Sneaky Microsoft Add-On Put Firefox Users At Risk

← Back to Stories (view on slashdot.org)

Sneaky Microsoft Add-On Put Firefox Users At Risk

Posted by ScuttleMonkey on Friday October 16, 2009 @08:14AM from the bad-microsoft-no-donut dept.

CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."

10 of 333 comments (clear)

Min score:

Reason:

Sort:

Sabotage? by Reyendo · 2009-10-16 08:19 · Score: 5, Insightful

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.
1. Re:Sabotage? by FlyingBishop · 2009-10-16 08:31 · Score: 5, Insightful
  
  This is a .NET vulnerability, on MS Windows. Firefox being the vehicle is entirely Microsoft's fault as the maintainer of the .NET plugin.
2. Re:Sabotage? by shutdown+-p+now · 2009-10-16 09:26 · Score: 5, Insightful
  
  Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.
  I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional - the vulnerability itself is a fairly obscure corner case in .NET bytecode validator/verifier, and, so far as I can tell, it has been there for a very long time, seemingly before WPF was even released. All in all, it looks like a genuine bug.
  A testament to its obscurity is the way I encountered it - I was designing an Algol-60 compiler targetting .NET, and was looking for an efficient way to pass Algol function-type function arguments (which are effectively vararg on the caller side) without having to lift outer locals used by captured functions to heap. Only after coming up with an efficient design and testing that it works, I realized the implications of what I had just done to the verifier.
  I cannot comment on CVE-2009-2529 (the second Firefox-affecting vulnerability), but I don't see how it would be any different. Really, the idea of MS deliberately adding vulnerabilities to its products in hope of marginally affecting Firefox by them (remember that IE is hit much worse...) is pretty absurd - even if you disregard the notion of business reputation when it comes to MS, it poses a very high legal liability. No-one in a sane mind would even contemplate doing such a thing.
  Disclaimer: I do work for Microsoft at present, though not on the affected products. I did not work for Microsoft when I discovered and reported that vulnerability.
3. Re:Sabotage? by koro666 · 2009-10-16 10:32 · Score: 4, Insightful
  
  [...] can't they steal that idea from Apple so it would be basically "regutil --remove HKLM_Software_Mozilla_Firefox_Extensions .net"?
  Isn't this exactly what reg.exe does already?
4. Re:Sabotage? by Gadget_Guy · 2009-10-16 14:32 · Score: 4, Insightful
  
  No, it is paranoid. How are you finding out about the vulnerability? Because Microsoft patched it last Tuesday. If they wanted to discredit Firefox they would have shipped something to take advantage of the security hole, not something to fix it. Besides, a security hole that only exists on the Windows version of Firefox (and will inevitably be traced back to their code) just makes it look like it is better to run FF on Linux rather than Windows - which would NOT be what they wanted.
  The sad part is that this could have gone so well for them. This should have been remembered for Microsoft supporting alternate browsers under Windows so it would be one less reason to say how IE has an unfair advantage. I could (barely) forgive them for silently installing it the extension because from Microsoft's point of view they are adding support for Firefox to .NET rather than the other way around.
  What was unforgivable was shipping this without the ability to disable the extension. Even if they had never contemplated the idea that anyone would want to uninstall it, it should have been blindingly obvious that a grayed out Disable button meant that this would stand out from other extensions. They couldn't just say that they didn't notice that it was not able to be uninstalled.
  I would like to know how you disable those buttons. Is there some API call when installing the extension (meaning it is a deliberate feature, for which both Microsoft and Mozilla should be shot)? Is it caused by a lack of uninstall script (meaning Microsoft did a half-arsed job of writing the extension)? Or is it a permissions thing that the update was installed by the Administrator account and limited users were not allowed to delete the files/registry keys (meaning... I don't know what to think of that option)?
5. Re:Sabotage? by the_womble · 2009-10-16 18:45 · Score: 4, Insightful
  
  What idiot modded that insightful?
  It is weird how Windows advocates are quite happy to mess about the the Windows registry but claim that copying and pasting a fwe lines into a terminal window is dfficult.
Re:remember the important part by abigsmurf · 2009-10-16 08:29 · Score: 4, Insightful

The only thing worse than installing without asking is uninstalling without asking.
Amazing by gmuslera · 2009-10-16 08:33 · Score: 4, Insightful

This is from the same people that claimed that the Google Chrome Render plugin for IE6+ will make the browser less secure?
Shouldn't the title read by jayme0227 · 2009-10-16 08:55 · Score: 4, Insightful

"Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.

--
But then I realized the cable was blue, so I only gave it one star. I hate blue.
Re:Not this shit again. by asa · 2009-10-16 09:30 · Score: 4, Insightful

There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.
No. Wrong. Installing plug-ins or extensions without asking is bad. Period. Full stop. End of story.