the past. Remember when MS stole the Stacker compression code, byte-for-byte, and used it in their Doublespace compression program? All they got was a court order to get rid of the Doublespace code and replace it with their own compression algorithms which MS then called Drivespace. Yet Stac Electronics was put out of business literally overnight, which of course was Microsoft's goal. There was truth to the old rumored Microsoft saying that "DOS isn't done until Lotus won't run."

Firefox is now blocking the extension

[tomk]

Does anyone know how to re-enable it?

Unlike some here, I actually find the extension valuable and wish to have it active. I am quite annoyed that Firefox decided to block it without giving me any choice in the matter.

BTW I understand that my own frustration at having this blocked without consent is similar to the frustration of those who wish not to have the extension but had it given to them without consent. That does not excuse either party. As a user I am now bearing the brunt of this petty squabble between MS and FF.

Re:Firefox is now blocking the extension

[midnaz]

I am quite annoyed that Firefox decided to block it without giving me any choice in the matter.

Mozilla decided not to let you have an addon that has an exploitable security hole. I don't find that annoying.

Re:Firefox is now blocking the extension

[BZ]

It's not exactly a squabble. MS green-lighted the addon being blocked. See http://shaver.off.net/diary/2009/10/16/net-framework-assistant-blocked-to-disarm-security-vulnerability/

ALGOL 60 vs. 68

[Colin+Douglas+Howell]

I have no clue why he chose ALGOL, except possibly for historical coolness, but he probably selected ALGOL 60 rather than ALGOL 68 because the latter was far more complex and was widely criticized for this, even by some of its own designers.

Firefox is blocking it now

[kriston]

Is this why all my computers are suddenly telling me that these plugins are unstable and should be disabled? I was wondering why all of a sudden all my computers starting complaining about these add-ons.

SOP

[eav]

Well duh.

the final solution...

We really need a nice and MASSIVE exploitation of the SSL implementation hole that will install some ridiculous worm on every single windows machine connected to the internet.

I wouldn't mind formatting my pc if it was enough to convince the idiots to stop automatically installing things on my system.

Re:except anything but Windoze

[NoobixCube]

I've given up hope on the whole Valve making games for Linux thing. It's been talked about for years and nothing has ever come of it. If they were to do it, I'm sure their Linux efforts probably wouldn't extend further than a customised WINE based wrapper for their games. It's not like they're going to properly port six years of flagship products *cough* just the source engine *cough* for a minority OS.

Re:except anything but Windoze

[the_womble]

You could dual boot and use Windows just for games. I have come across a few Linux users who do that - after all, when you are playing a game you are unlikely to be doing anything else.

Mozilla is on top of it, though

[macraig]

This screen capture of a dialog I saw tonight demonstrates that Mozilla is paying attention and doing something about it, though:

they have been doing the same crap for years

[SmallFurryCreature]

"they have been doing the same crap for years"

Well? Don't you get it? THIS IS THEIR STRATEGY. And it works. They made billions with it, so why should they change?

The russian strategy in WW2 was "Send in 1 million troops, then send in 1 million more from reserves." Sure, you could complain that their casualties were extremely high, but it worked as a strategy. You COULD have suggested they reform their tactics but why? It worked.

You have no respect for them as businessmen.That is wrong, Ballmer might suck as a human being and a developer but as a businessman he is pretty shrewd.

Oh, MS MIGHT be able to make more money with quality software but that costs a LOT of money and Vista happened because MS tried to make quality (with Longhorn) and failed and had to pump out something or be sued over its software assurance license (that you pay for X years and get every new version, Vista got in just under the wire or MS would have had no new version).

Russia MIGHT have gone for better trained troops and more advanced tactics but that would have been extremely risky and not making full use of what they did best, churn out an insane amount of troops and material.

If you want to blame somebody, blame the ones who BUY MS products. Who have settled for software were random reboots are the order of the day. Where you have to pay a premium for what is essentially a minor upgrade. There are many excuses to continue to use Windows, but they are nothing else then saying "I know I am using crap, but I am to lazy to do anything about it."

Don't blame the person shitting in your mouth, blame yourself for paying them for sucking on their arsehole.

Re:they have been doing the same crap for years

> If you want to blame somebody, blame the ones who BUY MS products. Who have settled for software were random reboots are the order of the day.

Oh please. I've been running XP on my laptop for over 3 years now (no reinstalls) and I can't remember the last time it crashed (well I can, but that was a hardware problem. I can't remember the crash before that one). I'm running as administrator and don't have a virus scanner. If you block incomming connections and don't run random crap, windows can actually be pretty awesome. Also I've never found any kind of malware on my system in those 3 years except for 'tracking cookies'.

Re:they have been doing the same crap for years

Yes you never found it but we have your credit cards, your social security number, your bank logon, passwords to all your email sites, social sites, as well as your last 3 years of tax returns.
Thank you for playing. Please continue with I have no anti-virus and I am uber enough to know when I have been rooted just by not having a crash.

That still makes a derivative work

In the US and most other IP-centric countries, that still makes a derivative work.

Or at least enough so that you can take it to court.

Given what SCO wanted to put World + Dog in court for, this is a pretty sane case, too.

Don't like it? It's because software shouldn't be copyrighted under the same conditions as books. They are NOT compatible.

Software demands that you combine elements together that rely on each other. Libraries. What is the equivalent of a library (even a dynamically linked one) in books, music, or video?

defaults command (not plutil)

[Ilgaz]

If you double click a reg file, it enters registry directly. Other way, viewing it is secondary option.

In Apple land, plutil is used this way, consider it as alternative to .reg files wondering around:

http://en.wikipedia.org/wiki/Defaults_(software)

For example,
  defaults read com.apple.dock

Re:defaults command (not plutil)

[hairyfeet]

The problem with Apple is it is like Ferrari-sure it is fast and sleek and exotic, but it is also expensive as hell. I'm glad you got Ferrari money but if you're not looking for a laptop(which even then is still high from Apple) you are gonna get shitty hardware or "take out a mortgage" prices. Just to get a PC with fricking slots on it is...what? $2000+? I built my AMD dual with 8Gb of RAM, dual DVD burners, an ATI 4650 PCIe, and XP x64 for $550 before rebates, closer to $450 after.

So while I am glad that you got Ferrari money, there are a WHOLE lot of folks out there who don't. That is why right now my biggest seller is off lease XP office machines for $200. At that price folks get a desktop that does everything they want to do and doesn't require them to refinance their homes to get it. One of these days I may pick up a netbook just to make a "hackentosh" out of it, but I'm betting that's the closest I'll ever get to Apple. I got a GF and kids and bills that have to come before exotic computer gear.

Re:defaults command (not plutil)

[Ilgaz]

This is not some Toyota vs. Ferrari thing. With 90.000 workers, MS can't figure a easy, fail safe method of command line registry modification and they teach that horrible UI to users/engineers instead. That defaults command roots back to 1991, NeXT, no kidding. I bet it must have some root in UNIX or even Mainframe.

Can you really dare to double click a .reg or .inf file without looking to its contents under Windows? I even remember removing the file association manually so I won't accidentally double click and try to trace what the heck happened to my Windows.

Re:defaults command (not plutil)

[hairyfeet]

All you have to do is put it in a .reg file first, which with notepad is easy peasy to cook up. then from CLI here is the command - regedit /s yourfile.reg. See? Not real hard, alothough why you would want to go to the trouble of editing from CLI when you have a nice little GUI is beyond me.

if you want a far more full featured regedit utility let your old pay da feet point you to Tuneup Utilities 2007 which you can use that free serial provided by the Tuneup guys, who give away their old versions hoping you'll by the new (which I did, and its quite nice) but the 07 version has a full set of nice utilities, including a MUCH better registry editor, along with a nice safe reg cleaner, temp cleaner, hell you can even change the XP boot screens if that makes you happy. Their reg editor does wildcards, allows you to only search specific areas or only for certain key types if you like, just an all around nicer experience than regedit. Try it, I'll bet you like it. Oh and you can just drag the program folder to a flashdrive and it makes a nice portable app too.

Re:except anything but Windoze

[bh_doc]

I know you didn't start this, but I have to say:

2k10... 2k08...

What the hell? Are these supposed to be short for 2010 and 2008? What's the freaking point of writing them like that?

No You Won't

[Toad-san]

My registry looks nothing like what you describe (despite Firefox 3.5.3 and several extensions (none of which came from Microsoft, of course: one doesn't pick one's worst enemy to provide "improvements" to a browser).

There's a "Mozilla Plugins" key that lists the various plugins I use ... but nothing like what you say.

Disabling it also kills Google Wave...

[pdboddy]

It appears that disabling this sneaky MS addon also prevents Google Wave from loading. It was working fine until the warning popped up, and of course I trusted Firefox. Now I can only get the outlines of the waves, but no text or other content.

Now using Google Chrome... :P

Re:Disabling it also kills Google Wave...

[emurphy42]

Works fine for me, even after uninstalling the addon.

Risk levels?

Turning on your PC is more risky than a normal person editing the windows registry. I've never harmed my PC by editing the registry. Anyone who can follow detailed instructions won't harm their PC either.

Get over it. Having a registry with init settings isn't ideal, but it is better than many other alternatives tried elsewhere.

Re:What? Shouldn't firefox fix this one?

[Quantumstate]

This is false as long as you are running Vista or above or Mac/Linux or even an older version of Windows as non admin. You need admin permissions to modify installed software so you would need to give the bad guys root permissions.

Re:What? Shouldn't firefox fix this one?

It just drives home the fact that MS believe they own your system, and they can do
whatever they want with it, whenever they want. This is enabled more intimately via the
automatic updates process where you're more or less permanently tethered to MS for
updates, fixes and other 'good stuff'.

You're just licensing it from them for a period of time ... not actually owning it.

Why can't use disable or uninstall buttons?

[randomProof]

What I don't get is why Mozilla allows extensions to disable the "disable" and "uninstall" buttons at all. The program makes to wait 5 seconds when you add extensions through the program, but doesn't warn you that a 3rd party installed an extension. Also, that registry key for extensions probably should even exist.

Re:Why can't use disable or uninstall buttons?

[BitZtream]

The disable and uninstall buttons are for plugins installed in YOUR profile, specific to you.

MS installs the plugin globally, for all users on the system, which means that a standard user account is not likely to have the permissions required to uninstall it.

Why shouldn't the key exist? You realize that you can install plugins in your profile without the dialog using a command line right? You realize that with a quick permission change (as an admin) I can prevent you from disabling plugins or extensions in your profile?

The registry key method is there for several reasons. Plugins can install themselves BEFORE firefox is installed, so when you install a PDF reader before Firefox, you don't have to reinstall it AFTER firefox in order for firefox to be aware of it. System administrators can install plugins that are required to all users on a system by adding one registry key, rather than hacking something together via a login script or some other hack.

Go ahead, remove the registry key, then apps will have to run a command line at login to add plugins to a specific user profile instead of globally, but it'll get added none the less. When you run code from someone else on your PC as an administrator, you run the risk of this sort of thing happening, with or without Firefox checking this particular registry key. Its in HKEY_LOCAL_MACHINE, which on any properly configured machine, you can't write to. If you're running code as an admin, you're already fucked, with or without Firefox being involved in any way.

Re:except anything but Windoze

[Ascagnel]

They're made by 2K games, and EA Sports took the "2008" and "2010" style of naming.

Perrfect timing?

As I opened this article on Slashdot, Firefox announced it wanted to disable this service, and would I please allow it to restart so it could do so permanently. It's nice to have a proactive fix, with the ability to opt-out if you choose!

I don't have any problems with the DOT net...

[Lost+Penguin]

Fedora :)

Re:I don't have any problems with the DOT net...

[BitZtream]

Awesome, now other than stroking your own ePenis because you think running Fedora makes you cool, what actually do you use that machine for that can be considered useful to someone on the planet? What exactly is the impressive part of running Fedora that made think you should tell us all that you do. This is slashdot, 90% of the people here run Linux, its not impressive to anyone on this site. Its great that you can browse porn on your cute little Fedora machine, but no one gives a shit what OS you run.

Hard Task

Let's see here how do I uninstall a PoS add-on that won't uninstall from Firefox. Oh yeah uninstall Firefox and reboot then reinstall Firefox. Amazingly simple, imagine that.

Wha?

The evil MS writes a patch for leetist software? Fucking hilarious.

Re:except anything but Windoze

The 2k-dated sports games are developed by 2k Games, which is part of Take-Two, and EA was using the 200*-style dates for their sports titles until just a few years ago when they started just naming them as the last 2 digits.

Also, its 2k8, not 2k08.

Re:except anything but Windoze

[YourExperiment]

EA have copyrighted 2010? I must getting cynical, that almost wouldn't surprise me.

Re:except anything but Windoze

2k games.

Re:except anything but Windoze

I don't mind this so much as it reads: Two thousand ten Two thousand eight Much better IMHO than saying: Twenty-ten or Twenty-oh-eight.

Re:except anything but Windoze

They're developed by a company called 2k Sports.

Another perspective ....

[deek]

It's funny, but I would have said exactly the same thing about Windows. It's all hunky dory IF you have the right hardware, right OS version, and an actual driver CD. I've had some seriously difficult times trying to download Windows drivers for some hardware. I'm not even talking about obscure stuff ... even some Sound Blaster cards have been enormously difficult to get working in Windows. Once a manufacturer wants to forget about some old hardware, there goes an easy driver download.

Linux, on the other hand, worked flawlessly with the same hardware. In fact, a few times, I had to boot a Linux Live CD just to test that the hardware was actually working properly. Another time, I had to boot into Linux to download a windows ethernet driver, save it to USB drive, and then boot into Windows to do the install. Linux just "worked" with the ethernet card. Windows would not. Don't even get me started on 64bit Windows. That is more picky about hardware than Linux ever was.