Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sneaky Microsoft Add-On Put Firefox Users At Risk

Posted by ScuttleMonkey on from the bad-microsoft-no-donut dept.

CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."

11 of 333 comments (clear)

  1. Not true by Voulnet · · Score: 5, Informative

    That's not true, I have Win XP SP2, Firefox 3.5.3; and I just disabled this plugin. It CAN be disabled.

    1. Re:Not true by The+Moof · · Score: 4, Informative

      Originally, you couldn't uninstall the extension. Microsoft did eventually release a patch that activated the Uninstall button, it's been out for a while now. I even think Slashdot had a story about the patch that enabled the button. Still patiently waiting for Sun to give me the same option with "Super Cool Java Firefox Extension"...

      (Going to the Advanced Settings in Java under the Control Panel to uninstall a Firefox extension is unacceptable. I also wish they'd clean up their plug-ins when they update.)

  2. Re:Sabotage? by noundi · · Score: 4, Informative

    Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

    It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?

    --
    I am the lawn!
  3. Registry Danger! by aster_ken · · Score: 5, Informative

    Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.

    Also, the ability to remove this plug-in was covered on Slashdot a few months ago when Microsoft released version 1.1. It was included in an earlier service release to the .NET Framework for Windows XP and Windows Vista. This plug-in doesn't even exist in Windows XP by default. You must have installed .NET Framework 3.0 or higher to get it. Windows Vista includes .NET Framework 3.0, but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand. Windows 7 allows you to do it because the earlier service release is part of the operating system.

    Microsoft bashing is fun, but let's stick to facts.

    1. Re:Registry Danger! by Frosty+Piss · · Score: 3, Informative

      but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand.

      You mean like this? That's *no* uninstalling.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Registry Danger! by Penguinisto · · Score: 4, Informative

      "It's no more dangerous to delete something from your registry"

      Perhaps, but...

      1. This kinda invalidates the argument that Windows fanboys have been spouting for years, namely "...but in Linux/BSD/Whatever, you have to edit files, which is too hard for Joe Sixpack to do!"
      2. If you bork the registry, discover it's borked only after a full reboot/log-in, then try to reboot again thinking it's some other problem, that backup copy of the registry just went 'pfft!', and you may or may not be able to get to a point where you can use System Restore
      3. The registry makes a great place to hide stuff in (see also half the malware to come down the pike in the past 9 years)
      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  4. Re:except Windows 7 by Penguinisto · · Score: 3, Informative

    ...depends - the Windows 7 beta and RC had that nasty little habit as well. The RTM is (so far) not doing it.

    In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).

    To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft... just look at how they're blaming ORacle and Sun for the Sidekick data loss (in spite of the fact that it was lost because their management apparently forgot how to spell "backup").

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  5. Re:Sabotage? by hairyfeet · · Score: 4, Informative

    And it is actually quite simple to remove with regedit. For those that want to toss it just launch regedit and go to HKEY LOCAL MACHINE > Software> Mozilla > Firefox > Extensions. There you will find both it and the Java extension, just delete and voila! No more Dotnet or Java plugins.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  6. Re:Amazing by shutdown+-p+now · · Score: 3, Informative

    If anything, this case further reinforces that claim. Any new functionality (including plugins) added to a browser increases its attack surface, unless it completely replaces part of the existing code. In this case, the increased surface was due to WPF being exposed. In case of Chrome plugin, it's Chrome rendering engine.

    If Chrome completely replaced IE renderer, with no means to re-activate it, then it would be reasonable to argue that it does improve security. However, Chrome renderer is opt-in, which means that any attack site willing to exploit an IE vulnerability will happily work in IE with Chrome plugin installed, but at the same time any site willing to exploit a Chrome vulnerability - and it's not like there aren't, or will never be, any - can request IE with Chrome plugin to use Chrome for rendering.

  7. Re:except Windows 7 by SilverHatHacker · · Score: 3, Informative

    Removing the ubufox package is supposed to leave you with a vanilla Firefox, as far as I know. I don't know anything about the 'Ubuntu Firefox Modifications' add-on; I have nothing of the sort on my Ubuntu Jaunty system as far as I can tell.

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
  8. Re:except anything but Windoze by zach_the_lizard · · Score: 4, Informative

    You can try WINE. Assuming Aion is Aion: The Tower of Eternity, people have gotten the game to play on Linux, FreeBSD, and Mac OS X with WINE, though there may be caveats. No one has tested NBA 2k10 on the AppDB. NBA 2k08 seems to work, however.

    --
    SSC