Slashdot Mirror


Sneaky Microsoft Add-On Put Firefox Users At Risk

CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."

27 of 333 comments

  1. except Windows 7 by nurb432 · · Score: 4, Funny

    Best upgrade then ya lusers!.. Here is an online form to order your shiny new pc with Windows 7..

    --
    ---- Booth was a patriot ----
  2. Sabotage? by Reyendo · · Score: 5, Insightful

    Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

    1. Re:Sabotage? by noundi · · Score: 4, Informative

      Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

      It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?

      --
      I am the lawn!
    2. Re:Sabotage? by FlyingBishop · · Score: 5, Insightful

      This is a .NET vulnerability, on MS Windows. Firefox being the vehicle is entirely Microsoft's fault as the maintainer of the .NET plugin.

    3. Re:Sabotage? by hairyfeet · · Score: 4, Informative

      And it is actually quite simple to remove with regedit. For those that want to toss it just launch regedit and go to HKEY_LOCAL_MACHINE > Software > Mozilla > Firefox > Extensions. There you will find both it and the Java extension, just delete and voila! No more Dotnet or Java plugins.

      --
      ACs don't waste your time replying, your posts are never seen by me.
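The registry walk described in the comment above, as an added PowerShell example that is not part of the original thread (and not Microsoft's or Mozilla's code). It lists every Firefox extension registered through the Windows registry (the machine-wide key named above, plus its Wow6432Node and per-user counterparts, which are this example's own additions) and, when given a match string, exports the key to a .reg backup and removes only the matching value. The `-Match` parameter, the backup step and the `-WhatIf` dry run are assumptions of this example; the value names (extension IDs) and value data (install directories) are whatever is actually on the machine.

```powershell
# Added example: enumerate and optionally remove Firefox extensions that were
# registered via the Windows registry instead of installed into a profile.
# Run from an elevated PowerShell prompt (the HKLM keys need admin rights).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Substring of the extension ID or install path to remove; empty = list only.
    [string]$Match = ''
)

# Native and 32-bit-on-64-bit views, machine-wide and per-user registrations.
# Only the first key comes from the comment above; the rest are assumptions.
$keys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

function Get-RegisteredFirefoxExtension {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # Each value name is an extension ID; each value's data is its install directory.
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            $exists = if ($prop.Value) { Test-Path -LiteralPath $prop.Value } else { $false }
            [pscustomobject]@{
                Key        = $key
                Id         = $prop.Name
                Path       = $prop.Value
                PathExists = $exists   # a stale registration points at a missing directory
            }
        }
    }
}

$found = @(Get-RegisteredFirefoxExtension)
$found | Format-Table -AutoSize

if ($Match) {
    foreach ($ext in $found) {
        if (($ext.Id -like "*$Match*") -or ($ext.Path -like "*$Match*")) {
            # Export the whole key before touching it so the change can be undone
            # with a double-click on the .reg file, then delete just the one value.
            $backup  = Join-Path $env:TEMP ('firefox-extensions-{0}.reg' -f (Get-Date -Format 'yyyyMMddHHmmss'))
            $regPath = ($ext.Key -replace '^HKLM:', 'HKLM') -replace '^HKCU:', 'HKCU'
            reg.exe export $regPath $backup /y | Out-Null
            if ($PSCmdlet.ShouldProcess("$($ext.Key) -> $($ext.Id)", 'Remove registry value')) {
                Remove-ItemProperty -Path $ext.Key -Name $ext.Id
                Write-Host "Removed $($ext.Id); backup written to $backup"
            }
        }
    }
}
```

Usage: run the script with no arguments to see what is registered, then `.\Remove-RegisteredFirefoxExtension.ps1 -Match '<id or path fragment from the listing>' -WhatIf` to preview, and drop `-WhatIf` to delete. Removing the value only unregisters the extension from Firefox; the files under the install directory stay in place, so if you only want to silence it that is all you need. The plain `reg.exe` equivalents asked about further down the thread are `reg query HKLM\SOFTWARE\Mozilla\Firefox\Extensions` to list and `reg delete HKLM\SOFTWARE\Mozilla\Firefox\Extensions /v <extension-id>` to remove one value.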
    4. Re:Sabotage? by jamstar7 · · Score: 4, Interesting

      Too many movies makes you think strange things. For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP. Real life: rotary phones, paperwork in triplicate, and a gigantic fucking bureaucracy that thinks pagers are still useful.

      Or the idea of NSA 'agents' running around shooting up everything in sight (because the CIA isn't the big Boogie Man anymore). Real life: Bunch of bureaucrats overseeing a bunch of pastyfaced nerds and cubicle rats busy doing signal intercepts and codebreaking. Though the bandwidth and internet access is great, I hear...

      --
      Understanding the scope of the problem is the first step on the path to true panic.
    5. Re:Sabotage? by shutdown+-p+now · · Score: 5, Insightful

      Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

      I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional - the vulnerability itself is a fairly obscure corner case in .NET bytecode validator/verifier, and, so far as I can tell, it has been there for a very long time, seemingly before WPF was even released. All in all, it looks like a genuine bug.

      A testament to its obscurity is the way I encountered it - I was designing an Algol-60 compiler targeting .NET, and was looking for an efficient way to pass Algol function-type function arguments (which are effectively vararg on the caller side) without having to lift outer locals used by captured functions to heap. Only after coming up with an efficient design and testing that it works, I realized the implications of what I had just done to the verifier.

      I cannot comment on CVE-2009-2529 (the second Firefox-affecting vulnerability), but I don't see how it would be any different. Really, the idea of MS deliberately adding vulnerabilities to its products in hope of marginally affecting Firefox by them (remember that IE is hit much worse...) is pretty absurd - even if you disregard the notion of business reputation when it comes to MS, it poses a very high legal liability. No-one in a sane mind would even contemplate doing such a thing.

      Disclaimer: I do work for Microsoft at present, though not on the affected products. I did not work for Microsoft when I discovered and reported that vulnerability.

    6. Re:Sabotage? by PopeRatzo · · Score: 4, Funny

      Who gave Glenn Beck a webcam?

      --
      You are welcome on my lawn.
    7. Re:Sabotage? by PopeRatzo · · Score: 4, Funny

      I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090 [microsoft.com]) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional...remember that IE is hit much worse

      You're spoiling everyone's fun, you know that?

      --
      You are welcome on my lawn.
    8. Re:Sabotage? by koro666 · · Score: 4, Insightful

      [...] can't they steal that idea from Apple so it would be basically "regutil --remove HKLM_Software_Mozilla_Firefox_Extensions .net"?

      Isn't this exactly what reg.exe does already?

    9. Re:Sabotage? by interkin3tic · · Score: 4, Interesting

      Not surprisingly this comment is sitting here unmoderated

      Only for half an hour. An hour later, it is up to +5. I guess the "nucleation" for moderations is the slow step, it has seemed to me that most moderations are done on posts already moderated once. Looking over my comments, I usually notice that most of my posts are unmoderated, the ones that are are usually moderated more than once. I don't really think my posts are either +5 great or +0 meh. Most people with mod points must be lazy and don't browse in full.

    10. Re:Sabotage? by JimboFBX · · Score: 4, Funny

      Nah, the instructions are missing a reference to an obscure library somewhere that the user was some how already supposed to have with no link as to where to download it.

    11. Re:Sabotage? by Gadget_Guy · · Score: 4, Insightful

      No, it is paranoid. How are you finding out about the vulnerability? Because Microsoft patched it last Tuesday. If they wanted to discredit Firefox they would have shipped something to take advantage of the security hole, not something to fix it. Besides, a security hole that only exists on the Windows version of Firefox (and will inevitably be traced back to their code) just makes it look like it is better to run FF on Linux rather than Windows - which would NOT be what they wanted.

      The sad part is that this could have gone so well for them. This should have been remembered for Microsoft supporting alternate browsers under Windows so it would be one less reason to say how IE has an unfair advantage. I could (barely) forgive them for silently installing the extension because from Microsoft's point of view they are adding support for Firefox to .NET rather than the other way around.

      What was unforgivable was shipping this without the ability to disable the extension. Even if they had never contemplated the idea that anyone would want to uninstall it, it should have been blindingly obvious that a grayed out Disable button meant that this would stand out from other extensions. They couldn't just say that they didn't notice that it was not able to be uninstalled.

      I would like to know how you disable those buttons. Is there some API call when installing the extension (meaning it is a deliberate feature, for which both Microsoft and Mozilla should be shot)? Is it caused by a lack of uninstall script (meaning Microsoft did a half-arsed job of writing the extension)? Or is it a permissions thing that the update was installed by the Administrator account and limited users were not allowed to delete the files/registry keys (meaning... I don't know what to think of that option)?

    12. Re:Sabotage? by shutdown+-p+now · · Score: 4, Interesting

      Ok, seriously. Why Algol-60?

      Because it is one of the three languages that started it all, and one that affected all existing mainstream languages most. Curly braces of C, and the block construct that they represent, began their life as "begin .. end" in Algol-60.

      Because it is at the same time a very beautiful language - especially considering the time when it was designed - and one with some very advanced constructs, not found even in many modern languages, that can pose significant challenge to implement efficiently, especially in an otherwise constrained environment such as sandboxed CLR. To list a few such features: computed goto, label variables/function arguments and the associated nonlocal goto, arbitrarily nested functions with variable capturing, and call-by-name. Challenges are fun.

      Because it's a very important milestone in history of CompSci in general, and language design in particular (in case it's not quite obvious yet, I'm a language design geek), a piece of it that I wish to preserve. Apparently, I'm not alone in that, either - there's also GNU Marst - curiously enough, written by another Russian dude.

      Because Simula-67 (the first OOP language ever, and the ultimate ancestor of virtually every statically typed OO language today, including C++, Java and C#) is a strict superset of Algol-60, and I wanted to go after it next.

      And, of course, just for fun. I mean, this is Slashdot, right? We routinely get people installing KDE2 on NetBSD running on toasters with 7-segment indicators here; I think my little fetish is relatively benign in contrast.

      (To bring the above references to Algol-60 language features into some context for those not familiar with the subject, the final Algol-60 language spec is here; it's a fairly short read.)

      After all everybody here on Slashdot knows that Algol-68 is the most recent version!

      Algol-68 is an entirely different language from Algol-60. It's not evolutionary, but a complete, ground-up redesign, by very different people. It's also a very interesting one, and important in its own right, since C borrowed a lot of things from it, down to keywords (VOID, INT, SHORT, LONG, STRUCT and UNION are all Algol-68 keywords with virtually the same meaning they have retained in C).

      It would be fairly interesting thing to implement as well, but in many ways it's a much more rationally designed language than Algol-60, dropping some overly exotic and complicated features, and, consequently, implementing it is less of a challenge (I guess they had had enough real-world experience writing compilers by then to conclude that some features of Algol-60 looked good on paper only...).

    13. Re:Sabotage? by the_womble · · Score: 4, Insightful

      What idiot modded that insightful?

      It is weird how Windows advocates are quite happy to mess about with the Windows registry but claim that copying and pasting a few lines into a terminal window is difficult.

  3. Not true by Voulnet · · Score: 5, Informative

    That's not true, I have Win XP SP2, Firefox 3.5.3; and I just disabled this plugin. It CAN be disabled.

    1. Re:Not true by Neon+Spiral+Injector · · Score: 4, Interesting

      That may not be entirely true. Have a look at this:
      http://adblockplus.org/blog/the-return-of-net-framework-assistant

    2. Re:Not true by The+Moof · · Score: 4, Informative

      Originally, you couldn't uninstall the extension. Microsoft did eventually release a patch that activated the Uninstall button, it's been out for a while now. I even think Slashdot had a story about the patch that enabled the button. Still patiently waiting for Sun to give me the same option with "Super Cool Java Firefox Extension"...

      (Going to the Advanced Settings in Java under the Control Panel to uninstall a Firefox extension is unacceptable. I also wish they'd clean up their plug-ins when they update.)

  4. Re:remember the important part by abigsmurf · · Score: 4, Insightful

    The only thing worse than installing without asking is uninstalling without asking.

  5. Registry Danger! by aster_ken · · Score: 5, Informative

    Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.

    Also, the ability to remove this plug-in was covered on Slashdot a few months ago when Microsoft released version 1.1. It was included in an earlier service release to the .NET Framework for Windows XP and Windows Vista. This plug-in doesn't even exist in Windows XP by default. You must have installed .NET Framework 3.0 or higher to get it. Windows Vista includes .NET Framework 3.0, but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand. Windows 7 allows you to do it because the earlier service release is part of the operating system.

    Microsoft bashing is fun, but let's stick to facts.

    1. Re:Registry Danger! by Penguinisto · · Score: 4, Informative

      "It's no more dangerous to delete something from your registry"

      Perhaps, but...

      1. This kinda invalidates the argument that Windows fanboys have been spouting for years, namely "...but in Linux/BSD/Whatever, you have to edit files, which is too hard for Joe Sixpack to do!"
      2. If you bork the registry, discover it's borked only after a full reboot/log-in, then try to reboot again thinking it's some other problem, that backup copy of the registry just went 'pfft!', and you may or may not be able to get to a point where you can use System Restore
      3. The registry makes a great place to hide stuff in (see also half the malware to come down the pike in the past 9 years)
      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  6. Amazing by gmuslera · · Score: 4, Insightful

    This is from the same people that claimed that the Google Chrome Render plugin for IE6+ will make the browser less secure?

  7. Shouldn't the title read by jayme0227 · · Score: 4, Insightful

    "Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.

    --
    But then I realized the cable was blue, so I only gave it one star. I hate blue.
  8. Re:remember the important part by jalefkowit · · Score: 4, Funny

    That's what SHE said!

    (sorry, couldn't resist)

  9. Re:Not this shit again. by asa · · Score: 4, Insightful

    There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.

    No. Wrong. Installing plug-ins or extensions without asking is bad. Period. Full stop. End of story.

  10. Re:except anything but Windoze by zach_the_lizard · · Score: 4, Informative

    You can try WINE. Assuming Aion is Aion: The Tower of Eternity, people have gotten the game to play on Linux, FreeBSD, and Mac OS X with WINE, though there may be caveats. No one has tested NBA 2k10 on the AppDB. NBA 2k08 seems to work, however.

    --
    SSC
  11. Mozilla is on top of it, though by macraig · · Score: 4, Interesting

    This screen capture of a dialog I saw tonight demonstrates that Mozilla is paying attention and doing something about it, though: