Slashdot Mirror
Sneaky Microsoft Add-On Put Firefox Users At Risk
CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."
That's not true, I have Win XP SP2, Firefox 3.5.3; and I just disabled this plugin. It CAN be disabled.
Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.
It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?
I am the lawn!
Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.
Also, the ability to remove this plug-in was covered on Slashdot a few months ago when Microsoft released version 1.1. It was included in an earlier service release to the .NET Framework for Windows XP and Windows Vista. This plug-in doesn't even exist in Windows XP by default. You must have installed .NET Framework 3.0 or higher to get it. Windows Vista includes .NET Framework 3.0, but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand. Windows 7 allows you to do it because the earlier service release is part of the operating system.
Microsoft bashing is fun, but let's stick to facts.
Is it just me, or were we just talking about this
...depends - the Windows 7 beta and RC had that nasty little habit as well. The RTM is (so far) not doing it.
In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).
To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft... just look at how they're blaming ORacle and Sun for the Sidekick data loss (in spite of the fact that it was lost because their management apparently forgot how to spell "backup").
Quo usque tandem abutere, Nimbus, patientia nostra?
And it is actually quite simple to remove with regedit. For those that want to toss it just launch regedit and go to HKEY LOCAL MACHINE > Software> Mozilla > Firefox > Extensions. There you will find both it and the Java extension, just delete and voila! No more Dotnet or Java plugins.
ACs don't waste your time replying, your posts are never seen by me.
The Adblock guy is talking about the Assistant. Unless I'm misunderstanding the issue, the problem is with the WPF plugin. Windows Presentation Foundation - that's the vector.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
If anything, this case further reinforces that claim. Any new functionality (including plugins) added to a browser increases its attack surface, unless it completely replaces part of the existing code. In this case, the increased surface was due to WPF being exposed. In case of Chrome plugin, it's Chrome rendering engine.
If Chrome completely replaced IE renderer, with no means to re-activate it, then it would be reasonable to argue that it does improve security. However, Chrome renderer is opt-in, which means that any attack site willing to exploit an IE vulnerability will happily work in IE with Chrome plugin installed, but at the same time any site willing to exploit a Chrome vulnerability - and it's not like there aren't, or will never be, any - can request IE with Chrome plugin to use Chrome for rendering.
That was my reaction as well. How can ANY firefox plugin be given the authority to not allow itself to be turned off? Sure, it's Microsoft being an asshole, but that also seems like broken behavior on Firefox's part.
Easy, install the plug-in or add-on to a system directory the current user doesn't have permission to change. This wasn't installed through Firefox's add-ons manager. This was installed by a third party executable that dumped the file into a location that the current user couldn't modify.
You may find free and secure alternatives to Windows at http://ubuntu.com/ or http://opensuse.org/
"Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.
In a way it is sneaky. If I used Firefox in Windows and wanted this plugin, I would install it myself. Anyone using Firefox in Windows is already demonstrating that they are aware that they have choices as to what browser software to use, and I strongly doubt that the average Firefox user has never heard of addons.mozilla.com or otherwise doesn't know how to locate and install desired add-ons/plugins on their own.
.NET package. Then either remove it from Windows Update completely and offer it as a voluntary download, or, make it a separate line-item update that can be declined.
The case can be made for automagically installing things for the "blue E is the Internet!" crowd as they are rather averse to any involvement in this sort of decision-making, viewing it as an unwanted burden. Yet even then, it's non-ideal. The honest, non-sneaky way to handle this would be to separate it from the core
Just assuming that you must want this non-essential thing and making that assumption without considering security implications, all in the name of increasing marketshare, is what's sneaky or exploitative. People who use automatic Windows Updates do so because they rely on it to keep their systems patched and secure. When they are not technically inclined, they are something of a captive audience in this scenario.
You know, when the big virulent worms like Sasser and Code Red came out, they attacked vulnerabilities for which patches had already been issued. I used to wonder why so many people didn't keep their machines more up-to-date when an automatic mechanism is provided that will do it for them. Every time I see something like this, I begin to understand why. It's in everyone's interest to lessen the number of vulnerable machines on the network. Another reason to distrust a mechanism that could have prevented many of these infections does not further that interest. If Microsoft were really serious about security, they would minimize this effect by separating Windows Update into two categories: "Bugfixes & Security Patches", and an optional "New Features".
It is a miracle that curiosity survives formal education. - Einstein
Removing the ubufox package is supposed to leave you with a vanilla Firefox, as far as I know. I don't know anything about the 'Ubuntu Firefox Modifications' add-on; I have nothing of the sort on my Ubuntu Jaunty system as far as I can tell.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
You should learn to read the article, too.
FTFA:
Emphasis mine.
Also, note that this plugin update was pushed out via Windows Update.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Don't know about you, but "Disable" is not grayed out on my Ubuntu box for that add-on.
SSC
You can try WINE. Assuming Aion is Aion: The Tower of Eternity, people have gotten the game to play on Linux, FreeBSD, and Mac OS X with WINE, though there may be caveats. No one has tested NBA 2k10 on the AppDB. NBA 2k08 seems to work, however.
SSC
Uuuuhhh...never heard of a .reg file? If you have somebody who is afraid of using the reg they really ain't hard to cook up. if you need one here is a nice tutorial on how to modify and delete reg entries with a .reg file. Certainly a lot easier to go "clicky clicky" on a reg file than risk having the user bone something in CLI.
That is one of the nice things about the Windows registry-it really isn't hard to cook up a .reg file in notepad and send it to someone having a problem. Oh and if anybody needs it here is a page of the most common fixes for those little problems that pop up from time to time, and nearly all of them are nice simple .reg files that makes it simple to send to someone having trouble or keep on a flash in a misc tools folder. Despite all the hate out there for the reg is actually pretty simple to backup, fix, and maintain, with little effort.
ACs don't waste your time replying, your posts are never seen by me.