Slashdot Mirror


Firefox Disables Microsoft .NET Addon

ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.

448 comments

  1. Great by sopssa · · Score: 3, Interesting

    All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?

    1. Re:Great by setagllib · · Score: 5, Funny

      Microsoft has put billions of dollars into developing the most effective and efficient security vulnerabilities to date. I can only watch in awe and wonder.

      --
      Sam ty sig.
    2. Re:Great by xonicx · · Score: 2, Interesting

      Not really. I was on verge of switching to chrome because of firefox getting stuck while typing in address bar. Disabling "Windows Foundation Presentation" magically fixed the problem.

    3. Re:Great by The+MAZZTer · · Score: 4, Informative

      There's actually a whole Firefox setting namespace devoted to bits of useragent to append, you don't even need a whole addon.

    4. Re:Great by piripiri · · Score: 5, Informative

      It's not just a useragent string, but it allows remote code execution. https://bugzilla.mozilla.org/show_bug.cgi?id=522777

    5. Re:Great by wasabii · · Score: 4, Informative

      Not exactly. It also allows you to run .Net and WPF apps inline in the browser, hosting a CLR instance. Not to mention mapping the ClickOnce file type.

    6. Re:Great by Anonymous Coward · · Score: 0

      What could possibly go wrong?

    7. Re:Great by Anonymous Coward · · Score: 3, Insightful

      because it lets you bring in the same .net vulnerabilities that IE has? Nobody asked for these to be brought into firefox. The issue is that they were installed without any confirmation. It was "installed for you".

      duh. Go home you fucking shill.

    8. Re:Great by Anpheus · · Score: 1, Insightful

      But how much execution? .NET supports sandboxed/isolated app domains.

      Saying .NET has remote code execution is like saying Java and Flash do, unless you're specific.

      I don't know yet what vulnerability, if any, existed, except that Firefox developers were annoyed Microsoft added another addon.

    9. Re:Great by mR.bRiGhTsId3 · · Score: 1, Offtopic

      The question is; Could a normal user find the setting namespace and change their UA to report .NET without the autoinstall add-on. I didn't think so.

    10. Re:Great by nmb3000 · · Score: 5, Informative

      All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?

      For anyone curious as to the real state of affairs behind this MS plugin issue, you might be interested in a few things. For everyone else just enjoying a good anti-Microsoft circle-jerk, ignore this post.

      The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications to run in Firefox and ClickOnce program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?

      This is the bug in question. There is a lot of interesting comment there, including the fact that while everyone is crying about Microsoft "secretly" adding the plugin and preventing users from disabling it, Mozilla doesn't even give users an option to enable it! Their blocklist is all or nothing. Why doesn't that bother anyone here? One poster is very insightful:

      Many corporations have begun implementing Firefox and telling their users that it is an equally if not more capable but more secure browser. For a subset of those corporations, the action of removing necessary tech without consent or a secure method for re-enabling it will result in the removal of the browser from the system completely. It will be called a failed experiment. The following day, sys-admins around the world will be left explaining to the non-enthusiast employees that the reversal came because certain business apps would not function in FF. Those users will only hear that FF is not as capable.

      But perhaps the best thing about this entire issue, is that Mozilla didn't block the plugins until AFTER they were patched and the mechanism of the block is retarded. Mozilla is claiming that Microsoft agreed to issuing the block of the affected plugins, and that might be true, but only to an extent. Mozilla is currently blocking the plugins based on the name of the plugin, not the version, which means users who have installed the patched version of the plugs (at this point almost everyone using Windows Update) are still unable to use the plugins and have no way to re-enable them.

      So essentially, by issuing this patch, Mozilla is doing nothing but hurting its business customers. Slashdotters can scratch their heads trying to figure out who uses these technologies, but the answer is a lot of businesses do. This absolute, non-scriptable and non-changeable block of these plugins will just remind corporations that open source isn't ready for the big leagues and they should just stick with Microsoft and IE. The sad thing is that if this kind of knee-jerk, carte-blanche blocking behavior becomes the norm for Mozilla, they will probably be right! Taking this kind of control away from the users is simply unacceptable, doubly so for businesses.

      If you're wondering what MS says about this, you might take a look at this:

      First we'd like to make it clear that any customers that have applied the update associated with MS09-054 are protected, regardless of the attack vector. And most customers need not take any action as they'll receive this update automatically through Automatic Updates.

      So there it is -- pretty much everyone

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    11. Re:Great by Deathlizard · · Score: 1

      So do older versions of Flash and Java.

      You Don't see them blacklisting older versions of Flash or Java. The most they have done so far is tell you your flash is out of date, which granny promptly ignores and two days later calls her grandson asking why this newfangled Windows Enterprise Defender is telling her she got 50 viruses on her pc even though she paid $80 for it to remove them.

      I don't have a problem with Firefox disabling plugins with security issues, but they sure as hell better be consistent about it. Especially when other plugins (Especially Flash) have a much more horrible security record and policy.

    12. Re:Great by loki969 · · Score: 1

      Please mod parent up!

    13. Re:Great by shentino · · Score: 5, Insightful

      I consider any plugin installed without my consent to be malicious, especially if it's a plugin FOR SOMEONE ELSE'S SOFTWARE.

    14. Re:Great by Anonymous Coward · · Score: 0

      You installed the fucking .NET framework.

    15. Re:Great by Anonymous Coward · · Score: 0

      Doesn't .NET framework come with Windows Vista and Windows 7?

    16. Re:Great by Mike+Shaver · · Score: 4, Informative

      There is no version difference for the plugin or add-on between patched and unpatched systems. That's one reason that this is so messy right now; if we had known about the Firefox aspect of the vulnerability before the SRD blog post, we would have suggested just that sort of version bump.

    17. Re:Great by jbb999 · · Score: 1

      I was using this and they disabled it so I can't use firefox any more. Oh well, back to IE8 then.

    18. Re:Great by raddude99 · · Score: 2, Insightful

      The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications [wikipedia.org] to run in Firefox and ClickOnce [wikipedia.org] program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?

      To answer your question, No, it is in fact a bad thing. This is another instance of a typical microsoft strategy called "Embrace - Extend - Extinguish". To see how this works see the comment from the poster below:

      I have over 100+ boxes at work that depend on this plugin. When I get into work tomorrow, if they're not working (they run FF), then I'm not going to have much choice but to switch back to IE, am I?

      Microsoft have embraced Firefox by writing software for it, Extended its functionality to add support for their own proprietary "standards" and now they are trying to extinguish Firefox by forcing Mozilla to remove a plugin that some users have come to rely on. If microsoft were serious about adding functionality to Firefox then they would have contributed source code to this open source project. One good thing has come from this though, the rug has been pulled from under this plugin quite early, probably before many users have become dependent on it, because it was only a matter of time (probably a few years) before microsoft withdrew this plugin themselves in an attempt to force users back to IE.

    19. Re:Great by Anonymous Coward · · Score: 0

      Pretty much everyone..
      Except corporations that block updates because they might break their internal applications.
      Except all the pirated copies that don't get updates.
      If you don't think these are a big share of the market, just look at any browser market share stats for how long it's taking for IE6 and 7 to die.

    20. Re:Great by nmb3000 · · Score: 1

      Microsoft have embraced Firefox by writing software for it, Extended its functionality to add support for their own proprietary "standards"

      False. How is this different than Adobe writing Flash plugin software for Firefox? Adobe Flash is proprietary and contains a lot of their own "standards". Many, many more businesses currently rely on Adobe's Flash than do on Microsoft's XAML WPF apps. If the Mozilla team blacklisted Flash tomorrow, how many people would that piss off? How many would switch back to IE or Opera?

      and now they are trying to extinguish Firefox by forcing Mozilla to remove a plugin that some users have come to rely on.

      False. There was a security flaw in the Microsoft plugin for Firefox. This isn't debated. However, it was the Mozilla team that decided to block the plugin software, not Microsoft. Microsoft has already released a patch for the flawed programs. I'm not seeing any "extinguish" involved here.

      If microsoft were serious about adding functionality to Firefox then they would have contributed source code to this open source project.

      False. The hundreds or thousands of plugins and extensions for Firefox (popular ones include Flash, PDF support [from dozens of vendors], audio/video support, etc) show this to be misguided and invalid thinking.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    21. Re:Great by IamTheRealMike · · Score: 1

      Hm, that's not good. Is Microsoft going to re-patch the plugin to make it obvious that it's been fixed, so you can apply a version block instead of a name block?

    22. Re:Great by TropicalCoder · · Score: 1, Flamebait

      Please mod parent down! He is not a real person anyhow, but a member of Microsoft's psy-op team, spreading disinformation. It is outrageous to see shills modded up to +5. You gotta wonder about the motivation of someone who is defending something that was installed by stealth instead of a normal opt-in procedure. Who of those fictitious users of One-Click he is referring to actually installed this plugin on Firefox? None of them! ...because it wasn't offered or advertized, and there was no opportunity to deliberately download this plugin, and therefore nobody asked for it.

      The real story can be found on the Mozilla discussion board.

      Fundamentally, Microsoft introduced a security risk into Firefox with these add-ons. That risk came to fruition and thus Mozilla closed the risk entirely. Both have agreed to this, at least for the time being.

      Mozilla is only blocking the unpatched vulnerability. It's just that there's no appreciable difference between the patched and unpatched versions so it's all blocked at once. Firefox users are by no means guaranteed to have both the update that caused this and the update that fixed this. Updates are not magic. Some people have them now; some don't. If it's not 100% then it's vulnerable and hence the block.

      It's important to note that the vast majority of users with this add-on installed did not know that it was installed, or ask for it to be installed, and it's very difficult to uninstall cleanly due to the hidden extension that is left behind, as well as the "9.*.*" maxversion. This means that users who don't normally care about IE updates, because they are Firefox users, will be vulnerable until it is available to them and installed.

      Mozilla suggests that if you are one of the very small minority that need this software that was by and large installed into users' browsers without their permission or knowledge then you request Microsoft to write a clean version completely free of this and Mozilla can allow that through.

      Neither the plugin nor the extension are updated by the hotfix, only an OS component that they depend upon is changed. All versions of the extension or plugin are affected if the old version of the system component is installed, none are affected if the new version is installed. Firefox doesn't contain a mechanism for checking system library versions, so there's no way to automatically block the plugin only on affected systems. It's all or nothing: disable this functionality completely, or allow even on systems with the vulnerability.
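
Added example (not part of the thread, and not Mozilla's blocklist format or code): a simplified blocklist matcher showing the point made above and in Mike Shaver's comment, that a rule keyed on add-on name or version cannot tell patched from unpatched machines when the fix leaves the add-on version unchanged. The entry shape, the add-on id, the version numbers and the "version bump" fleet are all assumptions constructed for the illustration.

```javascript
// Simplified add-on blocklist matcher (illustration only; the entry shape,
// id, versions and comparison rules are assumptions, not Mozilla's code).

const ADDON_ID = "example-assistant@vendor.invalid"; // placeholder id

// Compare dotted numeric versions. A "*" component matches everything from
// that position on, so "1.*" as an upper bound covers 1.0, 1.1, 1.9.3, ...
function compareVersions(a, b) {
  const pa = a.split(".");
  const pb = b.split(".");
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if (pa[i] === "*" || pb[i] === "*") return 0;
    const x = parseInt(pa[i] ?? "0", 10);
    const y = parseInt(pb[i] ?? "0", 10);
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An entry with no bounds blocks every version of the named add-on.
function isBlocked(entry, addon) {
  if (entry.id !== addon.id) return false;
  if (entry.minVersion && compareVersions(addon.version, entry.minVersion) < 0) return false;
  if (entry.maxVersion && compareVersions(addon.version, entry.maxVersion) > 0) return false;
  return true;
}

// Grade a rule against a fleet. `osComponentPatched` is ground truth used
// only for grading; isBlocked() never sees it, just as the browser cannot.
function gradeRule(entry, hosts) {
  const result = { vulnerableAllowed: [], patchedBlocked: [] };
  for (const h of hosts) {
    const blocked = isBlocked(entry, h.addon);
    if (!h.osComponentPatched && !blocked) result.vulnerableAllowed.push(h.name);
    if (h.osComponentPatched && blocked) result.patchedBlocked.push(h.name);
  }
  return result;
}

// Constructed fleet 1: the hotfix replaces only an OS component, so the
// add-on reports the same version on both machines.
const sameVersionFleet = [
  { name: "unpatched", osComponentPatched: false, addon: { id: ADDON_ID, version: "1.1" } },
  { name: "patched", osComponentPatched: true, addon: { id: ADDON_ID, version: "1.1" } },
];

// Constructed fleet 2: a hypothetical fix that also bumps the add-on version.
const bumpedFleet = [
  { name: "unpatched", osComponentPatched: false, addon: { id: ADDON_ID, version: "1.1" } },
  { name: "patched", osComponentPatched: true, addon: { id: ADDON_ID, version: "1.2" } },
];

const nameOnlyRule = { id: ADDON_ID };                 // block all versions
const rangeRule = { id: ADDON_ID, maxVersion: "1.1" }; // block up to 1.1
const narrowRule = { id: ADDON_ID, maxVersion: "1.0" }; // block up to 1.0

console.log("same version, name rule:  ", gradeRule(nameOnlyRule, sameVersionFleet));
console.log("same version, range rule: ", gradeRule(rangeRule, sameVersionFleet));
console.log("same version, narrow rule:", gradeRule(narrowRule, sameVersionFleet));
console.log("bumped version, range rule:", gradeRule(rangeRule, bumpedFleet));
```

With identical versions every rule either blocks the patched machine too or lets the vulnerable one through; only the fleet with a version bump lets a range rule separate the two.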

    23. Re:Great by BikeHelmet · · Score: 1

      I think the real moral here is to use Java rather than .net! :P

      In all seriousness, it's only a matter of time before more .net exploits are discovered. Java is the more open solution, with a better security track record. *shudder*

    24. Re:Great by gnud · · Score: 1

      The main difference is, the microsoft plugin was installed automatically (often without user knowledge), and is hard to uninstall correctly.

    25. Re:Great by nmb3000 · · Score: 1

      He is not a real person anyhow, but a member of Microsoft's psy-op team, spreading disinformation.

      If that's the case then I'm short a paycheck or two.

      The real story can be found on the Mozilla discussion board.

      Funny, that's the exact same link I posted!

      Fundamentally, Microsoft introduced a security risk into Firefox with these add-ons. That risk came to fruition and thus Mozilla closed the risk entirely.

      Yes, and nuking New York City would take care of the rat problem. The issue is most logical people wouldn't see that as a valid solution. Of course, in this case it would be more like nuking New York City to get rid of the rats, but doing it after somebody else has already safely killed off 90% of the rat population.

      If it's not 100% then it's vulnerable and hence the block.

      So you suggest that punishing all users for a few users is a good idea?

      Mozilla suggests that if you are one of the very small minority that need this software [...] then you request Microsoft to write a clean version completely free of this and Mozilla can allow that through.

      There is so much wrong with this.

      - Assuming very few people use a program just because you don't is a bad idea.
      - Microsoft should write the software to be free of what?
      - So now Mozilla is dictating what software users are and are not allowed to use? Super idea there.

      Really, part of the problem is the mechanism that Firefox uses with regards to system-wide extensions. It is a flaw in the browser that these kinds of extensions are not allowed to be removed by the user. It's common for system admins or software vendors to need to install something that everybody using the computer can use, not just a single user. The idea of a multi-user, restricted-user environment seems completely foreign to the Firefox developers (see Firefox's automatic update feature for another example, it will try to let a non-admin user install updates and then fail over and over and over...). While not the reason for this problem, it is the reason that users have a difficult time removing the .NET extensions for Firefox.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    26. Re:Great by shutdown+-p+now · · Score: 1

      But how much execution? .NET supports sandboxed/isolated app domains.

      One of the vulnerabilities fixed by the recent major update was precisely that - .NET sandbox being broken, allowing for execution of arbitrary native code.

    27. Re:Great by Deathlizard · · Score: 2, Insightful

      First off, if you install Java even if you wanted to install it just for IE, or just to run a local program that runs java, it installs the Java Plugin for FireFox as well as ask you for the toolbar of the day. The same goes for Adobe Acrobat Reader if you just wanted to view a PDF, and is actually worse since the earlier installers would install Adobe AIR Without permission. Flash doesn't install to both by default, but the problem with Flash for FireFox is that it does not automatically update. (don't know why. The ActiveX Flash has an updater.)

      Second. Again, I'm all for the blacklisting, Especially the 1.0 version since uninstall was not possible until 1.1. What I'm saying is that this needs to happen with other plugins with similar security issues and not just with Microsoft's because a few zealots are butthurt because they see a MS product in their Microsoft free FireFox.

      In February, .NET 3.5 framework comes out and it has 2 verified exploits (See Here). In that period of time, Adobe flash has had 4 exploits and Acrobat Reader had 8 (See Here). Java had 15 (not too sure of this number See Here) Now considering that none of the affected Adobe or Sun Plugins were blocked (as they should have been) Is this more of a political move because it's Microsoft or is it because Firefox cares about the security of their browser? (which they should.)

    28. Re:Great by AHuxley · · Score: 2, Informative

      The problem is not just MS and its .NET part, it's the whole of the Windows. Once you overrun or break one small section, you're "in" for real.
      Traditionally MS is wide open under its sandboxed/isolated app marketing speak.
      MS might be able to fake protection for one or two applications, but anything they expose from the inner MS workings is then wide open.

      --
      Domestic spying is now "Benign Information Gathering"
    29. Re:Great by CoolGopher · · Score: 4, Insightful

      Especially when it disables the friggen "uninstall" button!

    30. Re:Great by Arker · · Score: 3, Insightful

      The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications to run in Firefox and ClickOnce program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?

      No, actually, it is not. Not at all a good thing, quite the opposite. If you are using firefox to run "content" via a closed, windows-only system like .net, you might as well be using IE. In fact that would be better - at least no one would be fooled into thinking they were writing something that would work on firefox when in fact it would only work on Windows/Firefox.

      There is a lot of interesting comment there, including the fact that while everyone is crying about Microsoft "secretly" adding the plugin and preventing users from disabling it, Mozilla doesn't even give users an option to enable it! Their blocklist is all or nothing. Why doesn't that bother anyone here?

      Because MS forced the plugin out without user consent and without even a disable option to begin with. Either of which is sufficient in and of itself to classify this bug as malware and remove it whenever encountered without further fuss.

      Taking this kind of control away from the users is simply unacceptable, doubly so for businesses.

      Oh, indeed it is. MS nonetheless has been doing it regularly for decades, and usually get away with it.

      Good to see Mozilla give them what they deserve, even if I do suspect astroturfers like you will wind up sadly blunting the impact as usual.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    31. Re:Great by Arker · · Score: 2, Insightful

      You installed the fucking .NET framework.

      He might well have installed it as a prerequisite for one particularly important application that was programmed by brain-dead chimps. Doesn't mean he wanted it hijacking his browser.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    32. Re:Great by CSMatt · · Score: 1

      The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications to run in Firefox and ClickOnce program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?

      No, because .NET doesn't belong on the Web any more than Java, Flash, or Silverlight. None of them are part of the Web standards, and they all violate the idea that the Web is (and should be) completely browser-agnostic.

      That being said, I agree with you that the blocking of these add-ons without the option to override the blocklist, regardless of whether the vulnerability is fixed, is a very poor move on Mozilla's part and they deserve far more flak than they are getting right now for merely having such an un-optional thing part of the browser in the first place. Even their automatic updates can be disabled if need be.

    33. Re:Great by ffreeloader · · Score: 1

      You're setting up a straw man and then knocking it down.

      MS has both a history of malicious behavior, and motivation to insert some of their technology into Firefox which they can then later withdraw to make Firefox look bad so they could drive users back towards IE.

      Adobe has no motivation to pull their Flash technology out of Firefox. What would be the point? So they could drive users and web site creators towards Silverlight and thus cut their own throats?

      Besides, Adobe didn't/doesn't install their Flash plugin into Firefox without specific user request, nor do they ever disable the user's ability to uninstall/disable it. MS stuffed their plugin into Firefox through their own update service and then disabled the ability of the user to get rid of it. That is not behavior that will generate trust. MS does not have the right to do that. Do they have the capability? Yes. But just because you can do something doesn't make it right, nor the right thing to do.

      Doing what MS did is engaging in the type of behavior that creates distrust and suspicion in anyone who sees what they did, as if they actually needed to engage in more of it to be distrusted, disliked, and seen as manipulative.

      --
      "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
    34. Re:Great by shutdown+-p+now · · Score: 1

      The problem is not just MS and its .NET part, it's the whole of the Windows. Once you overrun or break one small section, you're "in" for real.

      Explain yourself, please.

      No, you're not "in for real". The code executes under the account of the user who runs a browser. The effect is exactly the same as remote code execution in any Unix system - the exploit can do anything with user's files, but that's it. I'm not aware of any known privilege escalation exploits that can be abused further; however, even if one exists, they've been found for Unix systems as well.

    35. Re:Great by mysidia · · Score: 1

      It's a security move. They're blocking only the Windows Presentation Foundation plugin that has the vulnerability, not the addon, they are leaving other components MS put in, intact.

      The plugin is different from the addons.

      It's actually not just one thing MS adds to FF, it's a bunch of things.

      Including "the plugin", some DLLs in the FF plugins directory (that actually won't even be disabled if you use Tools > Addons > disable, since the Addon is separate from the Plugin).

    36. Re:Great by mysidia · · Score: 1

      I wonder if MS will eventually make an ActiveX plugin for FF to bring MSIE-style ActiveX control support, sort of like the "Google Chrome Frame" concept, but for FF, and automatically added behind the scenes, whether the user is interested or not.

    37. Re:Great by nmb3000 · · Score: 1

      You're setting up a straw man and then knocking it down.

      What? Where's the straw man? Don't use phrases until you know what they mean.

      motivation to insert some of their technology into Firefox which they can then later withdraw to make Firefox look bad so they could drive users back towards IE

      Can I borrow your crystal ball? I'd like to look up stock figures for next year.

      disabled the ability of the user to get rid of it

      This is a flaw with Firefox, not an intentional act of malice on Microsoft's part. The MS plugins are machine-wide so that all the users of a computer can use them, however machine-wide browser plugins cannot be removed via the Firefox user interface.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    38. Re:Great by mysidia · · Score: 1

      this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?

      In this case, providing access to MS-centric technologies that hardly anyone is using, and simply don't have any credibility among developers at the present time. Microsoft needs FF users to have access to the technology for the technology to have a hope of their new .NET technologies attaining any traction.

      Yes, I'm suggesting that XAML is in its infancy and not widely adopted by anyone. On the other hand, the plugin is widespread, due to MS silently installing the plugin without user knowledge or informed consent.

      So essentially, by issuing this patch, Mozilla is doing nothing but hurting its business customers.

      It's not a patch, it's an update to a published blocklist. Mozilla has no business customers that I know of, who pay for support of X copies of FF. People who download free copies of FF for business use are not "business customers", are they?

      Certainly they can use custom browser configurations and provide their own addon blocklists, by populating the browser configuration with a custom base URL, and serving up suitable .XML files for all browser versions. The blocklist and how it works are not a secret. It is not as if this is the first time a plugin has been blocklisted due to security issues.

      Mozilla is protecting its users who don't necessarily use Windows update, against a plugin that is not part of the browser, and was installed without users' control or knowledge.

      Certainly a third-party plugin is not a supported component; Mozilla doesn't have to fix third-party plugins, they can block them if there are issues.

      Allowing the user to run a plugin with known stability or security issues is a bad idea, a compulsory blocklist (with URL schema that can be customized by IT) is a very good idea.

    39. Re:Great by mysidia · · Score: 1

      False. How is this different than Adobe writing Flash plugin software for Firefox? Adobe Flash is proprietary and contains a lot of their own "standards".

      Microsoft has Internet Explorer.

      What was the name of Adobe's competing Web browser, again, that they would switch people to by removing Flash from FF and thus killing it?

      The analogy totally falls apart when you consider the fact that Adobe is browser-neutral. They don't have a browser of their own, and they give equal support to all major browsers.

      So no, Adobe flash doesn't disprove that .NET WPF/XAML plugins are EEE.

    40. Re:Great by RobertM1968 · · Score: 1

      So...

      First we'd like to make it clear that any customers that have applied the update associated with MS09-054 are protected, regardless of the attack vector. And most customers need not take any action as they'll receive this update automatically through Automatic Updates.

      Why exactly should I believe this? How many obviously failed attempts to patch remote code execution and other such holes in .NET have failed already? So, why does this patch suddenly protect us from ALL attack vectors? Do you really seriously think anyone with a brain and some technical knowledge should believe that?

      But perhaps the best thing about this entire issue, is that Mozilla didn't block the plugins until AFTER they were patched and the mechanism of the block is retarded.

      Dunno... because maybe they lack faith in Microsoft's claim to have patched .NET to protect users "regardless of the attack vector"? I for one know that with such a statement issued, I'd have little faith. It is simply the most retarded and clearly impossible statement ever. Wanna start taking bets as to when the next exploit for .NET and/or this plugin surface (regardless of MS insisting that everyone is protected "regardless of the attack vector")?

      And it is nice to see that you are holding Mozilla responsible for Microsoft's fuckup. Mozilla did not write the plugin, Mozilla also did not ensure that the uninstall mechanism was disabled (until MS finally released a patch for that). Did they perhaps act late? Sure. But more importantly, shouldn't Microsoft have acted sooner thus requiring no actions from Mozilla at all? Or even more importantly, shouldn't Microsoft have made it clear they were installing this thing in the first place and let users opt out of the install? Or not disabled the uninstall option?

      Now, on to the interoperability thing... couldn't Microsoft simply decide to follow web standards, instead of pushing their own, foisting "compatible" versions of their own methods into other products (and then most likely, as in the past killing those compatible versions when everyone is dependent on them)? So, that argument from you is kinda lame, considering such things are exactly what people have been complaining about Microsoft for doing for years.

    41. Re:Great by mysidia · · Score: 1

      The blocklist can be overridden, of course. Type "about:config" search for extensions.blocklist

      Disabling it or changing the blocklist URL schema is fairly straightforward.

    42. Re:Great by RobertM1968 · · Score: 1

      In addition, if you checked out the bug page, you would find that Mozilla simply blocked it as soon as they were made aware of it:

      https://bugzilla.mozilla.org/show_bug.cgi?id=522777

    43. Re:Great by RobertM1968 · · Score: 1

      Well, as a side note, I am happy for this little security risk. You have no idea what this latest blunder has done for our little computer business. Well, that's partially a guess based off the infections, location in temporary directories and browser logs and the user reporting doing nothing other than web surfing without downloading anything (and of course, the plugin installed)... but I'd say it is a pretty good guess. Sadly, Mozilla blocked this plugin. My system, as of yesterday, was not patched, and still had the plugin installed. Surfing to a "wrong" site made AVG very unhappy as something it detected as malicious tried installing itself.

      And of course, I am glad that ONCE AGAIN Microsoft claims they have fixed this code to prevent infections from all attack vectors. How in the world, with their track record on these things, could they be so sure?

      As a computer tech, I should be upset with Mozilla for blocking a genuine income source. As an end user, I am very happy that they did. Anyways, time to look for and manually install this patch on my XP system. Glad the rest of our systems don't run Windows.

      Here's just ONE similar exploit and patch:
      http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx

      When that obviously failed to address nothing but specific methods for such attack vectors, that patch was replaced by this one:
      http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx

      When that obviously failed to address nothing but specific methods for such attack vectors, that patch was replaced by this one:
      http://www.microsoft.com/technet/security/bulletin/MS09-061.mspx

      And that was after 3 earlier service packs for .NET didn't fix these issues. This thing is like a boat with a hundred holes. Patching 2 or 3 at a time doesn't solve the core problem... water is still able to pour right in.

      So... even though MS's Security/Patch Bulletin make no such claim, there is some idiot at Microsoft claiming this protects users from RCEs "regardless of attack vector" (which to me means, no more RCEs) - an absurd fantasy considering over a half dozen major attempts at fixing this. That instills a lot of faith in me.

    44. Re:Great by starfire83 · · Score: 1

      I don't get where people are getting this "didn't ask for it to be installed" and other such nonsense. Every single installer for the .NET framework since 1.0 (and subsequent service packs to the versions) have a EULA that you have to accept. In that EULA it no doubt mentions the plug-in since they legally have to and where else to put mention of it but in the EULA? Yeah, no one reads those but that's no one's fault but their own. You, technically, have awareness of the install by clicking the accept button.

    45. Re:Great by raddude99 · · Score: 1

      False. How is this different than Adobe writing Flash plugin software for Firefox?

      Incorrect, this is about Browser market share, and thus (because the most popular browser only runs on one company's operating system) operating system market share. Microsoft has the largest share of the browser market which is what they are trying to protect by using these underhand tactics. If Adobe were to kill their Firefox Flash plugin they would have nothing to gain. When, on the other hand Microsoft disables their Silverlight plugin for Firefox (or perhaps the Mac version of Silverlight) they have in fact quite a lot to gain. Your other arguments fail for the same reason.

    46. Re:Great by TropicalCoder · · Score: 1

      You seem quite knowledgeable about this EULA. Tell me then - does it say that you are giving Microsoft permission to sabotage Firefox? Does it even mention Firefox?

    47. Re:Great by daem0n1x · · Score: 1

      I don't really care if it's great and so many organisations depend on it. I don't even care about the vulnerabilities.

      I didn't ask for it, was installed behind my back and I was given no means to uninstall it. It's malware and Mozilla did the right thing cutting this evil by the root. MS behaviour is completely unacceptable and should be handled in a very strong and assertive way. Kudos for defending user freedom, Mozilla!

      Now, if the MS plugin is so important, offer it as an optional download and allow for users to uninstall it, just like Java, Adobe and Flash.

    48. Re:Great by ConceptJunkie · · Score: 1

      You raise a good point but the difference is this:

      The Microsoft .NET plugin is for functionality that maybe 1% or 1/10 of 1% of users actually use. If Firefox were to disable Flash, no matter how legitimate the reason, this would affect almost every single user adversely. Ditto for Adobe Reader and Java, although to a lesser extent.

      --
      You are in a maze of twisty little passages, all alike.
    49. Re:Great by jeremyp · · Score: 1

      Parent is wrong in one technical respect. The blocking mechanism does work by version, but the Microsoft add-on has not changed. The bug and the patch were in an underlying operating system component.

      The blocking mechanism is brain dead in one respect, in that it does not allow users to override the block decision. However, as the last post on the bug thread states, the add-on mechanism is also flawed, since it should not be possible for other companies to silently install Firefox add-ons without the user's consent. Microsoft is not the only company to have done this, apparently HP have done it for some of their printer drivers. A prompt the first time the add-on runs would help enormously.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    50. Re:Great by saider · · Score: 1

      Don't most windows accounts have elevated privileges when compared to unix accounts? I know on my windows machine (a default dell installation) the user can go in and overwrite the system files without a problem. This means that the typical windows user account has permissions that require root on a Unix machine, hence the increased trouble on windows machines.

      --
      Remember, You are unique...just like everyone else.
    51. Re:Great by shutdown+-p+now · · Score: 1

      Don't most windows accounts have elevated privileges when compared to unix accounts? I know on my windows machine (a default dell installation) the user can go in and overwrite the system files without a problem. This means that the typical windows user account has permissions that require root on a Unix machine, hence the increased trouble on windows machines.

      In XP, when you installed it and it created a new user account for you, it was Administrator by default, which gave you access to a lot of things; you could still create a normal user account, which would be limited in the same way it is in Unix, but a lot of software was written to only run correctly under admin.

      In Vista and 7, the new user account created during installation is also called "administrator", but in practice it is rather equivalent to a Unix setup wherein you have a normal user who has permission to sudo to root with his own credentials, as in Ubuntu or OS X out of the box; except that in Windows, he doesn't have to type his password again, but simply has to confirm privilege elevation via a UAC prompt (typing one's own password in OS X / Ubuntu ensures that program running under that user account cannot silently elevate on its own; in Windows, the same thing is achieved using "secure desktop" for UAC confirmation dialog - basically something which is sandboxed so that no application can inject input into it).

      So, no, in Vista and 7, a typical user account doesn't have any "root-like" permissions, and is no more troublesome than a typical Unix user account.

    52. Re:Great by Anonymous Coward · · Score: 0

      The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications to run in Firefox and ClickOnce program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?

      No it is not. IF I need XAML applications to run in my Firefox at all, I would want to go to the Firefox Extensions website to install it. I do not want, under ANY circumstances, for my software which I chose and installed, to be altered by any third party, without my express consent. How difficult is that concept to grasp?

      The way it is done, i.e. installing their software stealthily, leads me to think that MS would like to make it a "compelling" business case to customers to adopt .NET because most every browser has it.

      I am usually amused by MS antics, but this really pisses me off.

    53. Re:Great by ffreeloader · · Score: 1

      So MS doesn't have any motivation to drive users back to IE? MS doesn't have a history of screwing with technologies created by others so that technology will either be not used, or used only on Windows? Tell me you really believe that....

      And MS couldn't have created the plugin at the user level rather than at a system wide level? You're really telling me that MS just sort of accidentally created this plugin system wide rather than at the user level? It's just unintended consequences that the plugin just happened to be next to impossible to remove by the average user....

      If you really believe all that there's a bridge in Massachusetts that I'll sell to you for pennies on the dollar.

      Yeah, this is all Mozilla's fault. They didn't proactively stop MS from messing with their users, so they're the ones at fault. Not MS. They're just doing what they always do. Nah. MS shouldn't be held responsible for that. Anything MS can do is always the right thing to do.

      The unstated premise behind your logic is really something. MS never does anything wrong. It's always somebody else's fault when MS is the one screwing with users of third party software.

      --
      "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
  2. How about just disabling Microsoft? by John+Hasler · · Score: 0, Troll

    Much more effective.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:How about just disabling Microsoft? by AvalancheBurn · · Score: 0, Troll

      Yes, except that most of the world is using M$ as their OS. They still have the largest market share on computers, especially in the US. Though I am still confused as to why M$ would need to have an addon for Firefox. Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create an addon for a competing company?

    2. Re:How about just disabling Microsoft? by sopssa · · Score: 1

      Because Microsoft is not only creating or competing with Internet Explorer. The addon adds .NET version in to useragent so websites can see if it's installed.

    3. Re:How about just disabling Microsoft? by siddesu · · Score: 5, Funny

      FYI, it doesn't help at all !!!

      I have Microsoft disabled (I run Gentoo Linux), and my Firefox failed miserably to disable the .Net plug-in. I spent a day clicking on the menus and recompiling updates, and I still don't get the pop-up :(

      On the bright side, my system now runs 1.27% faster compared to yesterday. It feels like 10% faster, really.

    4. Re:How about just disabling Microsoft? by Hurricane78 · · Score: 3, Insightful

      So your argument against people switching away from MS, is that people use MS??
      That's the classical excuse of the beta human: I can't do it, because nobody does it.
      And why does "nobody" do it? Because everybody uses that "argument" to not do it!

      The best thing is, that it isn't even remotely true that nobody does it. You're reading a comment from someone doing it right now. But it's so convenient to ignore that, isn't it?
      Maybe that's the difference between alphas and betas. Alphas have no problem being the first in the club, to start dancing. No they even grab a girl and make a show out of it! ^^ (Because they know that that makes them the leader. Something that is very handy and feels great. Killing any insecurity-based awkwardness.)

      So if one person can do it, then two can too. Including handling MS file formats. Including the ability to be in a MS (SMB) network. And so on.
      So if two can do it, everybody can.

      Which means nobody needs to use MS software. But they want it! Why? Because it's less effort. One can be lazy. And the excuses "always work", to lie even to oneself, about wanting to switch.
      "Oh, if only others would use it! Then I would too! But in this situation? No way!" Except that you wouldn't. Or if you would, then I wonder what a pathetic kind of cattle you are, for always trying to conform, even if it's not what you like.

      Hell, I'd even prefer to hear that you actually prefer Windows, and that this is mostly because you don't like all the work required to switch. That would at least be honest. And while not agreeing with the view, I could absolutely comprehend and accept it.

      Do yourself a favor, stop imitating others just to be "accepted", stop caring what others think of you, build your own set of values, be you, do what you like, and strongly stand behind your reality. That is a basic human right of everybody. And we will not hate you for it. No, we will love you for it. (Isn't it strange, how doing the opposite of what you did, will give you what you always wanted? ^^)

      P.S.: If anywhere you found that my assumptions are wrong, *of course* you can tell me how wrong I am. But only if. ^^ (And moderation is no replacement.)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    5. Re:How about just disabling Microsoft? by daboochmeister · · Score: 3, Funny

      As Mr. Morden said to Londo Mollari when Londo asked why not just destroy the Narn homeworld ... "one thing at a time, Ambassador, one thing at a time".

      --
      "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
    6. Re:How about just disabling Microsoft? by AvalancheBurn · · Score: 0, Troll

      Your argument is the same as "Post Hoc ergo propter hoc". You say that just because one can that others can, which isn't always true. Now I do not use M$ software myself because I find there to be problems that should be fixed, but there are a lot of people who just have neither the time to deal with linux nor do they have the technical experience. Yes, there have been advances especially with Ubuntu but the problem is that there are still not enough safety measures in place to make it user proof.

    7. Re:How about just disabling Microsoft? by buchner.johannes · · Score: 1

      It feels like 10% faster, really.

      Dear fellow Gentoo User, this is just your headache from watching programs compile. Take your medicine now.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    8. Re:How about just disabling Microsoft? by ae1294 · · Score: 1, Offtopic

      my system now runs 1.27% faster compared to yesterday. It feels like 10% faster, really

      Ahhh you must have compiled using something other than 386! Congrats on using "make menuconfig"!!!

      Now if I could only learn how to get that damn make-kpkg to work right in Debian so the modules get included in the .dep file... What is a .dep file anyhow? is it just some tar file? I really wanna make a complete custom kernel package that I can move to my other system.... sigh

      "Documentation" vs "developers, developers, developers!"

    9. Re:How about just disabling Microsoft? by John+Hasler · · Score: 2, Funny

      > Now if I could only learn how to get that damn make-kpkg to work right in
      > Debian so the modules get included in the .dep file... What is a .dep file
      > anyhow?

      ".dep"? Never heard of it. Nothing to do with Debian, certainly.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    10. Re:How about just disabling Microsoft? by King+Kwame+Kilpatric · · Score: 1

      This is OT, but:

      man depmod

      depmod - program to generate modules.dep and map files

      If you mean you want the modules in the .deb file, use the --initrd parameter as well as a script, such as
      /usr/share/doc/kernel-package/examples/etc/kernel/postrm.d/initramfs
      /usr/share/doc/kernel-package/examples/etc/kernel/postinst.d/initramfs

      ...as is mentioned in /usr/share/doc/kernel-package/README.gz

    11. Re:How about just disabling Microsoft? by Rocketship+Underpant · · Score: 3, Funny

      "On the bright side, my system now runs 1.27% faster compared to yesterday."

      Which means that time you spent recompiling everything should pay for itself after about 90 more days of straight Firefox usage.

      --
      He who lights his taper at mine, receives light without darkening me.
    12. Re:How about just disabling Microsoft? by Vellmont · · Score: 5, Insightful


      Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create an addon for a competing company?

      Not really if you look at where the real competition is occurring.

      The REAL product that Microsoft is trying to protect is the Windows platform. This is how Microsoft maintains their monopoly. IE is merely a means to try to control the web market to use Windows only across the board. The windows platform maintains much of its monopoly power by controlling the software to run on only Windows. Microsoft has long known that 3rd party developers were a big factor in building their monopoly, and keeping them on Windows maintains that monopoly.

      This plugin lets you run parts of .Net on Firefox, correct? .Net is largely Windows only software, correct? So by having Firefox (an increasingly popular web browser on Windows) run .Net software, Microsoft is trying to maintain .Net on web browsers as a viable platform. By doing this they try to ensure that you'll need a Windows computer to run .Net software on a browser. The alternative is that Web developers increasingly reject .Net components because of the increasing popularity of FireFox (and .Net not running on FireFox, thus developers don't want to lose the market share and choose non .Net alternatives). That's bad for Microsoft, since it means more inter-operability with other OS's, which would decrease the relevance of Windows.

      Pretty clever, really. Frankly I think the Firefox developers should stop this nonsense not only because of the security concerns, but mainly because it's an attempt to control Firefox by Microsoft. Does Mozilla really want to answer to whatever Microsoft decides to inject into Firefox this week?

      I also think it's a anti-competitive move by Microsoft and an abuse of their monopoly power. I doubt anyone will do anything about it though.

      --
      AccountKiller
    13. Re:How about just disabling Microsoft? by mweather · · Score: 2, Insightful

      And you think Windows is user proof? They can't even use the web browser without getting infected with god knows what.

    14. Re:How about just disabling Microsoft? by AvalancheBurn · · Score: 0, Troll

      Not saying it's user proof, but the concept of it is easier to understand for the average user. In a linux os there is a lot more available to the user but the problem is that because of that there are also more ways to cause accidental harm. The problem is that with Mac OS X you have almost no real power when it comes to what you can do with the system besides what the creators wanted and in linux you have too much. Windows is far from perfect and in fact I hate it most of the time. The point is that for the average user windows provides a system where there is still the ability to have some control but at the same time there are safety rails.

    15. Re:How about just disabling Microsoft? by AvalancheBurn · · Score: 3, Interesting

      I agree with your points, that is what I was getting at with the question. Microsoft is really pushing it a little too far when it comes to placing .NET code in a third party application. The problem is that with most microsoft code there are going to be bugs throughout it, this is even more so when dealing with a third party application like firefox. I think they should stick to their os and leave the rest to others because they end up causing more issues than they solve.

    16. Re:How about just disabling Microsoft? by ae1294 · · Score: 1

      Thanks for the info. Yeah it's offtopic but I've been screwing with it all morning...

      grads,
      Luke

    17. Re:How about just disabling Microsoft? by Anonymous Coward · · Score: 1, Informative

      Microsoft has issued a download that will remove the .NET-related addon politely.
      http://www.microsoft.com/downloads/details.aspx?FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab&displaylang=en
      It didn't even ask for a reboot (not sure how that works, if it has to alter the registry) and Firefox seems to be happy now.

    18. Re:How about just disabling Microsoft? by Anonymous Coward · · Score: 0

      You're not a real alpha either, real alphas grunt and catch their food with their hands.

    19. Re:How about just disabling Microsoft? by jtheisen · · Score: 1

      So your argument against people switching away from MS, is that people use MS?? That's the classical excuse of to beta human: I can't do it, because nobody does it. And why does "nobody" do it? Because everybody uses that "argument" to not do it!

      Exactly. Why do most countries still speak languages other than English? Their argument always is "because everyone else around here speaks xyz".

    20. Re:How about just disabling Microsoft? by Anonymous Coward · · Score: 0

      Wow, bit overboard? The guy points out that most people have MS, so disabling it isn't a very viable option... If you want to personally (and magically, like santa) go and install Linux on every MS computer then offer that and THEN bitch to the person. The point stands though, you can't just "switch" people who have no idea how to do it for themselves.

      Are all alpha humans self-righteous and full of ideological zeal?

      -LAZY AC

    21. Re:How about just disabling Microsoft? by agnosticnixie · · Score: 1

      If your argument made any sense, it would be in favor of keeping multiple OS platforms and multiplatform tools.

    22. Re:How about just disabling Microsoft? by jamstar7 · · Score: 1

      Which means nobody needs to use MS software. But they want it! Why? Because it's less effort. One can be lazy. And the excuses "always work", to lie even to oneself, about wanting to switch.

      No, they want it because it's bundled with the computer. Except for geeks like (most?) of us, bare OS-less computers turn into paperweights. One of my old customers remarked way back in the day, "We pay people like you to handle the computer details, we're busy making MONEY." And other than geeks like (most?) of us, the last thing we wanna do when we get home from the 9 to 5 is work on a computer.

      Spare me the 'learning curve' line. There is a learning curve involved with Windows and Microsoft products, otherwise there wouldn't be any of those 'For Dummies' books in the computer stores & book stores to teach Joe Sixpack a good portion of what he needs/should know.

      --
      Understanding the scope of the problem is the first step on the path to true panic.
    23. Re:How about just disabling Microsoft? by shentino · · Score: 1

      I'd say it had something to do with the Tower of Babel.

    24. Re:How about just disabling Microsoft? by petermgreen · · Score: 1

      Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create an addon for a competing company?

      There is no desktop web browser market anymore, MS killed that years ago and even opera which hung on for a while has now given up trying to sell their desktop browser.

      Microsoft's goal is to keep people on windows (and preferably office too but that is not relevant here). Whether that is through relying on IE or relying on a MS plugin for .NET in firefox doesn't really make a whole lot of difference.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    25. Re:How about just disabling Microsoft? by ae1294 · · Score: 1

      ".dep"? Never heard of it. Nothing to do with Debian, certainly

      DAMN! that must have been my whole problem right there! THANKS!!!

    26. Re:How about just disabling Microsoft? by PhilHibbs · · Score: 1

      Mozilla could take a leaf out of Microsoft's book. MS won't let third-party Ogg Vorbis files play on their Plays4Sure devices, because they want the user experience to be consistent across the entire Plays4Sure "platform", and having a media file play on one device but not another is, according to them, not a good thing for the consumer. Therefore Mozilla should, according to MS's play-book, act to prevent .Net components from working in Mozilla, because that creates a fractured Firefox platform experience. Someone will probably point out to me some feature or add-on that only works on GNU/Linux Firefox now...

    27. Re:How about just disabling Microsoft? by Joey+Vegetables · · Score: 1

      Didn't ya RTFM??? Just set your ARCH to ~x86 and emerge www-misc/disable-mafia$oft-plugin-crapola-0.4428-r1.ebuild. With all the required deps it should take no more than a week, assuming at least a quad-core machine and that you're using distcc. :)

  3. Oops by Mr_Silver · · Score: 3, Informative

    I just checked my addons and whilst I don't have the Microsoft addon, I do have an AVG one which is disabled. Clicking on the more information link (https://en-gb.www.mozilla.com/en-GB/blocklist/) presents me with a page that says:

    en-gb.www.mozilla.com uses an invalid security certificate.

    The certificate is only valid for *.mozilla.com.

    (Error code: ssl_error_bad_cert_domain)

    Whilst it is nice to see they've done it, it's a shame that they didn't test the end to end user flow.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
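The `ssl_error_bad_cert_domain` error quoted in the comment above follows from how wildcard certificate names are matched: `*` stands in for exactly one leftmost DNS label, so `*.mozilla.com` covers `www.mozilla.com` but not `en-gb.www.mozilla.com`. The sketch below is an added example, not part of the original thread and not Firefox's code; the function names are hypothetical, the second name-list entry in the sample is constructed, and it assumes the strict reading in which only a complete leftmost label may be a wildcard.

```python
import ipaddress


def _labels(name):
    # DNS names compare case-insensitively; a single trailing dot is the root.
    return name.rstrip(".").lower().split(".")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def wildcard_matches(pattern, hostname):
    """Return True if a certificate DNS name (pattern) covers hostname.

    Assumed rules (strict reading of wildcard matching):
      * wildcards never match IP address literals
      * '*' is allowed only as the entire leftmost label
      * '*' matches exactly one label, never zero and never several
      * at least two labels must follow the wildcard (no '*.com')
    """
    if _is_ip(hostname):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:          # empty label: malformed name
        return False
    if "*" not in pattern:          # plain name: exact match only
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                # partial or non-leftmost wildcard
    if len(p) < 3:
        return False                # too broad, e.g. '*.com'
    # Same number of labels means '*' consumed exactly one of them.
    return len(h) == len(p) and h[1:] == p[1:]


def cert_covers(cert_dns_names, hostname):
    """Return the certificate names that cover hostname (empty list = mismatch)."""
    return [n for n in cert_dns_names if wildcard_matches(n, hostname)]


if __name__ == "__main__":
    # '*.mozilla.com' is the name from the quoted error; the bare-domain
    # entry is constructed for the example.
    names = ["*.mozilla.com", "mozilla.com"]
    for host in ("www.mozilla.com", "en-gb.www.mozilla.com", "mozilla.com"):
        matched = cert_covers(names, host)
        print(f"{host:25} -> {'ok via ' + matched[0] if matched else 'MISMATCH'}")
```

Serving `en-gb.www.mozilla.com` without the error needs a certificate that lists that exact name or `*.www.mozilla.com`.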
    1. Re:Oops by mwvdlee · · Score: 2, Insightful

      It's open source; you did the testing for them just then!

      Now if only reporting these types of issues could be done from within Firefox without having to jump through hoops.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Oops by Anonymous Coward · · Score: 1, Insightful

      Like they do with the ubuntu bugtracker, in which popular bugs are polluted with lusers asking instructions? No thank you, leave reporting to the semi-professionals instead of every luser with a keyboard...

    3. Re:Oops by Anonymous Coward · · Score: 1, Informative

      It's being worked on. See bugs 505031 and 454299 to track.

    4. Re:Oops by Anonymous Coward · · Score: 0

      That would be easy to write if only there were a .NET plugin installed in Firefox!

    5. Re:Oops by Anonymous Coward · · Score: 1, Interesting

      Wouldn't a better option be to allow automated/no-registration bug reports on a different bug tracker? Have a bug wrangler or two push the useful information on to the real tracker, and aggressively delete the crap.

    6. Re:Oops by Anonymous Coward · · Score: 0

      Like they do with the ubuntu bugtracker, in which popular bugs are polluted with lusers asking instructions? No thank you, leave reporting to the semi-professionals instead of every luser with a keyboard...

      it's called "noobuntu" for a reason, you know...

    7. Re:Oops by Anonymous Coward · · Score: 0

      this is https://bugzilla.mozilla.org/show_bug.cgi?id=522864

      so, no, we don't really need a way for people to file that bug report.

    8. Re:Oops by Anonymous Coward · · Score: 0

      Clearly not a bug. It works for the people testing it in the US :-)

    9. Re:Oops by Malc · · Score: 1

      My experience of reporting bugs to Mozilla is that it is a waste of time. The devs are a bunch of prima donnas. I gave up supporting Mozilla in that way years ago. It's not worth the time nor effort. Do they still allow you to vote on bugs? They used to ignore that too.

      This issue itself has been turned into a political issue. They have implemented the wrong solution, but that doesn't matter to them.

    10. Re:Oops by sayno2quat · · Score: 1

      (Per your signature), isn't the site slashdot.org, not slashdot.com? Unless there is a joke I am missing here...

      --
      Sure I sold you robot insurance. But you were attacked by a cyborg. Not covered.
    11. Re:Oops by Anonymous Coward · · Score: 0

      -1 points abuse of Whilst. What is wrong with "while"?

    12. Re:Oops by Anonymous Coward · · Score: 0

      Stop saying "whilst" you neckbearded goon.

    13. Re:Oops by Mr_Silver · · Score: 1

      Oops, well spotted and thanks :)

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
  4. Plugin-checker by Norsefire · · Score: 2, Interesting

    The TFA makes a reference to Mozilla's new Plugin checker. I just went there with JavaScript disabled and ...

    You have JavaScript disabled or are using a browser without JavaScript. This Plugin Check page does not work without the awesome power of JavaScript. Please enable this Content Preference and reload the page. Or disable all your plugins and keep JavaScript disabled... you'd be in good company, that's how RMS rolls.

    1. Re:Plugin-checker by drinkypoo · · Score: 0, Offtopic

      The TFA makes a reference to Mozilla's new Plugin checker. I just went there with JavaScript disabled and ...

      I just enabled JavaScript and...

      We've encountered an error. Please try your request again later.

      How fantastic.

      Why do quote and blockquote tags render the same? That's stupid.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Plugin-checker by phozz+bare · · Score: 4, Funny

      The TFA makes a reference [...]

      You mean The TFA Article.

    3. Re:Plugin-checker by Norsefire · · Score: 1

      Oh shit, you're right. "Terrific, friendly, articulate article". ;-)

    4. Re:Plugin-checker by Hurricane78 · · Score: 1

      So RMS also caved in, and does not disable images and CSS styles anymore? What a loser. I knew he was getting weak when he switched from netcat to lynx!

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    5. Re:Plugin-checker by icebraining · · Score: 1

      Actually

      "For personal reasons, I do not browse the web from my computer. (I also have not net connection much of the time.) To look at page I send mail to a demon which runs wget and mails the page back to me. It is very efficient use of my time, but it is slow in real time."

      http://lwn.net/Articles/262570/

    6. Re:Plugin-checker by Anonymous Coward · · Score: 0

      The Fricken' TFA Article. (Also an abandoned slogan for Coke!)

    7. Re:Plugin-checker by mister_playboy · · Score: 1

      I admire his principles, but this is a little ridiculous.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    8. Re:Plugin-checker by Anonymous Coward · · Score: 0

      He probably likes to eat at The La Trattoria...

  5. Bad for Firefox in the long run? by cyclocommuter · · Score: 4, Interesting

    I might be mistaken but don't these add-ons/plugins from Microsoft specifically allow certain web pages to render properly under Firefox which otherwise would have required users to run IE? If so Microsoft centric IT Enterprise users who have started using Firefox at work might revert back to IE. This might reduce the gains that Firefox has been achieving in Microsoft centric IT Enterprise shops.

    1. Re:Bad for Firefox in the long run? by Antique+Geekmeister · · Score: 5, Informative

      Oh, I think not. The "functionality" added is Windows specific. Websites _should not_ be OS specific. And Microsoft had _no business_ shoving their plug-in silently into Firefox. And most of all, .NET is now a security nightmare: Brian LaMacchia, one of the authors of ".NET Framework Security", resigned from .NET development rather than continue with it. (LaMacchia's career is fascinating: if you'd like to follow a trail of an expert engineer getting involved in projects that are doomed for mishandling security, perhaps in spite of his best efforts, check out his career.)

    2. Re:Bad for Firefox in the long run? by Anonymous Coward · · Score: 2, Insightful

      >Websites _should not_ be OS specific

      Try telling that to corporate IT which wants certain functionality implemented certain ways. Hell, if you want, blame whoever invented the "best viewed by" concept and slap them around with a wet trout.

    3. Re:Bad for Firefox in the long run? by wgoodman · · Score: 1

      essentially it added an option to have pages install things without the user's input.. since apparently Mozilla users have been hounding MS for that ability for quite some time now.

      I was rather confused on seeing the dialogue box considering i manually uninstalled the security holes a long while ago. they were no longer installed but i suppose it's nice that Mozilla wanted to be extra sure. i miss having proper control of my system. this is reminding me (on a larger scale) of the adblock vs noscript wars a while back.

    4. Re:Bad for Firefox in the long run? by gbjbaanb · · Score: 4, Interesting

      Do you have a link for that? I'd be very interested to show more flaws in the design of .NET.

      I know Chris Brumme's excellent weblog about the CLR has quite a few interesting things to say, and even more if you read between the lines in places, you know he wants to say "we screwed this up big time" and he does say that occasionally. With hindsight, they did make some technical mistakes - throwing objects instead of just exceptions, allowing .Net apps to run in IIS at all, thinking GC would remove the need for reference counting, and several marketing mistakes - telling everyone exceptions were very inexpensive (I recall one particularly misinformed MS drone telling me exceptions were free because it was all handled by the CLR... d'oh)(read the blog)

      If ever there was an example of keeping it simple, .NET is it - as an example of what not to do. Hats off to Chris who I think is very intelligent and talented, but the scope and spec of what they asked of him was too awkward to make a perfect job of.

    5. Re:Bad for Firefox in the long run? by thejynxed · · Score: 5, Informative

      You better check again, as the plugin tries to re-install itself silently when a .NET service is called from a website in Firefox, and also via the recent batch of patches from Microsoft. The only way to be sure is to double-check and not only nuke the appropriate registry entry, but the entire sub-folder of your .NET installation the plugin is installed to, as well as resetting the ID string in About:Config. Then you should proceed to disable that update from being downloaded or displayed via Automatic Updates.

      The really disturbing thing I found, is that after sneakily re-installing itself via the latest patch from MS, the plugin is not displayed at all in the Addons/Extensions portion of the Firefox configuration screen. The only reason I even found it reinstalled, was that warning from Firefox when the nasa.gov site attempted to load the plugin while viewing their photo galleries.

      Yes, it was my fault to have updates set on Automatic/Automatic, which has since been remedied on this system. I was irresponsibly lazy on the matter.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    6. Re:Bad for Firefox in the long run? by EMN13 · · Score: 2, Insightful

      So your argument against the fact that a plugin replicating IE-specific tech for firefox doesn't matter in intranet environments is... ... that it's windows specific?

      Are you kidding?

    7. Re:Bad for Firefox in the long run? by thejynxed · · Score: 2, Interesting

      I forgot to mention in my previous post: It always shows up in the Plugin section of Addons (as it always did, found it odd to be displayed in both Plugins and Extensions sections, but whatever), even after the Plugin is uninstalled manually and the system and Firefox are restarted. Anyone know how to fix that?

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    8. Re:Bad for Firefox in the long run? by Hurricane78 · · Score: 1

      No. Once you are used to the other add-ons, you can't live with a plain browser anymore anyway. ^^

      But obviously, you think that everybody just caves in, when a page is crap (=renders only in IE).

      Do you remember how you and others argued, that IE users complain that the page is buggy, when in fact their browser was?
      You either have to say that the same is true for average Firefox users too, or that it never was true (which would be a lie, because people actually did blame the pages, as I know from years of being in that business).

      I think they will finally call the page what it is, for "being buggy" (= requiring IE): A crappy page.
      Then they will go to the competition, which is just a click away.

      By the way: I really wonder why people still come up with that "IE only pages" argument. It's years since I last saw something like that. And even then it was an old and buggy page that looked like out of the 90s. With Firefox over 20%, there is just no way any serious business would miss out on that market share. I know from my old job, that we usually had to make our pages compatible with enough browsers, to get above the 95% margin. Which sometimes meant, to specifically test in IE (two versions, at least), Firefox, Opera and Safari. That's how business does it. Because every lost user is a lost client is going down compared to the competition means not reaching the yearly goal means no bonus or raises for anyone. It's a no-brainer.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    9. Re:Bad for Firefox in the long run? by bhtooefr · · Score: 1

      Well, if the site will load in IE 5.5 and doesn't need any ActiveX components, it's not Windows-specific - it'll work on Solaris/SPARC or HP-UX/PA-RISC as well. :P

    10. Re:Bad for Firefox in the long run? by wasabii · · Score: 2

      Yup. Basically. I'm going to be super pissed if I have to walk around to 100+ machines tomorrow morning and uninstall Firefox. Seriously. That'll be the end of that.

    11. Re:Bad for Firefox in the long run? by Tubal-Cain · · Score: 1

      The web browsers aren't just being used on the intranet.

    12. Re:Bad for Firefox in the long run? by spikenerd · · Score: 2, Interesting

      I worked under Brian (bal) when he left .NET. He accepted a position as an architect in another division. I left a couple of years later (but that's another story--I'd love to tell it). It seemed to me at the time that he was just moving upward, not really taking a stand against Microsoft's bad practices. ...or maybe they were just really good at keeping those kind of things quiet. He was always too clear-headed to fully drink the MS kool-aid. Hmm. I suppose I could believe that they gagged him as part of the terms of his new position. Do you have any sources on this information? I'd really like to hear about it.

    13. Re:Bad for Firefox in the long run? by advocate_one · · Score: 2, Informative

      dust off, nuke it from orbit and install Linux...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    14. Re:Bad for Firefox in the long run? by TubeSteak · · Score: 1

      With hindsight, they did make some technical mistakes - throwing objects instead of just exceptions

      Objects like chairs?

      --
      [Fuck Beta]
      o0t!
    15. Re:Bad for Firefox in the long run? by TropicalCoder · · Score: 1

      You only have Microsoft to blame for that. This is a serious vulnerability that Microsoft created, and both Microsoft & Mozilla agree that blocking it is necessary.

      It's important to note that the vast majority of users with this add-on installed did not know that it was installed, or ask for it to be installed, and it's very difficult to uninstall cleanly due to the hidden extension that is left behind, as well as the "9.*.*" maxversion. This means that users who don't normally care about IE updates, because they are Firefox users, will be vulnerable without the block.

    16. Re:Bad for Firefox in the long run? by ralphbecket · · Score: 2, Interesting

      The modern CLR seems fairly sensible to me; definitely several steps ahead of the JVM (e.g., compare how parametric polymorphism is handled).

      The article you link to on GC is an in-depth discussion on the cost of implementing finalisation in the GC. These problems are well known and, more to the point, are only some of the reasons why implicit (nondeterministic) finalisation is a Bad Thing. Reference counting memory allocators are much slower than mark-and-sweep memory management for most programs, mainly because of all the bookkeeping the mutator (i.e., your application) has to do.

      With regards to exception handling being slow, this is something that has always made me curious: why would anyone use exceptions in a situation where they expect exceptions to be thrown frequently (i.e., not exceptionally!)?

      For both these points, yes I can come up with examples where reference counting would be sensible and where fast exception handling would be useful, but these would be very special cases that are not representative of most programs.

      The .NET CLR is surely not perfect, but I can't think of any competing schemes that do better (C-- is a possibility, but that project has unfortunately been stuck in first gear for a while).

    17. Re:Bad for Firefox in the long run? by shutdown+-p+now · · Score: 1

      Oh, I think not. The "functionality" added is Windows specific. Websites _should not_ be OS specific.

      When it comes to websites on the Internet, I wholeheartedly agree. Intranet is a different story altogether - quite often, web browser is simply used as a convenient way to serve an application to the user, and make sure it's always up to date, but otherwise it's not restricted to HTML/JS (which, as I'm sure many will agree, is pretty messy when it comes to complicated forms and highly dynamic UI).

      XBAP was designed precisely for that thing - for user it looks like a browser application in a sense that he navigates to some URL, and sees more URLs (and working Back/Forward buttons) as he uses the application, but all rendering is done via WPF. I don't really see anything wrong with that; not anymore than writing applications in XUL (which obviously requires Firefox or other Mozilla-based browser).

      And Microsoft had _no business_ shoving their plug-in silently into Firefox.

      I think that asking before doing that would be the way to go, but unfortunately MS didn't establish the existing "we know better" convention - Sun did, when it started to silently install browser plugins to handle Java applets and Java Web Start.

      At this point, for both MS and Sun, the first one to back out of it would be put at a disadvantage compared to the one who doesn't, because that would mean that their tech no longer "just works". In this case, it seems that MS was forced to back out by vulnerability discovery; I sure hope that someone finds a few holes in JVM as well, so Mozilla guys can block that as well, and we can get back to the sane explicit opt-in model for everything.

      Brian LaMacchia, one of the authors of ".NET Framework Security", resigned from .NET development rather than continue with it.

      Do you have any references to back your implied claim that Brian resigned from .NET development because of issues with .NET security model?

      Keep in mind that the vulnerability mentioned in TFA doesn't have anything to do with .NET's "inherent insecurity" - it really is just a bytecode verifier bug, and it can happen to any sandboxed VM - such as JVM, for example.

    18. Re:Bad for Firefox in the long run? by shutdown+-p+now · · Score: 2, Interesting

      If ever there was an example of keeping it simple, .NET is it - as an example of what not to do.

      I don't think the design goal of .NET was ever to "keep it simple". It could be a lot simpler if its design goals were like JVM - a VM specifically designed to run a single language that is very restrictive in terms of what one can do with it. .NET, however, was originally designed as VM for which you could write a full-featured ISO C++ compiler producing strictly bytecode (not necessarily verifiable - can't really do it with C++ - but 100% "managed"). Because of that, it's far more feature-rich than JVM from its user's perspective, and that, of course, means "more complicated".

      In fact, one of the recent .NET vulnerabilities specifically has to do with an obscure CLR feature that, so far as I know, was originally added to it solely for the sake of C++.

    19. Re:Bad for Firefox in the long run? by zero0ne · · Score: 1

      Really? You have to _walk around_ to 100+ machines to uninstall an application?

    20. Re:Bad for Firefox in the long run? by Antique+Geekmeister · · Score: 1

      Well, Brian discussed it at a conference, explaining that we could have some confidence in the closed source of his new Palladium project (later renamed Trusted Computing) because if it were mishandled, engineers like him would resign, just as he had resigned from .NET due to mandated changes that would break its security. It took several of us quite some time to stop laughing at the naivety of this claim, because _of course_ Microsoft would abuse such a new security model and would not care much about disillusioning him, again.

      So for me, it was Brian saying it to the conference. I'll see if I can find a direct reference to it.

    21. Re:Bad for Firefox in the long run? by Antique+Geekmeister · · Score: 1

      This was some years ago: what enforced this in my memory was the stunned reaction of more politically aware people to Brian's claim that we can trust Microsoft because if they screw up, the engineers will resign, not the details of the particular .NET security change that caused Brian to resign. The details of the added vulnerability, and it was an _added_ change, was one I simply don't remember enough about .NET to remember.

    22. Re:Bad for Firefox in the long run? by Anonymous Coward · · Score: 0

      Links to the details regarding why he resigned from .NET security? I think lots of people would like to know.

    23. Re:Bad for Firefox in the long run? by Anonymous Coward · · Score: 0

      about:config "blocklist". Duh, and you call yourself an admin?

    24. Re:Bad for Firefox in the long run? by gbjbaanb · · Score: 1

      Ah, no.. my point is not that it's complex in itself, but it's complex because of all the "added-value" bits it was required to support - the article of hosting is a good one because it describes how any nice, clean, implementation would have to be sullied by having to support IIS integration, and SQL Server, and whatever other bodged in system MS happens to have. Instead of keeping it separate, it always has to be integrated so you can write your SQL queries in C#, or your webapps in VB.NET, nobody thought it might be a good idea to try a more decoupled approach.

      As a result, you get feature sprawl, and then have to support a ton of backward compatibility issues, and maintenance becomes very difficult. And things like security issues will creep in simply because the system is vastly more complex than it should have been.

    25. Re:Bad for Firefox in the long run? by thejynxed · · Score: 1

      Irrelevant in a discussion on how to fix the issue at hand. Linux does not help me fix the issue of a Microsoft plugin showing up in the Windows version of Firefox after it was manually removed.

      Don't get me wrong, it has a place on one of my hard drives, but it is not my primary OS, nor is it the right tool for the job I do, hence what I use my Windows OS for.

      Also, I can't use Linux to connect to work remotely. Incompatible systems. MacOSX and Windows are the only two supported systems at the workplace via Citrix (and they also both work with the version of MS Office that work serves to me via Citrix, Linux does not). This is strictly enforced on their end. This could be due to them having support contracts, service contracts, etc with Citrix, Apple and Microsoft, but Linux, real 'BSD', etc are locked out and their use for work is considered violation of company IT rules set by the board of directors and the company CTO.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  6. Two words by Norsefire · · Score: 3, Interesting

    Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create an addon for a competing company?

    Chrome Frame.

    1. Re:Two words by Darkness404 · · Score: 2, Informative

      Chrome Frame was required for running Google Wave (HTML5) in IE. So it's not much different than all those Active X plugins you used to have to install to get other things to work back in the "bad old days".

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Two words by Anonymous Coward · · Score: 0

      Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create an addon for a competing company?

      Chrome Frame.

      I trust Google to patch such holes far faster than MS. Why? Well call me an idiot, but a few decades of history is what I base this on.

    3. Re:Two words by SanityInAnarchy · · Score: 2, Insightful

      Except that Chrome Frame is doing this via modern standards (HTML5). So it can be used for more than just a single website, and if you don't like Chrome Frame, there's always another browser.

      --
      Don't thank God, thank a doctor!
    4. Re:Two words by man_of_mr_e · · Score: 0

      Really? Which standard does HTML5 correspond to? There is no HTML5 standard. Right now, it's just browser makers doing their own proprietary things hoping to make it standard when things are finalized.

      I'm sick of people claiming Video tags, or various other HTML5 things are standard. They're not. Not until the standard is ratified, everything is subject to change.

    5. Re:Two words by shentino · · Score: 1

      The critical difference in this case is that chrome frame is entirely opt-in. You aren't forced to install it.

      Even doughnuts taste disgusting if they're rammed down your throat.

    6. Re:Two words by msuarezalvarez · · Score: 1

      All standards are born that way. Well... all good standards: those of the other kind usually are born in without having been implemented before.

    7. Re:Two words by Kalriath · · Score: 1

      I wouldn't claim that if I were you - that's where IE6 came from, Microsoft implementing a draft standard in whatever way they thought made sense.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    8. Re:Two words by SanityInAnarchy · · Score: 1

      There is no HTML5 standard.

      http://dev.w3.org/html5/spec/Overview.html

      Right now, it's just browser makers doing their own proprietary things hoping to make it standard when things are finalized.

      That's how it pretty much always has been -- browser makers add a feature, and if it's a good idea, it gets folded into the standard. Very rarely is it the other way around, and for good reason -- you wouldn't want to specify something in the standard which has zero implementations, and may not be possible to implement.

      Regardless, there is an HTML5 standard, and it is possible to build websites that conform to that standard, and are viewable without modification on Safari, Chrome, Firefox, Opera, Konqueror, pretty much everywhere except IE.

      Not until the standard is ratified, everything is subject to change.

      That's a fair complaint -- but it doesn't change any of what I just said. I can build something to conform to this "standard", even if it isn't ratified, and have it work everywhere except IE.

      In fact, even if we ignore HTML5, IE has been so bad about other standards that it makes sense, even if only to allow me to use standard CSS, or rely on Javascript actually being fast.

      --
      Don't thank God, thank a doctor!
    9. Re:Two words by SanityInAnarchy · · Score: 1

      Except that Microsoft then didn't change IE once it actually was standard, nor did they work with other browsers to ensure that their implementation is compatible.

      --
      Don't thank God, thank a doctor!
    10. Re:Two words by msuarezalvarez · · Score: 1

      Why would I not claim what I claimed? It is true.

    11. Re:Two words by AntiDragon · · Score: 1

      And you get to choose whether to install Chrome Frame or not. You can even *gasp* uninstall it at a later date!

      --
      "...So I hung back and lurked. For 18 months. Can't beat a good old-fashioned lurking."
    12. Re:Two words by man_of_mr_e · · Score: 1

      No. There is no HTML5 standard. It's a draft standard, subject to change at any time. Anything that can change at any time, and have the rug pulled out from under you is *NOT* a standard.

      In fact, HTML5 isn't likely to be a ratified standard for several more years.

    13. Re:Two words by SanityInAnarchy · · Score: 1

      I acknowledged this, and responded to it. Did you read my entire comment?

      --
      Don't thank God, thank a doctor!
  7. MS kinda overstepped its bounds on this one. by Anonymous Coward · · Score: 4, Insightful

    Microsoft has deservedly taken a LOT of sh*t for forcing this addon into Firefox unannounced - AND preventing you from disabling or uninstalling it - unless you yank it out of the registry. It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"

    1. Re:MS kinda overstepped its bounds on this one. by sopssa · · Score: 3, Insightful

      It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"

      You seem quite lost. They're not blocking it for that reason, but because it had a security vulnerability.

    2. Re:MS kinda overstepped its bounds on this one. by phoenix321 · · Score: 3, Insightful

      The .NET installer/updater that forces this addon into Firefox is running as administrator or even system rights. How should a non-running app protect itself against a code injection in their home directory done by a process with system privileges? Without creating another mess of cryptographic signing, super-super user and files undeletable when Joe Sixpack decides to uninstall?

      I'm sure the Firefox team is working on hardening their application against scummy plugins that disallow being uninstalled, but I fear it's not exactly trivial protecting against administrator privileged malware without breaking a whole lot of other stuff.

    3. Re:MS kinda overstepped its bounds on this one. by lukas84 · · Score: 2, Informative

      Firefox offers an option for addons installed on the system level, and not on the user level, like the addons you manually install are.

      This makes sense for example in a company, where you deploy Firefox to desktops - you'll want for addons to be installed on a system, and not a per-user base.

      The .NET utility just made use of that.

    4. Re:MS kinda overstepped its bounds on this one. by buchner.johannes · · Score: 2, Insightful

      Furthermore, Microsoft agreed with the plan of disabling it. (RTFA)
      So it's more like

      It's nice to see the Mozilla folks say
      Mozilla> "NOPE, you...'re NOT doing this to our browser, now get lost!".
      Mozilla> that is, if it is OK with you, Microsoft, we would like to temporarily disable the addon until you come up with a fix
      Microsoft> we see we get some bad press, so yeah, it's OK
      Mozilla> Ooh thank you for talking with me
      FOSS people> Yeah, Mozilla, take them! M$ is buggy and insecure!

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    5. Re:MS kinda overstepped its bounds on this one. by buchner.johannes · · Score: 1

      I should really get rid of my sock puppets. But the M$ one is so cute. The Mozilla one scares me a little bit.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    6. Re:MS kinda overstepped its bounds on this one. by dna_(c)(tm)(r) · · Score: 2, Insightful

      This makes sense for example in a company, where you deploy Firefox to desktops - you'll want for addons to be installed on a system, and not a per-user base.

      It doesn't make sense that Steve Ballmer administrates your company's systems.

    7. Re:MS kinda overstepped its bounds on this one. by wasabii · · Score: 2, Informative

      A vulnerability which has already been patched. I use this functionality on over 100+ machines at the office. I've already deployed the patch. As far as I can tell, there's no easy way for me to disable the block list. I'm going to get into work tomorrow and switch 100+ boxes back to IE, if they don't reverse it. And I won't be switching them back to FF.

    8. Re:MS kinda overstepped its bounds on this one. by lukas84 · · Score: 1

      I guess you can see it that way, but in the end the .NET framework isn't an optional part in Vista or 7 (it was in XP - you may opt not to install it).

       

    9. Re:MS kinda overstepped its bounds on this one. by Anonymous Coward · · Score: 0

      Welp..... fail for you and your users, lol.

      Have fun using IE, fucking retard!

    10. Re:MS kinda overstepped its bounds on this one. by Anonymous Coward · · Score: 0

      You can edit an XML file somewhere in the firefox folders, and there's an entry in about:config that will disable the check that happens every 24 hours. I find it ridiculous as well that the plugin is blocked even after the patch has been applied. It makes no sense at all.

    11. Re:MS kinda overstepped its bounds on this one. by Anonymous Coward · · Score: 0

      What? Seriously, either Windows is so horribly fucked or you don't have a clue what you are talking about.

      Firefox runs in a regular user account. The plugin would allow remote code to be executed in a sandbox created by .NET framework (however it is run). Disabling the plugin so remote code is not run by .NET seems a trivial thing to do. After all, .NET does not exactly hook from Admin level into the sockets and sniffs traffic, right? So seriously, what are you talking about? Disabling load of any plugin, wherever it is installed, should be possible from within firefox. Sure, you may not be able to uninstall it, but you should be able to prevent it from being loaded.

      So yes, your reply does not make sense at all.

    12. Re:MS kinda overstepped its bounds on this one. by Anonymous Coward · · Score: 0

      By your logic Firefox could not possibly have done what it just did, namely disable MS's addon. But they did. Therefore they can. Or are you saying the OS was hard coded to disable Firefox's disable button?

    13. Re:MS kinda overstepped its bounds on this one. by petermgreen · · Score: 1

      That is the immediate reason for the block yes but afaict the way MS pushed it on a load of users who don't want or need it without the users' informed consent was a major contributing factor.

      If this addon and plugin had only been deployed in situations where it was actually needed then I strongly suspect mozilla would have taken a far less aggressive approach.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    14. Re:MS kinda overstepped its bounds on this one. by TropicalCoder · · Score: 1

      "A vulnerability which has already been patched." - maybe on your machines, but there could be millions of machines out there where it wasn't - that's the problem.

      It's important to note that the vast majority of users with this add-on installed did not know that it was installed, or ask for it to be installed, and it's very difficult to uninstall cleanly due to the hidden extension that is left behind, as well as the "9.*.*" maxversion. This means that users who don't normally care about IE updates, because they are Firefox users, will be vulnerable without the block.

      It is unfortunate that you have a lot of extra work awaiting you, but you only have Microsoft to blame for that. This is a serious vulnerability that Microsoft created, and both Microsoft & Mozilla agree that client's protection must come first.

    15. Re:MS kinda overstepped its bounds on this one. by petermgreen · · Score: 1

      IIRC the problem is that the bug was not actually in the plugin but in a library it depended on and the plugin version was not bumped. As such there is no way for the blocking system in current firefox to tell if you are vulnerable or not.

      Afaict mozilla was stuck between a rock and a hard place on this one. They had to choose between breaking functionality some enterprise users relied on or leaving a large proportion of firefox users vulnerable to a bug in libraries depended on by a plugin and extension that were installed behind their back.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
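
The limitation described in the comment above, as an added example that is not part of the original thread and is not Mozilla's code: a simplified version-range blocklist matcher that only sees the add-on's declared ID and version. The add-on ID, version numbers, host records and the comparator are constructed assumptions.

```javascript
// Added example: simplified model of a version-range add-on blocklist.
// The ID, versions and host records are constructed placeholders, and the
// comparator is a simplification of Mozilla's real version comparison.

const ADDON_ID = "example-assistant@vendor.invalid"; // placeholder ID

function versionPart(s) {
  if (s === undefined) return 0;   // "1.1" compares equal to "1.1.0"
  if (s === "*") return Infinity;  // wildcard sorts above any number
  const n = parseInt(s, 10);
  return Number.isNaN(n) ? 0 : n;
}

function compareVersions(a, b) {
  const pa = a.split("."), pb = b.split(".");
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = versionPart(pa[i]), y = versionPart(pb[i]);
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An entry with no ranges blocks every version of that ID.
function isBlocked(blocklist, addon) {
  return blocklist.some((entry) => {
    if (entry.id !== addon.id) return false;
    if (!entry.versionRanges || entry.versionRanges.length === 0) return true;
    return entry.versionRanges.some((r) =>
      compareVersions(addon.version, r.min || "0") >= 0 &&
      compareVersions(addon.version, r.max || "*") <= 0);
  });
}

// libraryPatched is ground truth about the host; the matcher never sees it.
const HOSTS = [
  { name: "unpatched", addon: { id: ADDON_ID, version: "1.1" }, libraryPatched: false },
  { name: "patched", addon: { id: ADDON_ID, version: "1.1" }, libraryPatched: true },
  // Hypothetical: a fix that also shipped a bumped add-on version.
  { name: "patched-and-bumped", addon: { id: ADDON_ID, version: "1.2" }, libraryPatched: true },
];

// exposed: vulnerable hosts the blocklist lets through.
// overblocked: already-fixed hosts the blocklist still disables.
function assess(blocklist, hosts) {
  const exposed = [], overblocked = [];
  for (const h of hosts) {
    const blocked = isBlocked(blocklist, h.addon);
    if (!h.libraryPatched && !blocked) exposed.push(h.name);
    if (h.libraryPatched && blocked) overblocked.push(h.name);
  }
  return { exposed, overblocked };
}

const NO_BLOCK = [];
const BLOCK_UP_TO_1_1 = [{ id: ADDON_ID, versionRanges: [{ min: "0", max: "1.1" }] }];
const BLOCK_ALL = [{ id: ADDON_ID, versionRanges: [] }];

console.log("no block:      ", assess(NO_BLOCK, HOSTS));
console.log("block <= 1.1:  ", assess(BLOCK_UP_TO_1_1, HOSTS));
console.log("block all:     ", assess(BLOCK_ALL, HOSTS));
```

With an unchanged add-on version, every policy either leaves the unpatched host exposed or disables the patched one; only a version bump lets a range entry tell them apart.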
    16. Re:MS kinda overstepped its bounds on this one. by shutdown+-p+now · · Score: 1

      How should a non-running app protect itself against a code injection in their home directory done by a process with system privileges?

      In this particular case - since .NET plugin doesn't actually patch Firefox executable, or anything like that, but rather uses the documented way to install a system-wide plugin - there seems to be a reasonable way to deal with this (and any other plugins that quietly install themselves: Java and Acrobat Reader are two other offenders, with the latter being particularly annoying). Here's how:

      Don't auto-load plugins from system-wide plugin directory. Instead, when user starts Firefox, and a new system-wide plugin is detected, user is prompted to enable or disable it (use the same dialog as for plugins downloaded from the Net, with a countdown timer on "Yes - enable" button). This is then recorded in user's configuration file for future runs.

      This doesn't let user remove a system-wide plugin, obviously, but this ensures that everyone knows exactly what crap is running in his Firefox, and that all such crap at least has to go past an explicit confirmation prompt.

      A potential problem is that some overly smart installer might try to circumvent this by "opting in" on behalf of all users by patching their config files. On one hand, such behavior is very, unambiguously clearly a sign of malware. Also, there is a simple way to counter it at least on Windows: use encrypted files to store user settings for system-wide plugins. NTFS file encryption uses a key associated with a given user account, and derived from his password, and thus cannot be decrypted even by administrator. The latter can overwrite the file with its own new version, of course, but it is trivial to check whether the file is encrypted or not, and if it is, then which user's key was used to encrypt - this can be used to detect any such tampering. At this point, the only recourse for plugin installer is to patch the Firefox binary directly - something that will be slapped down as malware by pretty much anyone out there.

    17. Re:MS kinda overstepped its bounds on this one. by Swordsman02155 · · Score: 1

      I am sorry, but what does - in this context - "9.*.* maxversion" mean?

    18. Re:MS kinda overstepped its bounds on this one. by mpe · · Score: 1

      The .NET installer/updater that forces this addon into Firefox is running as administrator or even system rights. How should a non-running app protect itself against a code injection in their home directory done by a process with system privileges?

      This is more something for anti-malware systems to be dealing with. Yet the likes of Symantec and McAfee appear to have been beaten by Mozilla.

    19. Re:MS kinda overstepped its bounds on this one. by Anonymous Coward · · Score: 0

      No, you're just an idiot

    20. Re:MS kinda overstepped its bounds on this one. by Gyles · · Score: 1

      Extensions get automatically disabled when they exceed the "maxversion" value, this is so they don't end up trying to work in an environment they are not designed for. Current extensions might say 3.5.*, so they'll be disabled when Firefox 4 comes out. They should then update the extension to work with the new version of FF.

      maxversion 9.*.* essentially means never disable me.

    21. Re:MS kinda overstepped its bounds on this one. by phoenix321 · · Score: 1

      Of course they can choose not to disable the plugin. But only when Firefox is actually running of course.

      During install time of the plugin, Firefox has no running instances that can prevent it.

      Firefox developers could've rolled out a mechanism to disable the plugin earlier, but I guess they had different opinions or priorities and knew what they were doing.

      Another round of MS .NET installers could of course demand admin rights, which the user dutifully provides and then shut running Firefoxes the hell down and rip out all plugin-protecting code segments.

      They will not do that, because it's class action and billion dollar punishment territory, but all I wanted to say is that nothing can prevent a process with admin rights from wreaking havoc on non-running installations.

    22. Re:MS kinda overstepped its bounds on this one. by Anonymous Coward · · Score: 0

      I should really get rid of my sock puppets. But the M$ one is so cute. The Mozilla one scares me a little bit.

      Twitter, is that you?

    23. Re:MS kinda overstepped its bounds on this one. by LordKronos · · Score: 1

      Also, there is a simple way to counter it at least on Windows: use encrypted files to store user settings for system-wide plugins. NTFS file encryption uses a key associated with a given user account, and derived from his password, and thus cannot be decrypted even by administrator.

      Of course, wouldn't that require you to provide your password every time you start up firefox? No thanks.

    24. Re:MS kinda overstepped its bounds on this one. by shutdown+-p+now · · Score: 1

      Of course, wouldn't that require you to provide your password every time you start up firefox?

      No, because you've already typed in your password when you logged in. Have you ever worked with encrypted NTFS files before (to create one, right-click on it in Explorer, go into "Properties" -> "General" -> "Advanced" -> "Encrypt contents to secure data")?

    25. Re:MS kinda overstepped its bounds on this one. by Swordsman02155 · · Score: 1

      Ah, thanks for straightening that out for me. Much appreciated! Regards

    26. Re:MS kinda overstepped its bounds on this one. by LordKronos · · Score: 1

      Uhhhh, ok. So, what you are saying is that I've logged in so my apps can now access the file without me having to enter a password. So, how exactly does that stop that nasty other program from doing what it wants to the file then? Does windows allow you to say "only application x can use this file"? As far as I've seen, it doesn't.

    27. Re:MS kinda overstepped its bounds on this one. by shutdown+-p+now · · Score: 1

      Uhhhh, ok. So, what you are saying is that I've logged in so my apps can now access the file without me having to enter a password. So, how exactly does that stop that nasty other program from doing what it wants to the file then?

      If it runs under your account, nothing. Installers generally switch to admin at start, though, and so does Windows Update.

      Does windows allow you to say "only application x can use this file"? As far as I've seen, it doesn't.

      I'm not aware of anything like that.

    28. Re:MS kinda overstepped its bounds on this one. by LordKronos · · Score: 1

      So, how exactly does that stop that nasty other program from doing what it wants to the file then?

      If it runs under your account, nothing. Installers generally switch to admin at start, though, and so does Windows Update.

      Yeah, but that's hardly much of an obstacle. I've seen plenty of installers where the install.exe actually launches a child process to do the install and then waits for the child to finish. It would be trivial to do that, letting the child install as admin while the parent is still running as the logged in user. Or even simpler...throw an entry in the RunOnce registry key (so the next time you log in a process runs as the user and does the install).

  8. Read the TFA, MS suggested this! by Gopal.V · · Score: 5, Informative

    From the TFA, it is clear that Microsoft approves of this particular move. I quote

    It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

    I mean, this is damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everybody wants to read the MS KnowledgeBase article and implement it themselves. At least, not my mom.

    1. Re:Read the TFA, MS suggested this! by Razalhague · · Score: 5, Insightful

      and Microsoft is recommending that all users disable the add-on.

      Well gosh, that "unable-to-be-disabled" feature seems really quite stupid now, doesn't it?

    2. Re:Read the TFA, MS suggested this! by Anonymous Coward · · Score: 0

      That's true, unlike the poster, your mom wasn't sitting in front of her computer at 11:45 on Friday night, trust me...

    3. Re:Read the TFA, MS suggested this! by Anonymous Coward · · Score: 0

      You are the second person in four posts to talk about "the TFA."

      What do you people think the T stands for anyway?

    4. Re:Read the TFA, MS suggested this! by Blakey+Rat · · Score: 2, Insightful

      Why are you surprised? Microsoft isn't like some kind of cartoon supervillain... if they have a bug in the add-on, and no fix ready yet, then of course they want people to disable it.

    5. Re:Read the TFA, MS suggested this! by shutdown+-p+now · · Score: 1

      Well gosh, that "unable-to-be-disabled" feature seems really quite stupid now, doesn't it?

      It wasn't a feature, it was merely a rather silly misunderstanding of the implications of installing the extension into Firefox application folder (rather than users' AppData folder), from an installer running with administrative privileges. Naturally, once thus installed, the extension cannot be easily removed by normal users.

      Oh, and by the way, there was never a problem with disabling the extension - that button was always active, and worked as advertised. The problem was that you couldn't easily uninstall the extension.

      Of course, once that story hit /. and complaints started to mount, the extension was quickly patched to allow for removal (there was a separate /. story on that too, IIRC).

    6. Re:Read the TFA, MS suggested this! by Anonymous Coward · · Score: 0

      It can be disabled just fine, the thing you can't do is uninstall it.

      Which really isn't too surprising, since you shouldn't be running Firefox as an administrator anyway.

    7. Re:Read the TFA, MS suggested this! by wvmarle · · Score: 1

      They still allow you to use Windows for that matter... or IE... both full of bugs, known vulnerabilities and the like.

      Joking aside, this may break some .NET functionality (I wouldn't know, not on Windoze - I did see it happen in my XP in a VM that I use for e-banking only) which makes it sound strange that MS so readily accepted the block. I hear a patch is out already even - which is also blocked by FF due to them blocking by name/version and the patch has no new version number (strange action from MS - how to tell you are patched?).

      On top of that, FF doesn't seem to have a way to override this block even if you'd want to, e.g. after patching. That's equally bad from FF's side.

    8. Re:Read the TFA, MS suggested this! by rsborg · · Score: 1

      From the TFA, it is clear that Microsoft approves of this particular move.

      It gives them cover to kill Google ChromeFrame (which stands to completely undo Microsoft's lock on IE users).

      I see that happening if there's any update in installation of ChromeFrame.

      --
      Make sure everyone's vote counts: Verified Voting
  9. The real reason why they want to hack user agent by Ilgaz · · Score: 4, Insightful

    While some slashdotters think otherwise, Java/Windows install base is huge thanks to a couple of very popular apps and tiny games. Since companies these days look for multi platform, multi arch; MS needed to show that their herd has been installed/infected by .NET too.

    So, they haxor the user agent to show that clueless CTO that their 90% of users have .NET so they should use it instead of massively multi platform Java.

    Anyway, as you see, karma is a real bitch and if Sun had a real management, they could milk this issue but... Lucky for MS, Sun is under auto pilot, even under Larry Ellison's Oracle.

  10. Ha ha by TimeElf1 · · Score: 0

    hopefully this will get Microsoft to release a patch sooner

    Sooner as in six months to a year when Microsoft finally goes...hmm maybe that didn't quite work?

    --
    Cannot find REALITY.SYS. Universe halted.
    1. Re:Ha ha by Norsefire · · Score: 3, Insightful

      Actually, it was patched on Tuesday.

    2. Re:Ha ha by __aaqvdr516 · · Score: 1

      Yep I've been following this pretty closely myself. It was patched a couple days ago. You can follow step by step the discussion of someone providing a link of the initial vulnerability, them deciding to blocklist it, and someone claiming (though no name was given) that Microsoft agreed on the course of action.

      The Firefox plugin itself was not the insecure part, it was items within the OS. Because of this, when Microsoft patched the vulnerability they didn't have to patch the plugin. So unless Microsoft re-releases the plugin with a higher version number there's no way for Firefox to do a version check to only allow patched systems to allow the plugin again. This is not an issue for me, but in the thread there are multiple people who are IT guys who claim their corporations rely on the plugin and their mission critical items won't work without it. There's a workaround via disabling the blocklistings via about:config but that's not a very graceful fix.

      IMO this whole deal was handled very sloppily and I feel that this is all just petty bickering between Mozilla and Microsoft. Mozilla saw an opportunity to stick it to Microsoft and they took it. I don't want, or need, any part of this. It's easy enough to switch to Opera.

    3. Re:Ha ha by TimeElf1 · · Score: 0

      Well color me surprised. I don't think I can handle a Microsoft that's on top of things.

      --
      Cannot find REALITY.SYS. Universe halted.
    4. Re:Ha ha by Mike+Shaver · · Score: 5, Interesting

      I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.

    5. Re:Ha ha by wasabii · · Score: 3, Interesting

      Mike,

      Hi.

      I have over 100+ boxes at work that depend on this plugin. When I get into work tomorrow, if they're not working (they run FF), then I'm not going to have much choice but to switch back to IE, am I?

      I frankly did not know you guys had this ability to unilaterally disable things I depend on. That is a bit disturbing. It's going to unexpectedly cost me HOURS tomorrow.

      Can you at least switch the block to only block unpatched versions? I'd agree with that.

    6. Re:Ha ha by Anonymous Coward · · Score: 0

      The problem is the patch doesn't increase the version number on the file, meaning Firefox has no way to distinguish between patched and unpatched versions.
      (actually the stated version in both cases is 0.0.0.0)
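
The two version mechanisms discussed in this thread (an extension's maxversion range, and a blocklist that cannot tell patched from unpatched installs when both report 0.0.0.0), sketched as an added example that is not part of any comment here and is not Mozilla's code. The comparator is a simplified model assumed for illustration (numeric dotted parts, `*` sorting above any number); all function names and sample entries are hypothetical.

```javascript
// Simplified model only: numeric dot-separated parts, "*" sorts above any
// number. This is an assumption for illustration, not Firefox's comparator.
function parsePart(p) {
  if (p === "*") return Infinity;
  const n = Number.parseInt(p, 10);
  return Number.isNaN(n) ? 0 : n;
}

function compareVersions(a, b) {
  const pa = a.split(".");
  const pb = b.split(".");
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = parsePart(i < pa.length ? pa[i] : "0");
    const y = parsePart(i < pb.length ? pb[i] : "0");
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function inRange(version, range) {
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.max) <= 0;
}

// An extension stays enabled only while the application version lies
// inside its declared [minVersion, maxVersion] window.
function isCompatible(appVersion, ext) {
  return inRange(appVersion, { min: ext.minVersion, max: ext.maxVersion });
}

// A blocklist entry keyed on name plus an optional version range.
// With no range, every version of that item is blocked.
function isBlocked(item, blocklist) {
  return blocklist.some(entry =>
    entry.name === item.name &&
    (!entry.versionRange || inRange(item.version, entry.versionRange)));
}

// Try to find one contiguous range that covers every vulnerable version
// and no patched one. Returns null when the reported versions cannot
// separate the two groups.
function findSeparatingRange(vulnerable, patched) {
  const sorted = [...vulnerable].sort(compareVersions);
  const range = { min: sorted[0], max: sorted[sorted.length - 1] };
  return patched.some(v => inRange(v, range)) ? null : range;
}

// Constructed sample data (not taken from any real manifest or blocklist).
const typicalExt = { minVersion: "3.0", maxVersion: "3.5.*" };
const neverExpires = { minVersion: "3.0", maxVersion: "9.*.*" };

function demo() {
  return {
    typicalOn35: isCompatible("3.5.3", typicalExt),      // inside 3.5.*
    typicalOn40: isCompatible("4.0", typicalExt),        // past maxVersion
    neverExpiresOn40: isCompatible("4.0", neverExpires), // still inside
    // Patched and unpatched installs both report 0.0.0.0, so no range
    // can block one without blocking the other.
    sameVersion: findSeparatingRange(["0.0.0.0"], ["0.0.0.0"]),
    // Had the fix bumped the version, a bounded entry would be possible.
    bumpedVersion: findSeparatingRange(["1.0", "1.1"], ["1.2"]),
  };
}

console.log(demo());
```
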

    7. Re:Ha ha by Anonymous Coward · · Score: 0

      Open source programs, while many times safer and more efficient than their closed-source counterparts, still come with no warranty.

    8. Re:Ha ha by Anonymous Coward · · Score: 0

      Great, and now instead of not being able to work due to a plugin, he would've been unable to work because the OS plain sucked.

    9. Re:Ha ha by Mike+Shaver · · Score: 4, Informative

      I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.

      (Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)

    10. Re:Ha ha by swilly · · Score: 1

      I keep hearing this, but I have yet to see closed source software that comes with a warranty.

    11. Re:Ha ha by Anonymous Coward · · Score: 0

      I frankly did not know you guys had this ability to unilaterally disable things I depend on.

      Haha you little bitch! That'll oughta make you read those Micro$oft EULAs more carefully!

    12. Re:Ha ha by CSMatt · · Score: 1

      How about providing an option to re-enable the plugin or add-on, regardless of what Mozilla says and regardless of whether it is the vulnerable version or not? Hide it in the preferences if you must, but make it possible and not excessively difficult to find (i.e.: don't bury it in about:config or something). I am the sole administrator of my computer, and I should always have the final say on what gets installed, uninstalled, updated, upgraded, or changed on my computer, and that should never be usurped by anyone, be it Microsoft, Apple, Canonical, or Mozilla, without my explicit consent.

    13. Re:Ha ha by Hymer · · Score: 1

      Doesn't matter, it has been installed behind people's back and without any possibility of disabling. It is no better than the Sony rootkit.

    14. Re:Ha ha by Anonymous Coward · · Score: 0

      Some intranet-based applications at my company rely on the ClickOnce add-on.

      The applications have been around for several years, but prior to February our corporate policy was that FireFox was not supported. That policy is slowly changing.

  11. will MS release patch sooner by tokul · · Score: 2, Interesting

    Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner.

    Blocklist banned both of plugins without any version limits. Even if MS release updated plugin versions, plugins will remain blocked. I suspect that MS will create new plugs and try to sneak them back to Firefox with .NET "security" updates.

    I think Mozilla team even considers removing features abused by MS plugs.

    1. Re:will MS release patch sooner by recoiledsnake · · Score: 1

      The bug was already fixed via updates last Tuesday. What if Microsoft decides (via Windows Update) not to allow Firefox to run if it has any critical vulnerabilities? (Happens all the time). MS might claim that Windows gets a bad name if it's hacked via Firefox.

      --
      This space for rent.
  12. It is nothing compared to VPC by Ilgaz · · Score: 3, Interesting

    That issue is nothing (they asked for it in fact).

    The issue which should make to books about the tech irony is Virtual PC for Mac 7.x (if anyone uses, UPDATE!). MS found a theoretical (not sure) issue which Virtual PC's emulated X86/Hypervisor can MODIFY the OS X memory from "there".

    While they were decent to fix it very quickly and shipped an update (7.0.3) confusing Mac users, that is one big amazing issue for you. Imagine by running (emulating in fact) a Windows, you risk your OS X memory locations with overwrite.

    1. Re:It is nothing compared to VPC by Anonymous Coward · · Score: 0

      Sounds like a bug in OS X to me.. Operating systems should have been able to protect their memory from an occasional buggy program for few decades now.

    2. Re:It is nothing compared to VPC by Ilgaz · · Score: 1

      It is a very special piece of software with very special purpose. It runs "as root", even some call "above the root" with its own kernel extensions. I talk about an emulator/hypervisor. For example, AV solutions, firewalls under OS X are incapable of watching what it does.

      I think AIX is capable of doing the thing you ask for but of course, it doesn't run on Mac and there is no "Virtual PC" for AIX anyway :)

  13. It is happening you know by Anonymous Coward · · Score: 0

    It is happening you know. Check out the fantastic Linux mobile phone http://www.theinquirer.net/inquirer/news/1532176/nokia-n900-internet-tablet-walk

    The Nokia N900 is the MS/Apple killer par excellence, but as Linus Torvalds noted "Killing off Microsoft is just a side effect, not a goal".

  14. Why was the MS plugin again legal? by cheros · · Score: 4, Interesting

    Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).

    Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.

    I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..

    Anyone else an explanation why that plugin avoided legal consequences?

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    1. Re:Why was the MS plugin again legal? by Nuskrad · · Score: 5, Insightful

      Was it without consent though? I'm sure it would have been buried in the small print somewhere when installing/updating the .Net framework.

    2. Re:Why was the MS plugin again legal? by gbjbaanb · · Score: 3, Interesting

      I'm sure whatever it was you installed from Sony that snuck the rootkit in had similar wording in its smallprint too.

      I guess it's ok if MS does it, but not Sony?

    3. Re:Why was the MS plugin again legal? by Val314 · · Score: 1

      please show me the passage. I have read it (really) and haven't seen it.

    4. Re:Why was the MS plugin again legal? by Fantastic+Lad · · Score: 2, Insightful

      So, yes, it's OK when Microsoft installs functionality into Firefox that Firefox should, by all rights, already include compared to Sony installing software designed explicitly to disable existing features on your computer.

      No.

      Microsoft, if I allow them, can update the code they wrote on my system. But what you are talking about is no different from somebody over in Redmond deciding that your private documents were written poorly and needed to be re-done according to their preferences and took the liberty of doing so without telling you. Heck, I might even agree with their assessment of your writing, but I certainly wouldn't say it was okay for them to mess with it. --At least not without asking you first in a very up front manner.

      -FL

    5. Re:Why was the MS plugin again legal? by S.O.B. · · Score: 3, Insightful

      And, yes, by all rights, Firefox should support .Net natively. It already has special support built in for Java, so there's no reason why it shouldn't include the same hooks for .Net other than an irrational hatred of Microsoft.

      Try again anonymous Microsoft fanboi.

      As far as I can see there is nothing special in Firefox for Java to function unless you are referring to the standard plugin architecture that Firefox/Mozilla provides for all plugins.

      Java is installed at the choice of the user where the .NET plugin is installed by a Windows update without informing the user. Once installed the Java plugin can easily be removed by the user via the Firefox configuration GUI but the .NET plugin can not be installed without doing some complicated registry and configuration hacks.

      To me this looks like an attempt to drag Firefox down to the level of IE by silently adding .NET holes into Firefox and then they can say, "It's not us because Firefox has the same problems we do".

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    6. Re:Why was the MS plugin again legal? by BooRolla · · Score: 2

      I agree with you in sentiment, but I think it'd be a hard argument to construe Sony's audio CD's as needing fine print. Also, Sony installed the rootkit even if you rejected the overall software installation. I think that fact alone sealed Sony's fate in the matter

    7. Re:Why was the MS plugin again legal? by Anonymous Coward · · Score: 0

      Once installed the Java plugin can easily be removed by the user via the Firefox configuration GUI

      You might want to check this out

    8. Re:Why was the MS plugin again legal? by Cl1mh4224rd · · Score: 3, Informative

      Java is installed at the choice of the user where the .NET plugin is installed by a Windows update without informing the user.

      Whoa, whoa, whoa... There's an imbalance in your equation here. You're comparing Java itself to the .NET Framework plugin.

      Yes, Java itself requires that the user explicitly install it, but the Java Quick Starter extension for Firefox is also silently injected. Now, with the exception of Windows Vista and Windows 7, the .NET Framework must also be explicitly installed by the user.

      Also, the Java Quick Starter extension can not be removed through Firefox's UI; it can only be disabled. This may actually be the better option, though, because even if you remove it through the Java Control Panel applet, it's reinstalled with the next Java update (which is pretty heinous, in my opinion). Disabling it may leave it disabled across updates, but I haven't tested that.

      To me this looks like an attempt to drag Firefox down to the level of IE by silently adding .NET holes into Firefox and then they can say, "It's not us because Firefox has the same problems we do".

      Not to defend Microsoft, but that is unbelievably paranoid. In fact, I'd say it qualifies as an outright conspiracy theory.

      --
      People will pass up steak once a week, for crap every day.
    9. Re:Why was the MS plugin again legal? by TrancePhreak · · Score: 1

      Not really. The Sony rootkit installed silently any time you inserted the CD into the system. The Microsoft plugin in question is installed with another package and must be started by the user. It's probably mentioned in wording somewhere in the EULA, but the user has to install it on their own in the first place.

      --

      -]Phreak Out[-
    10. Re:Why was the MS plugin again legal? by GravityStar · · Score: 1

      Java has been installing plugins in web browsers for ages. I haven't seen any mass complaining about that.

    11. Re:Why was the MS plugin again legal? by shutdown+-p+now · · Score: 2, Interesting

      Now, with the exception of Windows Vista and Windows 7, the .NET Framework must also be explicitly installed by the user.

      Here's an interesting question. If you start with a clean Vista or Win7 install (which already has .NET), and then put Firefox on it, then it won't get the .NET extension in it, right? because .NET installer doesn't get a chance to run and put it there...

    12. Re:Why was the MS plugin again legal? by jim_v2000 · · Score: 1

      This isn't a root-kit, dumb ass. And Microsoft has been extremely straightforward and helpful in admitting that they messed up with the uninstall issue and coming up with a fix.

      --
      Don't take life so seriously. No one makes it out alive.
    13. Re:Why was the MS plugin again legal? by jim_v2000 · · Score: 1

      The Java plugin installs as part of Java. The .Net plugin installs as part of .Net 3.5....what's your point?

      --
      Don't take life so seriously. No one makes it out alive.
    14. Re:Why was the MS plugin again legal? by Arker · · Score: 1

      Frankly, I agree with you, Java misbehaves in a similar fashion and deserves similar treatment. But that is no excuse to roll over for MS. Also:

      Not to defend Microsoft, but that is unbelievably paranoid. In fact, I'd say it qualifies as an outright conspiracy theory.

      And I would say you sound very naive. Having worked with MS for a good 20 years now, I'd say it sounded like a reasonable educated guess from someone who knows their MO.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    15. Re:Why was the MS plugin again legal? by natehoy · · Score: 1

      I installed .NET so that Microsoft-specific programs which I purchased or downloaded could run. I did not install .NET in order to expose my Firefox browser to IE/ActiveX/.NET vulnerabilities. I have Internet Explorer for those very rare websites that require Microsoft-specific stuff.

      If the add-on was made available and advertised to me, I would never have sought it out. If the add-on was installed and I was informed and could disable it, I would have disabled it. Instead, I find out only well after it was installed and running in the background on my Firefox implementation that it was there.

      Sorry, that's a major trust issue with me. I run Firefox because it lacks the "hard ties" with the OS that IE has, and therefore tends to be more secure. I do NOT want Firefox accessing .NET, ActiveX, system default image viewing services, and other functions that are constantly being exposed as having serious security vulnerabilities.

      So, to the Mozilla/Firefox team: THANK YOU for making me aware of this. Please keep up the great work!

      To Microsoft: I still run XP, but it's this type of "assuming what I want and making it so" that bugs the crap out of me. YOU DO NOT OWN FIREFOX, and it's not yours to update without my knowledge or consent, even if it does add cool new features. I don't want 'em, I didn't ask for them, I didn't know you were installing 'em, and I'm pissed now that I know I had 'em. It's this kind of crap that makes me more and more tempted to join the Penguin side permanently, and I've been a mostly happy Microsoft user since the DOS on an 8088 with 5.25" floppies days, back when 640K of memory was enough for everyone.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    16. Re:Why was the MS plugin again legal? by natehoy · · Score: 1

      In Firefox, I go to "Tools / Addons" in Windows. Yup, "Java" is there. Oh, wait, that's the "Java Quick-Starter". Which I was asked about when I installed Java, and chose to add. Which is visible in my installed addons list. Oh, wait, and which also has a disable button. Hmm, which one of these tests did the .NET Firefox add-on pass?

      Sorry, what are you comparing? An openly-disclosed, user-option install with a disable against a quietly-installed, no-user-option, disable-not-available install?

      I installed Java because I wanted it available in my web browsers, and Java asked me which web browsers to add itself to.

      I installed .NET because I needed it for some specific software, and it never asked me about adding things to my web browser of choice, which by the way is NOT a Microsoft product and if Microsoft wants to change it they should at LEAST ask me and allow me to turn it off.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    17. Re:Why was the MS plugin again legal? by sjames · · Score: 1

      If it's buried in the fine print (surely meant to prevent people from noticing it) is it really consent? It's like a teen whispering to Mom and Dad "say 'what' if I can stay out all night."..."What?"..."Thanks Dad!". If you think Dad will consider that giving consent, think again.

    18. Re:Why was the MS plugin again legal? by wvmarle · · Score: 1

      And, yes, by all rights, Firefox should support .Net natively. It already has special support built in for Java, so there's no reason why it shouldn't include the same hooks for .Net other than an irrational hatred of Microsoft.

      Try again anonymous Microsoft fanboi.

      Don't panic, this is probably just an AC that forgets that Java != JavaScript, the latter which is built in natively into the browser indeed. And which, by the way, even can be disabled by the user, and easily so.

    19. Re:Why was the MS plugin again legal? by mpe · · Score: 1

      If the add-on was made available and advertised to me, I would never have sought it out.

      Is this add-on even available as a regular xpi file?

    20. Re:Why was the MS plugin again legal? by thuvia · · Score: 1

      Was it without consent though? I'm sure it would have been buried in the small print somewhere when installing/updating the .Net framework.

      I'm not sure if it was even mentioned in the "more information" link attached to the update.

      I know that if I was in better health and had the energy to do so at the time I learned of this, I would have personally made the effort to verify the malicious behaviour on a clean installation (I got so far as looking up the appropriate law in my country to determine that Microsoft's actions here did appear to be in breach of the UK's Computer Misuse Act), and attempt to see them prosecuted for it, since I strongly believe that they undermined the user's very efforts at securing their systems.

    21. Re:Why was the MS plugin again legal? by gbjbaanb · · Score: 1

      because .NET installer doesn't get a chance to run and put it there...

      No, not until Tuesday when you get the next set of security updates :)

    22. Re:Why was the MS plugin again legal? by Tim+C · · Score: 1

      A quick check of the list of plugins installed in Firefox on the machine I'm currently sat in front of shows that I have plugins for Quicktime, iTunes, Adobe Acrobat, the JVM, etc. I don't remember explicitly allowing any of them to be installed.

      If you're going to haul MS over the coals for silently installing a browser plugin, you might want to go after a few other companies too.

    23. Re:Why was the MS plugin again legal? by natehoy · · Score: 1

      I don't know. I didn't know it existed until I learned Firefox disabled it for me, and it's something I've never looked for or asked for in Firefox. Perhaps if I did a lot more .NET stuff I'd want it, and Microsoft would have done well to do a campaign to inform people it was out there and allow them to install it, so those who want to run Firefox for Microsoft-quirky sites (and open Firefox up to the same security holes IE is well-known for) could.

      But, frankly, at that point, why run Firefox? OK, maybe you've got an add-on you love, but if Firefox is vulnerable to many of the same Windows vulnerabilities as IE, PLUS its own vulnerabilities... seems kinda pointless.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    24. Re:Why was the MS plugin again legal? by cheros · · Score: 1

      Umm, you never had the chance to reject the .Net plugin - it was installed surreptitiously.

      What's more, it was installed in such a way that uninstalling it was a lot of hard work. As the specs are very clearly available on how to write a *decent* plugin with proper uninstall capabilities I cannot assume this to be an accident.

      Ergo, it's malicious to me.

      As for other installs, yes, there too I have some issues but they allow at least a degree of control. Still not good enough, but better than the MS approach.

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    25. Re:Why was the MS plugin again legal? by S.O.B. · · Score: 1

      My point is that you can disable Java through the Firefox UI but you can not disable .NET.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    26. Re:Why was the MS plugin again legal? by S.O.B. · · Score: 1

      I shouldn't have used the word "remove". You can not actually remove the Java plugin from the Firefox UI but you can disable it.

      The .NET plugin does not offer the user the option to disable it. Which is interesting because the other 29 extensions I have installed all allow themselves to be disabled.

      Should Java be controlled from the extensions list rather than the "Preferences-->Content" tab, sure. But Java was around before extensions and they haven't gone back and corrected the UI. However, does this excuse Microsoft from installing an extension to Firefox and not allowing it to be disabled like every other extension, most definitely not.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    27. Re:Why was the MS plugin again legal? by TrancePhreak · · Score: 1

      You run Firefox, a browser that does not run its plugins in a sandbox. You should be worried more about that than your obvious fear of MS.

      --

      -]Phreak Out[-
    28. Re:Why was the MS plugin again legal? by cheros · · Score: 1

      Let me amend this question.

      Most of the comments appear to assume that "it must have been in the EULA somewhere".

      Well, I may be different to most - I READ THOSE. That's why I will never use Google services - check out their Terms of Service, point 11.

      So, bottomline, every comment that states "you have probably agreed to this" - sorry, I explicitly haven't. The Java plugin I knew about, and so for all the others. *Not* so for the MS breach of my computer.

      If you find a EULA that states differently I'd like to read it - I have not found a single reference to this plug-in, so the MS apology is not "mea culpa", it's more like Sony: "sh*t, someone caught us".

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  15. My surreal experience by phozz+bare · · Score: 3, Funny

    Last night I was browsing through the headlines on Slashdot's front page. At one point I came across the headline "Sneaky Microsoft Add-On Put Firefox Users At Risk" (story here). While I was reading the text underneath that headline, Firefox's prompt (indicating that it had detected the relevant plugin) popped up. It was so startling that I started wondering whether the browser was reading my mind! Weird stuff.

    1. Re:My surreal experience by The+MAZZTer · · Score: 1

      Nah that happens when it automatically checks for addon updates, it also pulls down a copy of the addon blacklist from Mozilla.

    2. Re:My surreal experience by sskinnider · · Score: 1

      This functionality will be included in a future release of Firefox.

    3. Re:My surreal experience by troll8901 · · Score: 1

      You mean, mind reading is all wireless now? What protocols are they using? I've searched Wikipedia and came up with nothing.
      (Thoughts of certification and mesh networking running in my mind.)

    4. Re:My surreal experience by BadDreamer · · Score: 1

      Your friendly browser read Slashdot with you!

  16. Nuke it with regedit... by Dark$ide · · Score: 5, Informative

    For x86 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Mozilla > Firefox > Extensions

    For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions

    Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'

    --

    Sigs. We don't need no steenking sigs.

    1. Re:Nuke it with regedit... by The+MAZZTer · · Score: 3, Insightful

      Only nukes the addon, the plugin is hiding in C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (and C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll if you have the .NET 4.0 beta).

      Remove HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5

      And HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF, version=4.0 if you have the 4.0 beta

    2. Re:Nuke it with regedit... by Anonymous Coward · · Score: 2, Insightful

      You see how intuitive and user friendly that is?
      I'm so glad I never need to help anybody keeping their Windows machines functioning.

    3. Re:Nuke it with regedit... by Sponge+Bath · · Score: 4, Funny

      Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'

      Be careful. If you accidentally delete key {20a82645-c095-46ed-80e3-08855760534b}, your machine explodes.

    4. Re:Nuke it with regedit... by TubeSteak · · Score: 1

      FYI - on my Vista box I found the reg key under
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/WPF,version=3.5

      I also removed the Silverlight and Live Photo Gallery keys while I was there.
      I never chose to install that crap.

      --
      [Fuck Beta]
      o0t!
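
An added example (not posted by anyone in this thread) that audits the registry locations named in the "Nuke it with regedit" comments above, covering both the native and Wow6432Node paths, and deletes the entries only on request. The function name `Find-DotNetFirefoxHook` and the output field names are made up for this illustration; the extension ID and the `@microsoft.com/WPF` plugin prefix are the ones quoted in the comments.

```powershell
# Added example, not from the thread. Lists the registry entries named in the
# comments above; deletes them only when -Remove is given (needs an elevated
# prompt). Requires PowerShell 3.0 or later (uses the .NET 4 registry-view API).
function Find-DotNetFirefoxHook {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remove)

    $ErrorActionPreference = 'Stop'   # a failed registry call aborts the run

    # Identifiers quoted in the thread.
    $extensionId  = '{20a82645-c095-46ed-80e3-08825760534b}'
    $pluginPrefix = '@microsoft.com/WPF'   # matches every version=... variant
    $extKeyPath   = 'SOFTWARE\Mozilla\Firefox\Extensions'
    $plugKeyPath  = 'SOFTWARE\MozillaPlugins'

    # On 64-bit Windows the 32-bit registry view is what regedit shows under
    # SOFTWARE\Wow6432Node, so checking both views covers every path quoted.
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    if ([Environment]::Is64BitOperatingSystem) {
        $views += [Microsoft.Win32.RegistryView]::Registry64
    }

    foreach ($view in $views) {
        # The .NET registry API is used instead of the HKLM: drive because the
        # plugin key names contain '/', which the provider treats as a separator.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            # Add-on: the thread calls the ID a "key name"; Firefox registers it
            # as a value named after the ID whose data is the install directory.
            $ext = $hklm.OpenSubKey($extKeyPath)
            if ($ext) {
                if ($ext.GetValueNames() -contains $extensionId) {
                    $dir = [string]$ext.GetValue($extensionId)
                    [pscustomobject]@{
                        View = $view; Kind = 'Extension'; Name = $extensionId
                        Target = $dir
                        TargetExists = [bool]($dir -and (Test-Path -LiteralPath $dir))
                    }
                    if ($Remove -and $PSCmdlet.ShouldProcess(
                            "$extKeyPath [$view]", "Delete value $extensionId")) {
                        $w = $hklm.OpenSubKey($extKeyPath, $true)   # writable
                        $w.DeleteValue($extensionId)
                        $w.Dispose()
                    }
                }
                $ext.Dispose()
            }

            # Plugin: one subkey per version; its 'Path' value names the DLL
            # (NPWPF.dll in the comment above).
            $plugins = $hklm.OpenSubKey($plugKeyPath)
            if ($plugins) {
                foreach ($name in $plugins.GetSubKeyNames()) {
                    if (-not $name.StartsWith($pluginPrefix,
                            [StringComparison]::OrdinalIgnoreCase)) { continue }
                    $sub = $plugins.OpenSubKey($name)
                    $dll = [string]$sub.GetValue('Path')
                    $sub.Dispose()
                    [pscustomobject]@{
                        View = $view; Kind = 'Plugin'; Name = $name
                        Target = $dll
                        TargetExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
                    }
                    if ($Remove -and $PSCmdlet.ShouldProcess(
                            "$plugKeyPath [$view]", "Delete subkey $name")) {
                        $w = $hklm.OpenSubKey($plugKeyPath, $true)   # writable
                        $w.DeleteSubKeyTree($name)
                        $w.Dispose()
                    }
                }
                $plugins.Dispose()
            }
        }
        finally {
            $hklm.Dispose()
        }
    }
}

# Read-only listing; add -Remove -WhatIf to preview deletions first.
Find-DotNetFirefoxHook | Format-Table -AutoSize
```

Deleting these entries only unregisters the add-on and plugin from Firefox; the DLL reported in `Target` stays on disk.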
    5. Re:Nuke it with regedit... by Anonymous Coward · · Score: 0

      I believe Google Pack's Spyware Doctor also identifies this key name and recommends quarantining it.

    6. Re:Nuke it with regedit... by jim_v2000 · · Score: 1

      Or you know, just run Windows update and uninstall the plug-in normally.

      --
      Don't take life so seriously. No one makes it out alive.
    7. Re:Nuke it with regedit... by L4t3r4lu5 · · Score: 1

      Expect this to be used in the next Die Hard movie

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  17. ya it was funny... by wisnoskij · · Score: 1

    Ya, it was funny. I was actually reading about how they were dangerous to have while I was prompted by Firefox to remove them.

    --
    Troll is not a replacement for I disagree.
  18. Rule 1: Don't talk about the registry by Norsefire · · Score: 5, Funny

    A friend had a problem with a CD burner app (Nero I think?) and asked me to take a look at it (they weren't too tech savvy). So I took a look and Googled the error and found that it was a problem with a registry key that would screw randomly. The fix was to delete it and if the error came back the fix was to change it to a specific value (which would cause nagging warnings but not make the program fail outright, so deleting it first was the better solution). So when I had fixed it I told him offhandedly, not expecting him to understand, that it was a problem with the registry and if it happens again to give me a call. So a week later he calls and says it had the same problem but I didn't need to come round because he had found a registry cleaner, for cheap, only $39.95... I never mention the word "registry" to non-tech people now.

    1. Re:Rule 1: Don't talk about the registry by Bob_Who · · Score: 2, Funny

      he had found a registry cleaner, for cheap, only $39.95... I never mention the word "registry" to non-tech people now.

      ....I never mention windows, I'm up to my neck in Windex and squeegees....

    2. Re:Rule 1: Don't talk about the registry by wvmarle · · Score: 1

      It's impressive how Windows people are not only used to paying a lot for software, but also to paying a lot for software that fixes parts of their other software that they paid a lot for already.

  19. Terrible summary by live.play.code · · Score: 1

    Microsoft has ALREADY released a fix, so Mozilla's blocking it doesn't force them to do anything. Also, Mozilla asked Microsoft if blocking it would be a good idea, Microsoft said _yes_, and Mozilla blocked it. All this I learned from looking at the links in the summary. Hmm, actually RTFA has some advantages.

    1. Re:Terrible summary by Mike+Shaver · · Score: 2

      I applaud your commitment to understanding ahead of commenting. I wish such commitment were as widespread as the plugin in question!

    2. Re:Terrible summary by petermgreen · · Score: 1

      As I understand it the problem now is MS released a fix but did it in such a way that the current firefox blocking mechanisms can't tell if the fix is applied or not.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  20. Inconsistent logic by lseltzer · · Score: 0, Troll

    Microsoft says that the MS09-054 patch fixes the issue through all possible vectors, so the add-on is not a vulnerability on patched systems. Yet Firefox is blocking all versions of the add-ons. Why?

    If it's to block potential future vulnerabilities then they should block all add-ons, because they all have potential future vulnerabilities.

    If it's because some users may not update their systems then they should block all add-ons (especially Flash and Acrobat) because lots of add-ons have old vulnerabilities.

    If it's just to stick it to Microsoft for the inconsiderate way in which they delivered these add-ons then they should say so. I doubt Microsoft agreed to this, as Mozilla implies in their blog.

    1. Re:Inconsistent logic by Mike+Shaver · · Score: 5, Informative

      MS09-054 is labelled as an Internet Explorer update, so it's not obvious that Firefox users need to apply it. We're working with Microsoft on getting that fixed. Microsoft did definitely agree to it; I'm the one they told, on the telephone, before I requested the block be pushed out. I don't know why you think I was lying -- I didn't "imply" it, I flat out said that they agreed, which is the case. Do I have a history of lying about such things?

    2. Re:Inconsistent logic by lseltzer · · Score: 1

      Even so, why do you block patched systems?

    3. Re:Inconsistent logic by lseltzer · · Score: 0

      BTW, I don't assume you lie, it's just that your argument doesn't make sense to me as you worded it. And in your own blog you state that "Microsoft is recommending that all users disable the add-on." From everything I've read from Microsoft this is an overstatement. They advised disabling the add-on as a mitigation mechanism for those who had not applied the patch.

    4. Re:Inconsistent logic by Mike+Shaver · · Score: 5, Informative

      Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.

    5. Re:Inconsistent logic by Mike+Shaver · · Score: 3, Interesting

      That statement is consistent with what I heard from Microsoft, though their post has been updated since that conversation. And MSFT has seen that text; if it's not correct, I'm sure I'll hear it from them, and will be happy to correct it. (I wrote the text pretty quickly, since it was late on Friday night and we were getting inbound already from the blocklist addition.) But that's really ancillary to the issue, which is that Firefox users are vulnerable to a problem that we learned about this week, which is labelled as an IE problem/patch. Microsoft and Mozilla agreed that we should block the plugin and add-on to mitigate the risk while we made sure that FF users were going to install that IE patch. This isn't an us-vs-them thing, but I don't know who you're talking to at Microsoft who is saying different things.

    6. Re:Inconsistent logic by lseltzer · · Score: 1

      Maybe your system can't work with it, but they do publish the file version information for this update.

    7. Re:Inconsistent logic by lseltzer · · Score: 1

      I haven't talked to anyone at Microsoft. I'm just reading what they're putting out publicly.

    8. Re:Inconsistent logic by Mike+Shaver · · Score: 3, Informative

      Yes, sorry, I should have said that we can't distinguish it without custom code pushed through a patch, because it doesn't affect any files that we load or touch.

    9. Re:Inconsistent logic by DigitAl56K · · Score: 3, Insightful

      While I was angry at Microsoft's silent installation of this component in Firefox and there is part of me that is ready to cheer on Mozilla for disabling it, I also feel disappointed by the reaction to this.

      Not only are the vulnerable versions of Microsoft's add-on disabled, but also all versions indiscriminately, including the patched version that Microsoft rolled out this past Tuesday. Just as some people may have been impacted by Microsoft's original silent installation, how does Mozilla know whether an end user actually uses sites that depend on that add-on or not?

      Imagine what would have happened if Mozilla remotely disabled everyone's Flash plug-in each time a new vulnerability was discovered in it? There have been 0-day exploits in the wild for Flash and just think about its install base. Or the Adobe Reader plug-in? Lord knows it's a more deserving candidate given its history.

      In this case there may be some justification in that the unrequested component might pose yet unknown risks, but now I have to wonder what Microsoft's strategy will be during their next update cycle - to re-enable it given that they've fixed the hole in question? Did Mozilla just give Microsoft precedent that would support it disabling Chrome Frame in future?

      As a customer of both parties I feel that I've been dragged into someone else's war, which is being waged with my computer as the battle field.

    10. Re:Inconsistent logic by lseltzer · · Score: 2, Informative

      As I said elsewhere, a lot of plugins seem not to report their version information. Why don't you disable them too?

      According to your plugin checker the following plugins on my system don't report version information:
              Java(TM) Platform SE 6 U13 Java(TM) Platform SE binary
              Microsoft Office Live Plug-in for Firefox Office Live Update v1.4
              Java Deployment Toolkit 6.0.150.3 NPRuntime Script Plug-in Library for Java(TM) Deploy
              ActiveTouch General Plugin Container ActiveTouch General Plugin Container Version 104
              Adobe Acrobat Adobe PDF Plug-In For Firefox and Netscape
              Microsoft® Windows Media Player Firefox Plugin np-mswmp
              Google Update Google Update
              iTunes Application Detector iTunes Detector Plug-in

      See this screen shot.

      Many of these have had vulnerabilities in the past.

    11. Re:Inconsistent logic by Alpha830RulZ · · Score: 5, Insightful

      Mike, I haven't seen anyone else say this, so allow me. As a grateful firefox user and evangelist, thanks for your efforts, contributions, and patience in putting up with all of us. Please pass this thanks on to your co-team members.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    12. Re:Inconsistent logic by Anonymous Coward · · Score: 0

      So, how do we patched-system users reapply the add-on?

    13. Re:Inconsistent logic by silanea · · Score: 1

      My assumption is that none of these plugins are slipped into Firefox by an update to an unrelated software without informing the user or requiring their action beforehand, so users do not even know they might be vulnerable (though I cannot recall whether I was prompted to install the Google Update plugin), and that none of these plugins prevent the user from removing or disabling them from within Firefox.

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
    14. Re:Inconsistent logic by arth1 · · Score: 1, Insightful

      Even presuming you tell the truth, did they really agree that Mozilla should "patch" by removing both vulnerable and patched versions, deny the user an option to choose not to block, and prevent him from (re)installing a non-vulnerable version?

      Or did you add all these steps yourself, after being told it's to remove the vulnerable plugins (implicitly with the end user's consent).

      Sorry, no, I do not trust you. You haven't given me a reason to. Just because you're the enemy of my enemy doesn't make you my friend. And that you continue to maintain the social illusion of this having absolutely nothing to do with making a small jab at Microsoft gives me a small incentive not to trust you.

    15. Re:Inconsistent logic by Anonymous Coward · · Score: 0

      A better question is...

      WHY is any addon allowed to not use the disable or uninstall features. ever.

      I'm used to shit sneaking into my windows machine. But dammit. You should at least let me disable or remove the crap.

    16. Re:Inconsistent logic by lseltzer · · Score: 2, Insightful

      I know I didn't intentionally install most of these, and the Acrobat and Windows Media Player ones are, I believe, the only ones I specifically installed or agreed to.

      Recent versions of the Windows Presentation Foundation plug-in have enable/disable, so that can't be the reason for it.

      I stand by my subject line: Mozilla is being inconsistent here.

    17. Re:Inconsistent logic by uuddlrlrab · · Score: 1

      Maybe they don't pose as grave a vulnerability as the .NET one.

      --
      Odi profanum vulgus et arceo
    18. Re:Inconsistent logic by lseltzer · · Score: 1

      Later in the day I have asked Microsoft for their explanation of all this. No answers yet. Probably none till tomorrow.

    19. Re:Inconsistent logic by Anonymous Coward · · Score: 0

      Do I have a history of lying about such things?

      To put it simply, yes. To put it more complexly, blocking something that's already been patched is a huge pain in the ass.

    20. Re:Inconsistent logic by Anonymous Coward · · Score: 0

      Thanks for the good work, Mike! Keep it up. I'm glad to see some proactive and rapid action to protect users from this probably unnecessary and often unwanted plugin that has been foisted upon our systems.
      Frankly I'm a deep believer in the ad-hoc opt in model to browser functionality as one might achieve with noscript. For 99.999% of sites (e.g. on a site by site basis and a domain / element by element basis) I don't want ANYTHING optional turned on, not java, not javascript, not codec / reader plugins, not flash, not anything that increases the attack surface of my browser. Basically the default is a plain HTML text browser that might as well be LYNX. Disable cookies and off-domain images and stylesheets too etc. Then for a selected set of domains/elements/site URLs I'll enable a bit more of things like Javascript or whatever highly selectively. And if there ever should exist particular sites that I wanted to allow the use of CLR/WPF/.NET/Silverlight related materials, you may be sure I'd only want those urls and only those to even have it enabled. I wish that more explicit site/address/domain control of things like scripts, plugins, codecs, sound, cookies, animations, etc. were more easily possible in FF -- Noscript / flashblock / adblock / ... doesn't entirely do it. With the move to sqlite or whatever, I'd welcome some APIs in between FF's functionality like "I want to run this script from this domain" "I want to handle a file with this mime type from this domain" and sqlite which could hold a database of allow / deny capabilities and regex checking and whatever to easily configure the amount of exposed browser functionality on an ad hoc basis.

      One thing that has disturbed me about addons like flashblock or noscript in the past was that, say, if I had something like a PDF plug in installed in the browser, but I configured the blocking add-on to block that functionality, I could SWEAR that I'd often see a glimpse of the media (e.g. a PDF file) that was supposed to be blocked actually LOAD AND RENDER in its page area and THEN moments later be covered up visually by whatever "this is blocked" canvas the plugin is expected to expose. If it is actually LAUNCHING the codecs / plugins for things that are supposedly blocked and THEN blocking them, this seems like a security problem relative to people's expectations that things which are blocked shouldn't invoke 3rd party code which they're trying to limit exposure to. Anyway I have no idea if it is still like that, but it does seem there should be ways to a-priori block the loading / handling of anything rather than a-posteriori.

      As for MSIE on a related note, does anyone know how to ADD a new custom distinctly configurable security ZONE to IE8 e.g. under Vista / Win7? I've tried adding a 6th entry to the registry as some WWW sites suggest by copying the tree under one of the default 1-5 zone keys but that doesn't seem to work at least with IE8/W7. Frankly in the rare case I use MSIE I want the "internet" zone to basically behave like the "restricted sites" zone with only very very limited functionality, and to add a "semi trusted sites" zone I can manually add my "usual favorites" to such that they'd behave with something approaching but less than "normal internet zone" functionality. Then for the few sites I REALLY want to open up to, they'd go in "trusted sites".

    21. Re:Inconsistent logic by Mike+Shaver · · Score: 1

      There is no war. We decided together that this was the right step to take right now to protect our mutual users, based on our understanding of the problem and outcomes.

    22. Re:Inconsistent logic by kantos · · Score: 1

      Mike, any user NOT installing the IE updates on Windows is an idiot, because the COM components of IE are used in many applications. Thus not patching IE even if they haven't opened it in ages is the stupidest thing they could ever do (followed by not updating Flash Player) for the security of their system. So saying that people won't install the patch because it has the letters IE in the name is bull. The patch is listed as a CRITICAL update, not recommended but CRITICAL. On the other hand should MS introduce an optional update to install an updated version of the plug-ins? I'm thinking so...

      To those who are going to make the inevitable comments about the use of the COM IE components supporting MS browser monopoly: you're right, but there is no guaranteed alternative, and I have yet to see a COM interface for FF, or Chrome.

      --
      Any and all content posted above may be ignored, considered irrelevant, or otherwise dismissed.
    23. Re:Inconsistent logic by Anonymous Coward · · Score: 0

      Do you meet a lot of hairy, bushy women with that surname, Mike Shaver?

    24. Re:Inconsistent logic by Anonymous Coward · · Score: 0

      So Windows Updates no longer store themselves as installed updates on a machine? Couldn't you just detect the damn update entry?

    25. Re:Inconsistent logic by Arker · · Score: 1

      Imagine what would have happened if Mozilla remotely disabled everyone's Flash plug-in each time a new vulnerability was discovered in it?

      Hrmm, either that would result in Flash getting the thorough clean-up it needs, or being effectively eliminated from the web. Either way, I don't see a downside. This is a great idea!

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    26. Re:Inconsistent logic by Anonymous Coward · · Score: 0

      According to Ballmer, approximately 20% of global OS share belongs to pirated Windows installations. Most of these, if not all, would likely have auto-updates and such turned off.

      Therefore any applications that count on Microsoft's updates to block a vulnerability in it, that was opened by Microsoft, could be leaving as much as 1/5 of all users vulnerable.

      20% worth of compromised systems could create a lot of problems for the rest of us.

      And that's not counting lazy people and your theoretical idiots ;)

    27. Re:Inconsistent logic by ArghBlarg · · Score: 1

      Hear, hear! The Firefox team did the right thing. MS needs to play by the rules of any third-party applications with which it wants to interact. They should have used the 'front door' when installing their plugin, and had proper versioning information. They should live with the consequences of their backhanded install procedure, just like anyone else.

      --
      ERROR 144 - REBOOT ?
  21. Hooray for UAC by Anonymous Coward · · Score: 0

    Logged in, UAC popped up a notification that some .NET installer was trying to do something funny. I disallowed it.

    Thanks, UAC. Best thing Microsoft has done for Windows in forever and most people disable it. Pity.

  22. Cat and mouse by fearlezz · · Score: 1

    So, when do we expect a Microsoft update to change the blocklist? Or will they simply rename their plugin+give it a new extension id?

    --
    .sig: No such file or directory
    1. Re:Cat and mouse by Mike+Shaver · · Score: 4, Informative

      There's no cat and mouse -- they agreed to this blocking. I have in fact encouraged them to use a different extension ID if and when they make a fixed ClickOnce/WPF add-on that can be installed by active user choice rather than by default!

    2. Re:Cat and mouse by Anonymous Coward · · Score: 0

      I seem to remember a certain historical figure agreeing not to invade a certain Eastern European country... I think it started with a 'P'.

      Yes, I went there. Yes, it's a joke.

  23. Imagine this from the other side by moosesocks · · Score: 4, Insightful

    Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."

    Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

    That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
    1. Re:Imagine this from the other side by tokul · · Score: 3, Insightful

      Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

      Bigger shitstorm than the one which happened when MS installed browser extensions without consent from end user?

      Company abused its position and put malware on users' machines. Good thing that Mozilla has some options to handle such behavior.

    2. Re:Imagine this from the other side by Mike+Shaver · · Score: 3, Insightful

      If Microsoft or Apple asked us about such a kill-switch for a version of Firefox that we put onto their users' systems via a security update, and we agreed that it was the right thing to do, I would hope there wouldn't be a shitstorm at all.

    3. Re:Imagine this from the other side by jmv · · Score: 3, Insightful

      If Mozilla had been installing Firefox without the users' consent and prevented the same users from uninstalling it, then yes, Microsoft would have been justified to hit the kill switch. The same way, if it was just a regular Firefox Addon that MS distributed (that the user explicitly installs and can uninstall at any time), I doubt Mozilla would have made a fuss about it.

    4. Re:Imagine this from the other side by rtaylor187 · · Score: 1

      I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...

      There are some situations where a kill-switch is useful - this seems like one of them per TFA. So, I don't think "we" are against kill-switches per se, but rather against undisclosed/secret kill-switches. Firefox is open source, so the kill-switch mechanism is visible in the source somewhere - right? It would take some code review to be "aware", but it is openly available to be found. Whereas... Microsoft, Apple and Amazon (Kindle) are delivering closed source products where a kill-switch mechanism would be hidden/secret unless explicitly disclosed by the manufacturer.

    5. Re:Imagine this from the other side by moosesocks · · Score: 0

      Oh, come on. Microsoft released a patch to their software that extended support to an additional browser.

      If you don't like it, don't install the .NET framework. There might have been an accidental security flaw (that they openly acknowledged), but it's hardly malware.

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    6. Re:Imagine this from the other side by Jeff+DeMaagd · · Score: 1

      Maybe there were people that were 100% anti kill-switch, but I don't think they represent everyone. Just because something can be used for evil doesn't mean it's necessarily bad. A knife that is used to cut fruit can cut people too.

      What bothers me more though is the fact that a plug-in can prevent its own disabling or removal without an aggressive external technique.

    7. Re:Imagine this from the other side by Mike+Shaver · · Score: 3, Informative

      The plugin in question was installed via a Windows Update _security_ update, it wasn't something that people really chose to install. I agree, though, that this really, really isn't malware. That's a ridiculous misuse of the term.

    8. Re:Imagine this from the other side by Hurricane78 · · Score: 1

      I think I have to agree with that one. I really hope that there is an option (aka a "kill-switch") for that "kill-switch" in the Firefox settings dialog. Otherwise I would be very disappointed by those Nazi methods. :/

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    9. Re:Imagine this from the other side by noundi · · Score: 1

      I think I have to agree with that one. I really hope that there is an option (aka a "kill-switch") for that "kill-switch" in the Firefox settings dialog. Otherwise I would be very disappointed by those Nazi methods. :/

      about:config -> extensions.blocklist.enabled
       
      Amazing how people still haven't figured out google.

      --
      I am the lawn!
    10. Re:Imagine this from the other side by arth1 · · Score: 2, Insightful

      Two wrongs don't make a right.

      Microsoft installing the plugin without the user's explicit consent, and no (easy) way to uninstall was, indeed, wrong.
      But Mozilla unilaterally disabling it on the users' machines without an option not to is wrong too.

      What about those who have:

      1. Started depending on the functionality of the plugin, and
      2. Patched the vulnerability

      What they see is that Mozilla goes in and deletes functionality on their machines. From a logical point of view, it's no better than, say, Amazon going in on end users' e-book readers and deleting specific books in order to right a wrong.

      Again, two wrongs don't make a right, and by doing this, Mozilla has proven beyond doubt that they have the means to make unilateral changes to a user's machine, without giving the user a choice. This is VERY bad, and I really hope that the fallout will be that a fork appears that's guaranteed free of a backdoor for Mozilla to control the user's machine. No matter whether it's in the end users' "best interest".

      But I fear that the average user will actually agree with this knee-jerk reaction, because they in their hearts truly believe truisms like "the enemy of your enemy is your friend" and "the end justifies the means". And presumably get a minor kick out of Mozilla sticking it to Microsoft (let's at least be adult enough to call a spade a spade, and admit that this is what Mozilla did -- the (patched) vulnerability was a convenient pretext to maintain the social illusion).

    11. Re:Imagine this from the other side by Anonymous Coward · · Score: 0

      Don't forget to mention that FF contacted a server despite disabling all visible options for any "phone home" activity.

      What else is FF doing behind the users back?

    12. Re:Imagine this from the other side by Dreadneck · · Score: 4, Interesting

      Forget about the names involved and examine the situation more closely. A company took it upon itself to introduce an unknown security risk into a competitor's product by way of a stealth install. Said company further complicated the matter by making it next to impossible for average users to uninstall - provided they even became aware of the issue - and compounded it even further by having subsequent updates reinstall the software by stealth again.

      I think that given this situation Mozilla did the right thing. Until Microsoft learns to work above board where Firefox plugins are concerned, Mozilla can and should disable them. It would be nice in the future if Mozilla offered users the option - and I think they will - to retain use of a plugin after being told it poses a security risk, but the only action I see in need of correction at the moment is for Microsoft to ask users explicitly for permission to install an add-on to non-Microsoft software on a system.

      --
      Power does not corrupt - power attracts the corrupt.
    13. Re:Imagine this from the other side by Yvanhoe · · Score: 1

      Anyone other than Microsoft installing plugins into browsers without users' consent would have this product called malware. I think on this issue /. is quite polite with MS.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    14. Re:Imagine this from the other side by Trelane · · Score: 1

      Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

      Eh. If we were concerned about it, we'd just remove the kill switch in the source and re-compile IE, right?

      --
      Given enough personal experience, all stereotypes are shallow.
    15. Re:Imagine this from the other side by DerekLyons · · Score: 1

      That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...

      I love the [highly rated] responses to your question, which amount to "fuck Microsoft, fuck Microsoft, fuck Microsoft", without actually addressing the issue you raise. It just highlights once again how the majority of Slashdot is two-faced when it comes to... just about any issue. Mozilla is in the same category as Google, they simply cannot do wrong in the eyes of Slashdot. "Two legs bad, four legs good".

    16. Re:Imagine this from the other side by Ralish · · Score: 1

      I've been following this story since it began, and I've got to be honest, I think you've made completely the wrong move and have done potentially serious damage to Mozilla's public image among certain techies, and possibly worse, hindered enterprise adoption of Firefox (and helping to nuke the scourge that is IE6), which I'm sure you'd know is an area FF has struggled to really gain increasing marketshare in.

      Getting the preliminary kneejerk stuff out of the way; Microsoft screwed up, bigtime. I don't know of anyone who is debating this. This add-on should never have been silently installed in Firefox at all, period. The best distribution mechanism would have been a manual and entirely separate download that can be installed/deployed en-masse by those who require its functionality.

      This is also entirely irrelevant. The damage has been done, and calling Microsoft names or abusing them for their past actions does nothing to fix the current problem (I'm not accusing you of this, but others who've been contributing to this discussion). I can understand the principle behind your decision to add the add-on to the blocklist, but it has some serious issues that I'm astounded Mozilla decided to disregard:

      1. It has no regard for patch level. This results in people having patched versions of the add-on (whether they use it or not isn't the point, there's no way you can determine this without consulting the individual user) disabled. You are literally automatically killing functionality in the browser that is NOT a security or stability risk. Worse, you present users with a dialog box which in the case of a patched system is telling an outright lie or serious misinformation to the user with respect to the status of their add-ons. I can't even begin to understand how Mozilla deems such a situation where a significant proportion of the userbase is potentially being fed misinformation by their browser acceptable.

      2. This add-on is not to my knowledge under significant usage, but where it is used, it is mostly in the enterprise. Business doesn't take kindly to having programs that they rely on remotely disabled, it causes pain for sysadmins and I don't think I need to elaborate what other problems it can cause that are more serious. That Mozilla thought it a worthy trade-off to potentially protect some of their userbase at the cost of disabling functionality remotely that people may not merely use but rely on for important or even critical computer functions simply boggles my mind. I'm of the opinion it's generally not appropriate to remotely kill even vulnerable software, but I can understand how others would differ in opinion. But taking into account the fact that it kills non-vulnerable versions as well, and that people may depend on it, and that it's non-trivial to re-enable, and I can't understand the rationale.

      Put simply, if you don't have the infrastructure in place to reliably differentiate between vulnerable and non-vulnerable versions of the add-on, don't block it at all, it's not worth the problems you're inevitably going to cause, be it ethical (remotely disabling perfectly working and secure/stable software even if not used) or the more practical (as before except actually in use). That, and ClickOnce is also not to my knowledge a popular exploit target at all; this may of course change, but I'd be surprised when there's plenty of other ripe and easily exploitable targets with a larger userbase. If you wanted to go for sheer attack surface reduction, I would have thought there are several versions of Flash that are obsolete with truck-sized security vulnerabilities that plenty of people are running and are actively being exploited right now, that are easily detectable by versioning. I'm not advocating this mind you, but it seems to me there are easier targets if beefing up security through add-on blocklisting is the idea.

      Finally, you've re-iterated several times that Microsoft approved your decision. I don't see how this legitimises the decision? I often don't agree with M
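
The patch-level point raised in the comment above, as an added example that is not part of the original thread and is not Mozilla's code: a blocklist entry with no version range disables every installed version, while an entry with a version range leaves a patched build running. The XML layout and namespace are modelled on Firefox's blocklist format as an assumption, the add-on ID and version numbers are constructed placeholders, the version comparison is a simplified dotted-numeric one, and the `enabled` flag stands in for the `extensions.blocklist.enabled` preference mentioned elsewhere in the thread.

```python
import xml.etree.ElementTree as ET

# Namespace assumed from the Firefox blocklist format.
NS = {"b": "http://www.mozilla.org/2006/addons-blocklist"}
ADDON_ID = "example-addon@vendor.invalid"  # placeholder, not a real add-on ID

# Constructed sample: no <versionRange>, so every version is blocked.
BLOCK_ALL = f"""<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems>
    <emItem id="{ADDON_ID}"/>
  </emItems>
</blocklist>"""

# Constructed sample: only versions up to the (hypothetical) vulnerable 1.0.
BLOCK_RANGE = f"""<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems>
    <emItem id="{ADDON_ID}">
      <versionRange minVersion="0" maxVersion="1.0"/>
    </emItem>
  </emItems>
</blocklist>"""


def parse_version(text):
    """Simplified dotted-numeric version, e.g. '1.0.3' -> (1, 0, 3)."""
    return tuple(int(part) for part in text.strip().split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as zero."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def load_blocklist(xml_text):
    """Map add-on ID -> list of (min, max) ranges; empty list = all versions."""
    root = ET.fromstring(xml_text)
    entries = {}
    for item in root.findall("b:emItems/b:emItem", NS):
        ranges = entries.setdefault(item.get("id"), [])
        for vr in item.findall("b:versionRange", NS):
            ranges.append((vr.get("minVersion"), vr.get("maxVersion")))
    return entries


def is_blocked(blocklist, addon_id, version, enabled=True):
    """Decide whether one installed add-on version should be disabled."""
    if not enabled:              # user switched the blocklist off
        return False
    ranges = blocklist.get(addon_id)
    if ranges is None:           # add-on not listed at all
        return False
    if not ranges:               # listed without a range: all versions
        return True
    for low, high in ranges:
        above = low is None or compare_versions(version, low) >= 0
        below = high is None or compare_versions(version, high) <= 0
        if above and below:
            return True
    return False


def audit(installed, blocklist, enabled=True):
    """Return {addon_id: 'blocked' | 'allowed'} for installed add-ons."""
    return {
        addon_id: "blocked" if is_blocked(blocklist, addon_id, ver, enabled)
        else "allowed"
        for addon_id, ver in installed.items()
    }


if __name__ == "__main__":
    patched = {ADDON_ID: "1.1"}  # constructed: a build newer than 1.0
    print("all-versions entry:", audit(patched, load_blocklist(BLOCK_ALL)))
    print("ranged entry:      ", audit(patched, load_blocklist(BLOCK_RANGE)))
```
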

    17. Re:Imagine this from the other side by Phroggy · · Score: 1

      Company abused its position and put malware on users' machines.

      Careful. The term "malware" is short for "malicious software". Maliciousness is the intent to deliberately harm others. This add-on isn't malicious, it's just buggy and misguided.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    18. Re:Imagine this from the other side by noundi · · Score: 2, Informative

      Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."

      Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

      That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...

      Well, since you asked I'll describe the order of priorities of what we are against:
       
      1. Installing software without our consent, that includes sneaking in software in methods that classify as "gray zones". The ask.com bar is a good example of this, and also the .NET framework.
      2. Kill-switches
       
      So you see, as described above, the installation of such applications is far more dangerous than the kill-switch. Also since this kill-switch can be turned off. If you don't think MS did anything wrong, then let me ask you this: why are so many people angry with this installation? For those of you who installed IE7 or IE8 on XP through Windows update, do you remember the EULA that popped up after the download and before the installation? Wouldn't it have been completely acceptable if such a screen would have shown for this as well? Since ultimately this was something new for Windows update, never before had it tampered with Firefox, so people -- don't fucking pretend it was a harmless and innocent move.

      --
      I am the lawn!
    19. Re:Imagine this from the other side by Kalriath · · Score: 1

      Actually, no, it was not. It was installed by .NET Framework 3.5 SP1, which required you to have .NET Framework 3.5 already installed. A later update allowed you to use the "Disable" and "Uninstall" buttons on it again.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    20. Re:Imagine this from the other side by shutdown+-p+now · · Score: 1

      The plugin in question was installed via a Windows Update _security_ update

      Mike, can you clarify which security update it was? I recall the original story about quiet installation of plugin had to do with .NET 3.5 SP1 hitting Windows Update as a "recommended update"; and those things aren't auto-installed with default WU settings. Was there some update marked "critical" since then that also installed the plugin?

    21. Re:Imagine this from the other side by CSMatt · · Score: 1

      Microsoft, perhaps, but everyone knows about Apple's kill switches in the iPhone, and even Google's ones in Android, but there isn't much controversy surrounding either one of them here. I wonder why that is.

      I'm going to assume that the ones commenting on some stories are probably not commenting in the others.

    22. Re:Imagine this from the other side by CSMatt · · Score: 1

      Think about this for a moment: How many Firefox installs have been without the explicit and informed consent of the person who owned the computer? How do you think those people would feel about whoever installed Firefox on their computer if Microsoft decided to killswitch the program?

      The only time a kill switch is ever justifiable is if the person who actually owns the machine is the one pushing it.

    23. Re:Imagine this from the other side by sjames · · Score: 2, Insightful

      Sufficiently insecure software is indistinguishable from malware.

    24. Re:Imagine this from the other side by mpe · · Score: 1

      Oh, come on. Microsoft released a patch to their software that extended support to an additional browser.

      Something which they had no business doing in the first place. If they wanted to offer a Firefox/Thunderbird/etc add-on they should have used the same method as everyone else.

      If you don't like it, don't install the .NET framework.

      The .NET framework is required for certain applications to run. They'd still run without .NET doing anything with any web browser.

    25. Re:Imagine this from the other side by Tim+C · · Score: 1

      I think that given this situation Mozilla did the right thing.

      And I disagree. I am extremely uncomfortable to know that my browser vendor can - if it so wishes (and I'm not about to claim that this is a slippery slope, etc) - remotely disable arbitrary plugins on my system, leaving me with no way to re-enable them.

      While I appreciate the motivation for the block, and that it was done with MS's consent, this is my system, and ultimately it should be within my control, not theirs.

    26. Re:Imagine this from the other side by Dreadneck · · Score: 1

      We don't fundamentally disagree, though I'm seemingly less worried about Mozilla than you. I don't see Mozilla sacrificing hard-earned market share for the sake of a feature its users loathe. Granted, they were naughty for implementing it without regard for user control, but now that the issue has - fortunately? - been thrust into the spotlight, I predict a quick and satisfactory resolution.

      Or a code fork.

      Microsoft, on the other hand, has a long and proven track record of abusing customers' rights and trust.

      --
      Power does not corrupt - power attracts the corrupt.
  24. This is very annoying for me by Winckle · · Score: 2, Insightful

    I like to play games through http://2dfighter.com/default.aspx and this extension let me do so through firefox, now I can't reactivate it at all, and I can't install a new version because it's been removed from the website. Thanks Mozilla, now I have to go back to IE to use 2df.

    1. Re:This is very annoying for me by Fantastic+Lad · · Score: 2, Insightful

      Lessee. . . By default a secure browser for a few hundred thousand users who didn't want an invasive add-on in the first place or. . , your ability to play video games.

      You know, there are some other fun websites out there which will also try to trick you into installing malware. You might enjoy visiting those as well. --Hey, they even have boobies!

      -FL

    2. Re:This is very annoying for me by Dreadneck · · Score: 4, Informative

      If you go to about:config in firefox and toggle the value of extensions.blocklist.enabled from true to false and restart firefox then the plugins will work.

      --
      Power does not corrupt - power attracts the corrupt.
    3. Re:This is very annoying for me by Winckle · · Score: 2, Interesting

      Hey I agree with it not being installed by default, but I can't install it at all.

    4. Re:This is very annoying for me by Mike+Shaver · · Score: 1

      We're working on it (today) -- I'm very sorry for the inconvenience!

    5. Re:This is very annoying for me by Cl1mh4224rd · · Score: 1

      Thanks Mozilla, now I have to go back to IE to use 2df.

      If you're annoyed enough, it might be worth installing the IE Tab add-on: https://addons.mozilla.org/en-US/firefox/addon/1419

      --
      People will pass up steak once a week, for crap every day.
    6. Re:This is very annoying for me by Anonymous Coward · · Score: 0

      Look at the bright side:

      Now you can use the unsecure MS browser for trusted sites that require such things AND Firefox for whenever you don't feel like placing absolute trust on a website.

    7. Re:This is very annoying for me by Winckle · · Score: 1

      No problem man, glad to hear you're working on it, it was a little weird when I went to your addons site to reinstall it and I couldn't.

    8. Re:This is very annoying for me by LeRaldo · · Score: 1

      2df is just a bloated front-end lobby system for nFBA. It's not necessary to play games with people.

    9. Re:This is very annoying for me by Anonymous Coward · · Score: 0

      Microsoft .NET Framework Assistant and Windows Presentation Foundation, all versions, for all applications. Reason: remote code execution vulnerability (see bug 522777) [https://www.mozilla.com/en-US/blocklist/]

      See that part about "remote code execution" ? You really don't want that.

    10. Re:This is very annoying for me by Anonymous Coward · · Score: 0

      Fuck you microsoft shill.

  25. Is There a Conspiracy? by Mad+Hamster · · Score: 4, Interesting

    After last Patch Tuesday (yes, this is a confession I do have some Windows boxes), Firefox on my systems developed an issue with pages displaying in sort of a text-only mode when using the Refresh button(1). Page load times were also longer than usual. Those issues disappeared immediately once Mozilla's block of the .NET addon & the WPF plugin arrived.

    This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.

    After all, the vulnerability has been known to Microsoft for several months, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.

    (1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.

    --
    Yandelvayasna grldenwi stravenka
    1. Re:Is There a Conspiracy? by bhtooefr · · Score: 1

      Could also be an issue with loading CSS - I actually get that a lot on Opera if the Opera session has been running for a while (think weeks) and used heavily.

  26. Outrage by windex82 · · Score: 3, Insightful

    Where's the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automatically?

    1. Re:Outrage by recoiledsnake · · Score: 1

      At least they should have allowed people like this one a way to allow the plugin to run.

      --
      This space for rent.
    2. Re:Outrage by not-my-real-name · · Score: 1

      I always wonder when I see a comment like this. Did they not read any of the other comments? Virtually every story on Slashdot has some outraged person or another posting a comment.

      --
      un-ALTERED reproduction and dissimination of this IMPORTANT information is ENCOURAGED
    3. Re:Outrage by Anonymous Coward · · Score: 0

      I would imagine for a lot of people here this isn't automatic. Mozilla is just finishing a job we have been working on since the patch came out. I appreciate the help....

    4. Re:Outrage by Anonymous Coward · · Score: 0

      It's not being argued by informed people, because you have the option to re-enable it in Firefox, if you'd like.

      The outrage is about the evil company that automatically installed something dangerous on your browser, disguised as a "Security Patch", with no description of what it was installing.

    5. Re:Outrage by Culture20 · · Score: 1

      Where's the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automatically?

      I'll show you where it is: Open up your Firefox browser, surf to "about:config" and search for blocklist. There ya go. Oh wait, that's the place that allows you to turn off or fine tune Mozilla's blocklist.

    6. Re:Outrage by windex82 · · Score: 1

      When I started the post there were no other posts.

      Immediately after posting there was one from a user who was posting around the same time I was.

      I suspect there are many more now that you have gotten here.

    7. Re:Outrage by CSMatt · · Score: 1

      I don't know. All I see is more gripe about Microsoft's addition of the thing in the first place. Microsoft had no right to silently install the add-on to begin with, but two wrongs don't make a right. Mozilla had no right to tell their user base what's good for them, at least not without an option to override the blocklist, which the Mozilla blocklist information site linked to in the submission makes no mention of.

  27. While they're at it... by wigle · · Score: 4, Informative
    They should also disable the Adobe Download Manager (Adobe DLM). For any of you that have downloaded Adobe Reader 9 (with Firefox) recently, you would have noticed that they make you install a Firefox add-on instead of just linking you to the binary.

    It's proprietary and full of ads! Just what I wanted, an extension that checks for updates of my Adobe Reader software. Uninstalled. The Firefox team should send a message. Firefox add-ons are not yours to take over like the Windows startup.

    --
    ::wigle::
    1. Re:While they're at it... by Bobtree · · Score: 1

      You should really just dump Acrobat and get Foxit Reader instead.

    2. Re:While they're at it... by Anonymous Coward · · Score: 2, Informative

      You're going too low on the food chain; just disable adobe reader.
      The thing is an ongoing Greek tragedy of one inexcusable remotely exploitable security
      vulnerability after another on a monthly basis. 9.1 I figured I'd forgive them their errors and I installed the 9.1.1 patch, yes, patch, since apparently they couldn't be bothered to make an installable version so you'd have to install the KNOWN VULNERABLE version FIRST then patch it to get the latest version. Fast forward a few weeks and, oops, 9.1.1 has also a remotely exploitable vulnerability that sits unpatched for all too long until 9.1.2 patch comes out. Ok, installed that. Rinse, repeat, what do you know, 9.1.2 is remotely exploitable too, and here comes a 9.1.3 patch. Ok, this is getting ridiculous and scary since there have been common exploits in the wild infecting people with drive-by malware through PDF/javascript/browser integration while they were cooking up the latest patches. And, hey, what do you know, 9.1.3 NOW has itself a remotely exploitable vulnerability and there IS NO PATCH.
      F*** adobe and their insecure bloatware. Is it too much to ask that sometime in the last dozen versions you could have, say, removed a lot of the insecurities, disabled the media / javascript / browser integration / etc. stuff by default, and come out with a useful version that isn't the SINGLE BIGGEST VULNERABILITY on millions of systems?

      PDFs are now getting read or format converted to something that doesn't wreck my machine using a linux VM via evince / xpdf / ghostview or whatever. Never again, Adobe; your PDF reader software is "considered harmful".

      Oh, and the story with FLASH player plugin is the same. Look at the vulnerability reports for the last dozen or so versions and try to convince yourself it is safe to run their latest honeypot of the day "it's fixed now, honest..." version.

      FWIW, though, for the masochists that insist on drinking their PDF poisoned kool aid, do yourself a favor and use ftp.adobe.com to download it and not their worthless web site; at least you can save some of the pain of dealing with their malware soap opera of non-improving versions.

    3. Re:While they're at it... by socsoc · · Score: 2, Informative

      Just click the "if your download doesn't start, click here" link. It's worked for me in both FF and IE

    4. Re:While they're at it... by Anonymous Coward · · Score: 0

      Add bittorrent's btDNA or whatever it is to that list. Installs without any permission request or notification whatsoever.

      I think I see a need for a plugin blocker plugin!

    5. Re:While they're at it... by jim_v2000 · · Score: 2, Informative

      You don't have to install their plugin...there's a link on the page that says something like "Click here if download doesn't start".

      --
      Don't take life so seriously. No one makes it out alive.
    6. Re:While they're at it... by MojoStan · · Score: 1
      That reminds me...

      For those who updated the Windows version of Adobe Reader (version 9.2 arrived last week), note that the update enables (or re-enables) AdobeARM.exe and Reader_sl.exe (Speed Launcher) as Windows startup programs without asking or giving you the option of not installing/enabling.

      I can confirm that they can be disabled in Windows 2000 and XP using CCleaner. For those who don't have or want that great utility, I'm sure they can also be disabled in msconfig (Run...) and Windows Defender.

      And yes, I know about Foxit Reader and other alternatives.

      --
      TO START
      PRESS ANY KEY

      Where's the 'ANY' key? I see Esk, Kitarl, and Pig-Up...

  28. SSL by Mr_Plattz · · Score: 1

    Can someone please fix the SSL problem associated with https://en-gb.www.mozilla.com/en-GB/blocklist/ kthx

  29. I Don't trust just disabling by fast+turtle · · Score: 1

    the damn thing because of the manner in which it installed. It's a registry entry, which means that unless Firefox/Mozilla pulls it from the registry itself, I doubt it is actually disabled because it's not a plug-in/add-on.

    Call me paranoid but since the plug-in/add-on is not installed into the proper firefox extensions/plug-in folder, I can't see how Firefox can control the behaviour of the damn thing so take the assured disabling route of deleting all of the registry keys for the damn thing under the Mozilla/Firefox entries. Did that and the add-on was gone right away without restarting firefox and that suggests to me that it can't be disabled by Firefox/Mozilla using the traditional methods.

    --
    Mod me up/Mod me down: I wont frown as I've no crown
    1. Re:I Don't trust just disabling by maxume · · Score: 1

      Firefox is running the damn thing because of the registry entry. Firefox can avoid running it by ignoring the damn registry entry. Firefox supports running plugins based on registry entries because it is nice for people managing lots of systems.

      --
      Nerd rage is the funniest rage.
  30. add-on/plugin versions by lseltzer · · Score: 1

    Somewhat tangential to the subject: your plug-in check page showed a lot of my plugins as not reporting version information.

    Is there a standard interface for this that many plugins are ignoring, or do you have to fish out version information from files?

  31. Invalid certificate - no site by Anonymous Coward · · Score: 1, Informative

    And what's even worse: It only has a 'check certificate' and 'abort' button. There's no way to get to the webpage.

    If the site didn't have a cert at all, firefox would happily display it, but with an invalid cert you don't even get an option to do that.

    1. Re:Invalid certificate - no site by Anonymous Coward · · Score: 0

      > If the site didn't have a cert at all, firefox would happily display it

      You're confusing HTTPS with HTTP. The former requires that the connection is authenticated before the request is sent.

      It never ceases to amaze me how many people advocate for a mechanism where the browser would simply ignore authentication failures and send the request anyhow, merely informing the user "I've just sent your credit card details to a phishing site, in case you care".

    2. Re:Invalid certificate - no site by Anonymous Coward · · Score: 0

      The reason it only gives you 'Check Certificate' and 'Abort' is because they want you to at least look at the reason the certificate isn't valid before you decide to go ahead. If you actually clicked on 'Check certificate' you would be presented with information from the certificate and an option to add an exception.

  32. How about just disabling /. fanbois by Anonymous Coward · · Score: 0

    Fixed

  33. I can't believe this. by Fantastic+Lad · · Score: 3, Insightful

    my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.

    You did the right thing. Please ignore silly comments from the peanut gallery.

    All diplomacy aside, I appreciate any efforts to lock down the walls against invasive bullshit I was tricked into installing and had to crawl through my registry with a flashlight and hip waders in order to kill. Further, anybody who doesn't have a problem with Microsoft tampering with third party software they have no business touching is probably not the sort of person whose complaints are worth clogging up your conscience with.

    Cheers!

    -FL

    1. Re:I can't believe this. by CSMatt · · Score: 1

      I see what you did there, and it was a lovely attempt at a straw man. The fact that the plug-in had no right to be on the system at all is irreverent. What is relevant is that Mozilla tried to disable it without offering an option to leave it on there or the ability to undo what Mozilla thinks is best, giving the user final say on the action. What if it wasn't Microsoft's add-on, but something you knowingly installed? Would you feel different then?

    2. Re:I can't believe this. by Arker · · Score: 1

      The fact that the plug-in had no right to be on the system at all is irreverent.

      It may be irreverent but it is definitely relevant as all heck.

      What if it wasn't Microsoft's add-on, but something you knowingly installed? Would you feel different then?

      And what if milk was rum? What if day was night? What if life was death?

      How silly can you possibly be?

      But I will try to fix that up so it makes sense to answer. How about what if, despite the fact that you didn't knowingly install this crap, you do actually want it on your machine? Then let MS know they need to do it right! That means it cannot install silently, but only with active user consent, and it must allow uninstallation by the normal means. MS' failure to put out the plugin in a form that is not malware is on them, not on Mozilla!

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    3. Re:I can't believe this. by CSMatt · · Score: 1

      Let me explain my situation at the current moment.

      I almost never run Windows anymore, so up until now I didn't even know about this stunt by Microsoft in the first place. However, Firefox is still my primary browser, so while Microsoft's move is upsetting (and I want to take the time right here to say that at no point did I disagree with anything in your last paragraph), at the current moment I am far more concerned that I may have lost my control over my browser if Mozilla is able to arbitrarily disable any add-on that they want to, regardless of reason, without offering an opt-out mechanism. Firefox's update system, by contrast, is fully automatic and enabled by default yet I can still choose to disable parts or all of the update system should I want to do so. Apparently the only way to disable this is by some obscure about:config entry, which was not mentioned anywhere on the linked Mozilla page on blocked sites and that I only found out about by reading another Slashdot comment. Whether this particular add-on is supposed to be on the machine at all is, in my opinion, another concern entirely, and separate arguments can be made against it. My personal concern at the moment is Mozilla's mandatory kill switch.

      At no point does any of this excuse Microsoft's silent installation of something that will harm the Web in the long run, but neither do their actions excuse the fact that Mozilla can now kill any add-on they want.

    4. Re:I can't believe this. by luserSPAZ · · Score: 1

      Uh, you can disable the blacklist, if you really want to. It's just enabled by default because we think it's the right thing to do. The vast majority of people do not know they even have these things installed, nevertheless how they would update them or otherwise mitigate their risk.

      Also, if you read the original blog post, Mike Shaver spoke to Microsoft before making this decision. Mozilla does not employ the blacklist without consulting with the vendor in question first.

    5. Re:I can't believe this. by Fantastic+Lad · · Score: 1

      What if it wasn't Microsoft's add-on, but something you knowingly installed? Would you feel different then?

      Of course I would. But that's not what happened. I have a lot of respect for the Mozilla folks who created my favorite browser and didn't charge me a red cent for the service. I don't believe for a second that they intended malice or even committed a thoughtless disregard.

      They acted fast to lock out a security risk which was stealth-installed by Microsoft. In a few instances, some people want that piece of Microsoft code back in place, and as I understand it, the Mozilla team is at this moment working to accommodate them.

      It's all about intent, and I am impressed with the choices and actions taken by the Mozilla programming staff.

      -FL

  34. and people wonder why MS has security problems by ummit · · Score: 2, Informative

    In what universe is it acceptable for vendor A to modify vendor B's software on User C's (i.e. my) computer? To modify it at all, let alone with security-impacting ramifications?

    Earth to Microsoft: drive-by downloads are among the worst of vulnerabilities. They must be avoided at all costs. And the way to avoid them is not to be more careful when writing and installing unnecessary little browser plug-ins. The way to avoid them is not to install unnecessary little browser plug-ins in the first place. (And if you simply must install unnecessary little browser plug-ins, do it with your own grotty browser, not the non-Microsoft one I installed specifically to avoid all the security concerns of yours.)

    Sheesh.

    1. Re:and people wonder why MS has security problems by RAMMS+EIN · · Score: 3, Insightful

      And this is why more and more people don't trust software that isn't open source. Sure, your browser may be free software, but since the operating system is closed source, others can still play dirty tricks on you. If there is any non-free software on your computer, you don't really control it.

      --
      Please correct me if I got my facts wrong.
    2. Re:and people wonder why MS has security problems by Phroggy · · Score: 1

      In what universe is it acceptable for vendor A to modify vendor B's software on User C's (i.e. my) computer?

      Probably the universe in which User C goes out of their way to install Vendor B's software, knowing full well that Vendor B has included an add-on mechanism that allows for third parties such as Vendor A to create extensions that augment the behavior of Vendor B's software.

      That Vendor A would slip such an extension into the installer for a security patch to Vendor A's software, without the knowledge of User C, is of course a problem. That problem has already been discussed at length.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    3. Re:and people wonder why MS has security problems by jim_v2000 · · Score: 1

      Unless you're claiming that open-source software is free of vulnerabilities, I don't see your argument here.

      --
      Don't take life so seriously. No one makes it out alive.
    4. Re:and people wonder why MS has security problems by BZ · · Score: 2, Interesting

      > In what universe is it acceptable for vendor A to modify vendor B's software on User C's
      > (i.e. my) computer?

      This one. Various antivirus software hooks into Firefox and modifies its behavior (in Kaspersky's case by activating normally inactive codepaths that make DOM manipulation 100x slower or so in many cases). Various software (Adobe, etc) drop binary plug-ins into both IE and Firefox (and anything else they can). Various software of dubious provenance throws various dlls into the Firefox process that do ... something. Mostly crash a lot, given the lists of dlls and the crash correlations to those in the mozilla crash database....

      I agree that this behavior sucks, but it seems to be the norm, at least on Windows.

  35. It's part of the Microsoft business model, IMO. by Anonymous Coward · · Score: 5, Interesting

    Vulnerability to malware is very profitable for Microsoft and its main customers, computer manufacturers. When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has security risks. See the New York Times article Corrupted PC's Find New Home in the Dumpster.

    Vulnerability is a business model for Microsoft, in my opinion and that of many people.

    But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.

    But, as they say in late-night infomercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.

    Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.

    So, maybe just being evil is another part of Microsoft's business model.

    1. Re:It's part of the Microsoft business model, IMO. by Sirusjr · · Score: 1

      I fail to see how it would be beneficial to do an upgrade rather than a flat out re-format followed by re-install. The problem is the only reasonably priced versions of Windows 7 are upgrade versions that require me to have Vista on that machine. Thanks but I think I'll stick with XP on my home desktop for the time being.

    2. Re:It's part of the Microsoft business model, IMO. by dwinks616 · · Score: 0

      "Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one." Anyone that even bothers with the "upgrade" rather than backing up their data and doing a clean install deserves to have to pay twice.

    3. Re:It's part of the Microsoft business model, IMO. by jasonwc · · Score: 1

      You can do a fresh install with an Upgrade disk. Just choose the custom install option and when the install finishes, "upgrade" over the current install. You really don't need to buy a Full Version. I've done several fresh installs with upgrade disks. This functionality is not advertised of course.

    4. Re:It's part of the Microsoft business model, IMO. by Whisperwolf · · Score: 2, Informative

      There is a problem with that, because Microsoft have recently changed their licensing policy for XP (amongst others). Now unless you have the ORIGINAL disk supplied with the machine, or can create a keyed disk from the rescue partition of a machine (which becomes impossible if it's so riddled with malware that Windows won't run) you can't reactivate Windows. If you use a different Windows disk, even if your machine has a valid certificate of authenticity sticker on the side, it will fail to pass "genuine product authentication" - and Microsoft are now refusing to re-authenticate because they say they've changed the rules to say if you don't have the original disk supplied with the machine, you MUST buy a new license.

    5. Re:It's part of the Microsoft business model, IMO. by MojoStan · · Score: 1

      I fail to see how it would be beneficial to do an upgrade rather than a flat out re-format followed by re-install. The problem is the only reasonably priced versions of Windows 7 are upgrade versions that require me to have Vista on that machine. Thanks but I think I'll stick with XP on my home desktop for the time being.

      You qualify for Windows 7's reduced upgrade pricing if you have Windows XP, too. From the Microsoft Store's pre-order page:

      • "You qualify for Windows 7 upgrade versions if you're running genuine Windows Vista or Windows XP on your PC."

      Windows Vista is only required if you want to do the undesirable "in place" upgrade over your old OS installation. To install the upgrade version of Windows 7 on a Windows XP PC, you are required to do a "clean" installation (back up, erase old OS, install new OS, re-install apps). However, Windows XP users do qualify for "upgrade pricing."

      I agree that it's always better (but more time-consuming) to do a clean install anyway, even if an "in place" upgrade is possible. Windows Easy Transfer (it's on the Windows 7 DVD) makes it somewhat easy by backing up user accounts and settings in addition to files.

      --
      TO START
      PRESS ANY KEY

      Where's the 'ANY' key? I see Esk, Kitarl, and Pig-Up...

    6. Re:It's part of the Microsoft business model, IMO. by Kaboom13 · · Score: 1

      I don't know about their official policy, but reinstalling machines with oem versions of Windows with the key on the sticker is something I do all the time, in fact I did it twice on Friday. 99% of the time you have no activation problems, when you do you call the number and the automated computer voice helps you activate with no issues, including with WGA. What may be your problem is the media used, you need OEM media for OEM keys. I would really like to see a concrete, reproducible example of the problem you're talking about.

    7. Re:It's part of the Microsoft business model, IMO. by SteveFoerster · · Score: 1

      You bet. In fact, my laptop came with XP on it and so that's exactly what I did.

      --
      Space game using normal deck of cards: http://BattleCards.org
    8. Re:It's part of the Microsoft business model, IMO. by RobertM1968 · · Score: 1

      Exactly how useful is any of that if I have thousands of dollars worth of programs, and like most computer users, cannot find a combination of (a) the media, and/or (b) the install keys?

      Just curious. And no, I do not fit that category. I've got shelves full of my disks, packaging and keys... but most users do fit that category. Seems people who waited until Microsoft fixed Vista (and called that Service Pack Windows 7) are being punished for not laying out the cash for Vista. Why couldn't Windows 7 just install over XP in the same fashion Vista did? There aren't any radical enough changes in Windows 7 to prevent Microsoft from having allowed that capability just as they did with Vista. And don't give me the "well, XP isn't really supported" argument either (just in case you were considering it). Vista was a mistake that should not have been released until it was complete.

    9. Re:It's part of the Microsoft business model, IMO. by starfire83 · · Score: 2, Informative

      You know, I always laugh when anti-Microsoft zealots mention that Microsoft is "evil" when in fact they are just doing smart business. I bet you're a card carrying FOSS zealot that loves to use crippled, unpolished FOSS out of sheer principle since MS (or M$?) is so "evil."

      I also laugh especially at the anti-Microsoft zealots that call Windows 7 "Vista SP3" or a "small update" to Vista when in fact it is anything but that (was XP Win2k SP5?). But I guess you wouldn't really know just how good Win7 is since you can't be bothered to actually give it a whirl since MS is so "evil." I've been using Win7 since the first public beta and it's the best OS I've ever used and I'm not new to the OS landscape (Gentoo, Slackware, Red Hat/Fedora, Ubuntu, random small linux distros like SourceMage, OS/2, Mac OS 9-X.5, DOS, Win3.1-Win7). It's definitely a large step up from Vista in terms of performance, stability, bloatiness, and general user-friendliness.

      You've also apparently missed the very large campaign that MS has done in recent months of "Buy Vista now and get Windows 7 FREE." So you don't even have to buy Windows twice, only once. It even works for older Vista license keys. You'd get the corresponding upgrade version of Win7 that you got of Vista. But I guess you can't be bothered to check your facts since MS is so "evil."

      Yeah, Vista wasn't that great at first. But as soon as SP1 dropped it got much, much better and wasn't riddled with half the problems it had at launch (most of which weren't MS's fault but software and hardware manufacturers being lazy). Vista fundamentally changed the Windows programming scape and software and hardware manufacturers sat around with their thumbs up their asses not wanting to change their broken code when there were tons of betas and release clients for Vista floating around on MSDN for a long time. Vista's launch was anything but rushed.

      There also comes a point when backwards compatibility becomes a system security liability and it just has to go. So upgrading to Win7 from XP makes sense not only in the fact that it's a completely different kernel design but an entire OS version behind (5.1 to 6.1). Upgrading in the typical sense just wouldn't work at all. However, the emulation options under Vista and 7 for WinXP actually work most of the time.

      You can disagree with Microsoft's business tactics all you like but please at least get your facts straight and have a little bit of an objective perspective.

    10. Re:It's part of the Microsoft business model, IMO. by codeguy007 · · Score: 1

      How recently? I recently re-installed Windows on several HP systems with only the stickers and they passed the WGA no problem. With a couple, I did need to call in, but I had no problem getting them validated. Just told them I was reinstalling which was the truth. I am guessing with those someone copied the license key from work and used it at home.

    11. Re:It's part of the Microsoft business model, IMO. by master_p · · Score: 1

      I agree with you, but I find those people in the article you posted 'strange'. All it takes to have a secure Windows XP computer is to:

      1) have an antivirus program.
      2) use a browser other than IE.
      3) use a firewall.

      Can it be so difficult for non-technical users? Googling for 'how to secure my PC' brings up thousands of web pages that essentially give the above advice.

      It's quite strange that even CS professors don't know how to secure their XP computer.

  36. hur hur hur by pizzach · · Score: 1

    I might feel more sorry for you if I had a Windows machine I could install the addon on. Why wasn't the page written in Silverlight or something? :-3

    --
    Once you start despising the jerks, you become one.
  37. Does anybody actually use these forced plugins? by Dwedit · · Score: 3, Insightful

    Is there any software which actually uses these .NET Helper and Windows Presentation Foundation plugins? Do these expose an API to let javascript code interact with the .NET framework or something? Do they let people write Firefox extensions in a .NET language? Do they let specially crafted Microsoft websites run .NET code in Firefox?

    If users have nothing to gain from these plugins, then there is no reason they should exist.

    1. Re:Does anybody actually use these forced plugins? by Shados · · Score: 1

      No, it just lets the browser run XBAP applications as well as (I think) Click Once applications (The .NET version of Java webstart)

      It is fairly common in the enterprise, and there's a handful of them around the open web. They actually work REALLY well, and are probably far more secure than html/javascript applications. And the plugin COULD be uninstalled/disabled in its last updated version.

      This is just a major overreaction really. If Microsoft makes everything IE/Windows only, people scream. When they don't, people scream too. Woohoo. The only thing they really need to be slapped upside down over is that the plugin couldn't be uninstalled in its first version, and the update wasn't distributed automatically. Then again, it's not like you couldn't uninstall .NET.

    2. Re:Does anybody actually use these forced plugins? by shutdown+-p+now · · Score: 1

      Is there any software which actually uses these .NET Helper and Windows Presentation Foundation plugins?

      Yes, though very few at the moment. Lessons of ActiveX and other proprietary technologies were learned.

      It's somewhat more common on intranet, though (but that is a very different kettle of fish anyway).

      Do these expose an API to let javascript code interact with the .NET framework or something?

      No.

      Do they let people write Firefox extensions in a .NET language?

      No.

      Do they let specially crafted Microsoft websites run .NET code in Firefox?

      Kinda. It's largely equivalent to Java applets.

    3. Re:Does anybody actually use these forced plugins? by jim_v2000 · · Score: 1

      "If users have nothing to gain from these plugins, then there is no reason they should exist."

      Since they DO exist, one would logically assume that there was a reason to make and release them. That said, there have been a few posts in this thread about people who have lost functionality from the plugins being disabled.

      --
      Don't take life so seriously. No one makes it out alive.
  38. Mozilla should not follow Microsoft- no phone home by gooneybird · · Score: 2, Insightful

    I do not like Firefox "phoning home" any more than I like Microsoft "phoning home". I do not care if it's open source or not. I am here to tell Mozilla to STOP phoning home. I don't care what it's for or however good the intentions are... This combined with the apparent complete lack of concern for bugs and stability of Firefox 3.5.x and the apparent desire to just keep pumping out more versions and features, instead of actually releasing a quality version, is making me definitely consider alternatives. It appears that as the Mozilla organization grows in size, it's becoming similar to Microsoft.. This can't be a good thing. And the cut-n-paste has been broken since v3.0 - are they ever going to fix it? - Or just keep putting out newer versions that the more newer it is, the more it crashes.

  39. What's even scarier... by pongo000 · · Score: 1

    ...is that I didn't even *know* I had this add-on installed until I saw a small pop-up advising me it had been disabled. This was on my iBook, BTW. I know that I never installed it myself (I have no use for .NET, especially on a Mac), but I cannot figure out how it was installed.

    Worse yet: I can't even remove it, because the uninstall button has been disabled. Note to the Mozilla folks: Don't disable something and then prevent users from making it disappear.

    1. Re:What's even scarier... by BZ · · Score: 1

      It's installed on Mac when you install Flip4Mac, iirc. Completely silently, of course.

    2. Re:What's even scarier... by pongo000 · · Score: 1

      Thanks, that would explain it.

  40. Google is NOT competing for browser share by SmallFurryCreature · · Score: 5, Insightful

    People, please let this idea die VERY quickly. Chrome is NOT there to get an install base for Chrome. It is there to get an install base for modern browsers with fast javascript/DOM.

    Google operates in the browser and in order to be able to get the next generation products out there, it needs to ensure that those products can be run. IE/MS ain't capable of this, so they both push MS by making them scared to completely lose the browser AND by capabilities to IE to make it play catch up with the real browsers.

    In a way, what Google is doing is installing electricity cabling into every house. NOT because it wants to be in the utility business but because it has all these designs for electric machines and they ain't going to be selling them to people who use candles and woodstoves.

    MS on the other hand does NOT want people to have modern browsers, or rather not browsers that act like browsers. Its business relies on activex and .net and the like to keep apps closely tied to their windows OS.

    MS fears projects like gmail and worse wave. It knows that its software is increasingly a major cost of computers (check it, hardware prices go down, MS prices go up) and while so far its software offers a lot more features, the sign of netbooks is that, a lot of them ain't needed. I got a netbook (with linux) that is not nearly as capable as a full PC. I can't game on it, its office tools are simplistic but guess what, it is all I really need.

    MS has been selling XP, a lot, for netbooks but it has been doing it at a fraction of the price it would like to charge and really, it only sold XP so cheaply because else Linux would have been installed. You would be right in assuming a LOT of people would replace Linux with an OLD XP copy (license of an old PC you threw away is still valid) but MS doesn't even want the idea that there may be yet another OS out there. An OS that while not perfect is good enough. People are already getting dangerously exposed to this idea by their cellphones. Quick poll, who has Windows Mobile and is willing to admit it? Everyone knows that an iPhone gets you the girls, this even goes for girls.

    MS ideally wants to sell you their OS for 300+ dollars, that doesn't fit well for a 300- netbook or indeed a mobile phone, but that is MS business model, and ideally, you should spend another 300 for the office suite. (please, MS fanboys, do NOT link to student discounts or OEM versions. Full price for the box in the MS store.)

    Google is doing something completely different. It is saying. Nah, you don't need a 300 dollar OS with a 300 dollar productivity suite. Just a browser (free) on free/cheap OS and you got all you really need. For free. Sure, there are some angles (your data is on the google servers) but for a lot of people, it is good enough.

    AND that, is what scares MS. Because... even if people would still use windows, the Windows they would be using is their old XP. This is already the case in many companies. And without the cashcows of Windows/Office, how can MS afford all its other attempts to control markets?

    The browser wars are back, but they are being fought for a different reason. Chrome is NOT netscape 2.0

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Google is NOT competing for browser share by nacturation · · Score: 1

      Google is doing something completely different. It is saying. Nah, you don't need a 300 dollar OS with a 300 dollar productivity suite. Just a browser (free) on free/cheap OS and you got all you really need. For free.

      Of course, others like their computing without advertisements and are willing to pay money for that.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:Google is NOT competing for browser share by Anonymous Coward · · Score: 0

      That's why I saw a Television Ad on a Very well known news network. Yes their goals are to be faster, better etc.. but don't kid yourself or others that Google is altruistic in its pursuits.

    3. Re:Google is NOT competing for browser share by uuddlrlrab · · Score: 1

      Of course, others like their computing without advertisements and are willing to pay money for that.

      ...

      ...Wut?

      --
      Odi profanum vulgus et arceo
    4. Re:Google is NOT competing for browser share by Anonymous Coward · · Score: 0

      Isn't that the same that MS is doing with .Net?

      Though it's more like installing a hole in an outside wall so that you can toss your shit out on to the street.

  41. How to override? by Anonymous Coward · · Score: 0

    That's great and all, but one of my core beliefs is that the user should be able to override anything (even if it means certain death). Bury it really deep, throw up a bunch of dialogs, whatever; it is my computer, I'll take the risk if I so choose. It doesn't appear to be possible to override this setting; that is unfortunate.

  42. Thanks Microsoft! by tomer · · Score: 1

    Thanks Microsoft for not pushing Silverlight plugin to every Windows box and enabling it on both Firefox and Internet Explorer.

    Thank YOU for creating Operating Systems not controlled by Microsoft (such as Linux).

  43. Posting to undo moderation by wampus · · Score: 1, Funny

    FIX THE STUPID FUCKING MODERATION INTERFACE!

    Filter error: Don't use so many caps. It's like YELLING.
    Filter error: Don't use so many caps. It's like YELLING.
    Filter error: Don't use so many caps. It's like YELLING.

    I AM!

  44. .Net vulnerability; fix is broken by yelvington · · Score: 1

    Moments after Firefox on my Windows PC complained about the .Net extension (which I do NOT remember installing), I got a system notification telling me about an important Microsoft security fix that included .Net.

    So I accepted the update. And it failed.

    The ineptitude is just mind-boggling.

    At this point, iTunes and a couple of games are the only reasons Windows is still installed at my house. I would much rather ditch Windows entirely for Ubuntu. I know Apple doesn't want to enable Linux as a rising competitor, but a portable iTunes would be a big stake in the heart of the beast.

  45. mozillawnd! by yanyan · · Score: 1

    Mozillawnd! w00t!

  46. correct decision by Anonymous Coward · · Score: 0

    Anyone who makes web pages that require a plugin, is making non-platform agnostic web pages, and is clearly an incompetent web developer!
    Such a plugin shouldn't even exist, so who cares if it is gone? I'm just pleased that Mozilla made the correct decision to shut down this broken mess, before it does real damage. Personally, I think this type of plugin should be blocked for good, since all it does is break web interoperability by encouraging poor developers/stupid people to (presumably) unknowingly write broken web apps.

  47. Old Problem = New Marketing? by tunapez · · Score: 1

    Running a 10 day old install of 7 RC x64, but I seem to recall removing this from my other Win/Ubuntu machines back in June. After hearing the new cacophony a few days ago, I found and disabled the plug-in to see if I would be missing anything before I uninstalled it completely(7RC did have disable & remove buttons). Caturday morning I started up FF(3.5.3) to a prompt to restart FF to disable the add-on I had already disabled. Before restarting, I noticed the Disable button was greyed out, and the enable & uninstall buttons were gone. Same after restart. So, my add-on is now "doubly" disabled and I have to edit the reg to remove now? Glad to see the pro-action, but this has the pomp & reek of a marketing campaign for the new add-on checker.

    Meh, FF jumped the shark already, IMO. I use it(and IE) because it is what the customers use and it has AB+ & NoScript. Guess it's time to use Opera FT while looking for the next pre-bloated-from-success browser that plays nice w/ JRE, JS & Flash. sigh....

    --
    Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  48. Re:The real reason why they want to hack user agen by Anonymous Coward · · Score: 0

    As a Java and .NET developer, it's too bad. I vastly prefer .NET. With Mono, it can even be multiplatform.

  49. What the hell, people?.. by uuddlrlrab · · Score: 4, Interesting

    Though it has been exhaustively stated already, it bears repeating...so I'll repeat it: the .NET plugin or extension (whatever it is) does not allow users to disable or uninstall it via normal interfaces. Basically, without Mozilla's patch, you have to do some file system & registry spelunking to close this breach; like someone mentioned, that's not something the average user is going to look forward to, and for many is far beyond their scope of capabilities. To my knowledge, no other plugin or extension exhibits this bad behavior, nor are they foisted on the user via sleight-of-hand as a "security update." Furthermore, to those who balk that Mozilla can't differentiate between unpatched and patched versions, once again, this plugin came from MS. If it's their plugin for their .NET framework, that is exclusive to their OS, wouldn't that sort of make it their responsibility to have it include version info, or some way to check, via the filesystem or registry details, the .NET file version numbers/installed ver info and report it back to firefox? Hell, wouldn't it be on them to ask the user if they want to install it, along with making it fully removable in the first place? How, precisely, should Mozilla, an entirely separate org who I don't imagine ever anticipated having such a wonky problem be created for their browser's extensions, handle this, if not via the patch they released? Why is everyone defending Bill & Steve?

    I think this was a real fumble for MS, and Mozilla took steps to prevent critical problems--don't know about the best steps, but at least they were quick to action. Imagine if this had not been done, and exploits for the problem started popping up like wildfire, or widespread browser/OS crashes became common; how many users would firefox lose, due to a problem entirely of someone else's making? Let's not get confused over who's the bad guy. MS has the most to gain from any perceived flaws in a competing product, and their track record isn't exactly one that shows overwhelming care and concern for the end user. Even if not malicious, and chances are it's not, it still is another mark of incompetence on the overall company that they're releasing flawed software and forgetting courtesies like asking the user if they actually want the changes, not to mention not allowing them to revert it without 'popping the hood'.

    --
    Odi profanum vulgus et arceo
    1. Re:What the hell, people?.. by shutdown+-p+now · · Score: 1

      Though it has been exhaustively stated already, it bears repeating...so I'll repeat it: the .NET plugin or extension (whatever it is) does not allow users to disable or uninstall it via normal interfaces.

      False. You could always disable it (by clicking the "Disable" button in Firefox Extension Manager, as usual). You couldn't uninstall it in the first version of the plugin, but that had been fixed a while ago by a patch (to the plugin).

    2. Re:What the hell, people?.. by uuddlrlrab · · Score: 1

      That's fine. So they fixed the issue their first software update introduced. It still remains that there was not a single dialog box, nothing to ask if someone wanted to install this functionality. I still wonder, though, if there's something peculiar going on. It was only within the past two months, three at most, that I did a .NET update on a machine, only to experience the problem as described with the first release of this. Who knows? Could be I missed the specific kb???whateverthehell .NET update that had the fix, just got the buggy first version. MS, how about you consolidate bug fixes for things, and do a better job of making sure you're not still offering out-of-date "updates" that introduce as many or more bugs than they fix? Bill, Steve, any thoughts?

      --
      Odi profanum vulgus et arceo
  50. And in other news. . . by JSBiff · · Score: 1

    There've been a few anonymous reports from Redmond, WA that people have been seeing chairs randomly flying through office windows at MS Headquarters.

  51. also with Flash! by YesIAmAScript · · Score: 1

    I updated Firefox, it said "you better update Flash", and so I went to update Flash and Adobe tried to insert a new plugin into my browser!

    This seems like a poor bargain to me. Firefox pushes us to the Adobe site so we can update our buggy Adobe add on to be less insecure and Adobe takes the opportunity to put another add on in, which probably has its own bugs.

    Anyway, I clicked no to that offer to install Adobe DLM, and somehow managed to install the new Flash anyway.

    --
    http://lkml.org/lkml/2005/8/20/95
  52. You are as gay as AIDS by Anonymous Coward · · Score: 0

    crawl back in your hole and die, M$ drone.

  53. Wait, its okay for Firefox to have a kill switch? by fluffy99 · · Score: 2, Insightful

    Given all the past fuss about Amazon, Apple, and Microsoft having the ability to remotely disable features, software or addons, it's suddenly not an issue that Firefox has the capability of pushing changes? While I think the Firefox devs gave some serious thought before throwing this switch, I don't think this is a no-brainer. What about environments where they need the .net add-on? Are they forced to go back to using IE? Do you see Microsoft disabling the old versions of Firefox or Adobe Flash?

    If you want to read a mix of retarded, informative, and stupid comments have a look at the bug report https://bugzilla.mozilla.org/show_bug.cgi?id=522777. For example - "Firefox shouldn't have to rely on IE patches for security" - this is not related to IE. It also seems to be political as they have no interest in determining if they have the .net update that negates the vulnerability (the vulnerability is not in the Firefox add-on, it's in .net which becomes accessible from within Firefox if the addon is enabled).

  54. Re:The real reason why they want to hack user agen by Anonymous Coward · · Score: 0

    With Mono, it can even be multiplatform.

    Hahahahahahahahahahahahahahahahahahahahahahaha

  55. Bogus by Anonymous Coward · · Score: 0

    Microsoft released a patch for the vulnerability on Tuesday. So basically they are blocking because there may be unpatched versions of the .net system component that the plugin requires. Then this same logic should be applied to Flash and Acrobat which have vulnerabilities in older versions. Am I missing something here or is this the exact same situation?

    1. Re:Bogus by Renraku · · Score: 2, Insightful

      A car analogy: If Ford could decide to add a part to your car next time you took it to be serviced, without asking or telling you what it did, and they had a history of shitty engineering, would you really want to have to take your car back in a week because the unauthorized add-on was found to cause the vehicle to burst into flames, or the doors not to be able to latch shut?

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  56. Re:Wait, its okay for Firefox to have a kill switc by Mike+Shaver · · Score: 2, Informative

    We have interest in determining if the Firefox user in question has applied the IE patch in question, but we do not have the means.

    It is related to IE, because the patch in question is explicitly labelled as affecting Internet Explorer, and makes no mention of the fact that it can impact Firefox users who have not gone out of their way to disable part of .NET Framework 3.5 SP1. (That's one of the things we're working on getting fixed, as it happens.)

  57. Re:The real reason why they want to hack user agen by jamstar7 · · Score: 1

    While some slashdotters think otherwise, Java/Windows install base is huge thanks to a couple of very popular apps and tiny games. Since companies these days look for multi platform, multi arch; MS needed to show that their herd has been installed/infected by .NET too.

    Coulda swore Windows was so popular because it shipped on just about everything computer-related back in the day, and still does to this day for desktop & laptops, and those popular apps found homes because of its wide spread distribution. Most commercial app writers write to Windows because it's out there. If Linux were to have the same market penetration, the commercial app writers would be writing to Linux with ports to OS-X.

    --
    Understanding the scope of the problem is the first step on the path to true panic.
  58. You mean you don't know how, not "can't"... by rts008 · · Score: 1

    Open Firefox, type "about:config" in the address bar, hit "enter", click on okay/continue on the warning, then scroll down to "extensions.blocklist.x" and change x (or whatever is there instead of x) to "enabled".

    You are limiting yourself by using "can't" in your vocabulary. I was told not to use that word unless I was a lumberjack every time I used that word as a kid.
    Lumberjacks have a tool to move logs around called a 'cant hook', and unless I was moving logs I did not need that word in my vocabulary.

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  59. The Real Question is... by Nom+du+Keyboard · · Score: 2, Interesting

    The real question is: what took them so long?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  60. It's amazing... by Anonymous Coward · · Score: 0

    It's amazing that Microsoft continue to release crap like this, indeed force it on users, whilst at the same time complaining that things like Google Chrome Frame is a serious security concern and crap like this needs to be stopped...

  61. Dislike unilateral action by Firefox by gigi · · Score: 1

    Mike, I also use these extensions, and I wish you gave me the options of enabling them.

    I am unhappy that something I use gets unilaterally removed by Firefox.

    At the same time, Firefox makes no effort to remove truly hostile software like ICQSearch - I spent at least an hour removing ICQ from Firefox, and it suddenly comes back to life a week later.

  62. Weeeeelll.... by jonaskoelker · · Score: 1

    Sure, your browser may be free software, but since the operating system is closed source, others can still play dirty tricks on you.

    I think that's because I don't read all the code I'm running; I happen to be prevented because it's closed source, but similar things can happen on Linux.

    It'd be really interesting to have a good idea why such things won't or don't happen on Linux. Possibly peer review ("enough eyeballs") and people/companies being afraid of PR backlash if they put in dirty laundry that gets found out (accountability, i.e. a disincentive), plus enough people just wanting to make $NAME the best piece of software it can be?

    Let me be clear about what I'm saying. I'm not saying open source is bad (far from it; I love it). I'm not saying this shit happens to Linux in practice. What I am saying is that "you can read the source" is not the real reason why it doesn't happen to Linux. The real reason has to have to do with people's incentives and the fact that enough of the people with pure enough intentions actually do read the source and catch the evil code. [Similarly for BSD, Haiku, etc., I presume, but with much less experience.]

    (is this the point where I talk about "On Trusting Trust" and the Debian SSH issue?)

  63. Re:Wait, its okay for Firefox to have a kill switc by fluffy99 · · Score: 1

    It's semantics, but the vulnerability is within .Net and not specific to IE. I don't suppose it really matters in the end, but this does contribute to the perception that IE is "infecting" Firefox. It's really a common vulnerability that has been exposed in both browsers. No different than if they shared a common rendering dll that had an issue.

    I believe Microsoft chose to roll this up in the IE cumulative update to minimize some dependency problems (and to perhaps keep the total Patch Tuesday count a little lower?)

    I like the comments given in https://bugzilla.mozilla.org/show_bug.cgi?id=522777#c71.

  64. What by Anonymous Coward · · Score: 0

    Firefox IS a full spyware system.

  65. WPF: Windows Presentation Foundation by Arancaytar · · Score: 1

    Moar like WTF amirite.

  66. Re:Wait, its okay for Firefox to have a kill switc by Mike+Shaver · · Score: 1

    http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx says pretty clearly that it's an IE vulnerability: "While the vulnerability is in an IE component", which fits with the information I have. I think perhaps the WPF plugin uses that IE component?

  67. Freedom of Power by isochroma · · Score: 0

    For those who want to decide for themselves what code runs on their machine, rather than Mozilla corporation invading their computer and deciding for them:

    http://kb.mozillazine.org/Extensions.blocklist.enabled

    1. about:config
    2. extensions.blocklist.enabled: True -> False
    3. Insurance: extensions.blocklist.url: delete string contents

    Done!
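
For administrators who need to know which Firefox profiles have had the blocklist switched off by the steps in the comment above, this added example (not part of that comment, and not Mozilla code) reads a profile's `prefs.js` and `user.js` and reports overrides of the two preferences the comment names. The function names and the sample file contents are constructed for illustration.

```python
import re
from pathlib import Path

# One preference per line, e.g.: user_pref("extensions.blocklist.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; a later line wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparseable
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]  # string value, escapes left as written
        else:
            prefs[name] = raw  # integers and anything else stay as text
    return prefs

def audit_blocklist(prefs_js, user_js=""):
    """List blocklist overrides. prefs.js only stores values changed from the
    defaults, and user.js is applied on top of it at startup."""
    prefs = parse_prefs(prefs_js)
    prefs.update(parse_prefs(user_js))
    findings = []
    if prefs.get("extensions.blocklist.enabled") is False:
        findings.append("extensions.blocklist.enabled is false")
    if "extensions.blocklist.url" in prefs:
        url = prefs["extensions.blocklist.url"]
        findings.append("extensions.blocklist.url " +
                        ("emptied" if url == "" else "changed to " + url))
    return findings

def audit_profile_dir(profile_dir):
    """Audit one Firefox profile directory on disk (either file may be absent)."""
    def read(name):
        p = Path(profile_dir) / name
        return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else ""
    return audit_blocklist(read("prefs.js"), read("user.js"))

# Constructed sample: a profile after the three steps in the comment above.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("extensions.blocklist.enabled", false);
user_pref("extensions.blocklist.url", "");
'''

if __name__ == "__main__":
    for finding in audit_blocklist(SAMPLE_PREFS_JS):
        print("FINDING:", finding)
```

A profile with no findings has left both preferences at their defaults, since unchanged values are not written to `prefs.js`.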

  68. Re:Mozilla should not follow Microsoft- no phone h by jim_v2000 · · Score: 1

    Phoning home? It's a plugin blacklist that Firefox downloads. It's not sending any of your data to Mozilla.

    --
    Don't take life so seriously. No one makes it out alive.
  69. Re:Wait, its okay for Firefox to have a kill switc by fluffy99 · · Score: 1

    That technet blog says the vulnerability is in XBAP, which is part of the .NET framework (http://msdn.microsoft.com/en-us/library/aa970060.aspx) and not IE. The lines between some of the IE and .NET libraries are pretty blurred at times though, given the level of integration.

  70. ClickOnce add-on unblocked by Mike+Shaver · · Score: 1

    We just got confirmation from Microsoft this evening that the .NET Framework Assistant add-on (used to provide ClickOnce stuffs) was NOT a vector for this vulnerability, so we've removed it from the blocklist. The WPF plugin is still there, though we're working on a way to let sophisticated users and enterprises override the block if they know that they have applied the relevant IE patch to their system.

    o/~ the more you know o/~

  71. Re:Wait, its okay for Firefox to have a kill switc by fluffy99 · · Score: 1

    From http://www.xbap.org/blog/

    "What are the requirements for running a XBAP application? You will need to install the .Net 3 Framework runtime from Microsoft to run XBAP."

    The XBAP functionality is part of the net framework and not natively in IE. The Windows Presentation Foundation add-on to Firefox gives Firefox the ability to access XBAP.

    As I understand it, the MS09-054 patch fixes the IE vector and the actual vulnerability is part of MS09-061.

  72. Re:Wait, its okay for Firefox to have a kill switc by Mike+Shaver · · Score: 2, Informative

    Pretty sure it's XBAP's use of mshtml that's the problem for 09-054; 09-061 is a different vuln that is also exposed through some .NET widget.

  73. Re:The real reason why they want to hack user agen by starfire83 · · Score: 1

    Why would you prefer Java over, well, anything? I have not run into any well-programmed business-class Java program that doesn't either: crash, runs slow as hell, or will not run without a specific version of the Java runtimes installed. Anything is better than Java, imo. Don't get me started on some of the Avaya Java apps. Ugh the nightmares.

  74. MS didn't put any version on their plugin! by Anonymous Coward · · Score: 0

    MS didn't put any versioning information on their plug-in, so it's their own damn fault that the Firefox team had to disable it shotgun style! MS's fix was to an underlying OS facility on which the plugin depended -- Firefox had no way to see that update had occurred. Totally MS's screw-up.

  75. WTF? by Anonymous Coward · · Score: 0

    What the hell is everyone talking about?
    MS released a patch to the add-in to enable you to disable it in FireFox. So all this crap where people are saying "oh evil MS won't let us disable the add-on, hurrah Mozilla for blocking it" are talking arse.

    ClickOnce allows you to run a .NET app without having to run an installer on the machine and installs to a sandboxed area that has less permissions on the machine. In addition this will work even on machines that are locked down due to the sandboxing, thus it allows a massively richer application to be used than a website could ever provide.

  76. IE for an IE... by PensivePeter · · Score: 1

    ... I'd love Microsoft to respond and block the PITA updaters from Sun, Adobe and others that regularly screw up a perfectly working and secure configuration on Windows (Vista and 7), insisting on my attention despite being told where to get off and in any case requiring admin privileges to just go online and download even more bloatware.
    And then they whine because MSFT are making it more difficult. It's as if they're saying "please make your OS more flexible so that we can still run our badly designed software..."
    Oh wait, I forgot, that's a business model...

  77. Firefox is coincidentally unstable this morning by DanJ_UK · · Score: 1

    Ironically, my browser's crashed 5 or 6 times more than normal this morning after disabling that plugin; I'm sure it's completely unrelated though.

    <conspiracy>
    Or is it?
    </conspiracy>

    --
    - Dan
  78. MS has patched the root cause.... by heffrey · · Score: 1

    ....so when is Mozilla going to detect the presence of that patch and back off? If it doesn't it runs the risk of attracting criticism for freezing out a direct competitor.

  79. Update From Microsoft by lseltzer · · Score: 1
    1. Re:Update From Microsoft by lseltzer · · Score: 1

      Use this link instead of the one in the parent. I updated to indicate that Mozilla has unblocked.

  80. Just Updated by ITJC68 · · Score: 1

    This was funny. I was just reading this story and firefox gave me the prompt and had me restart. LOL. Nice.

  81. A cat fight.ooooew by hesaigo999ca · · Score: 1

    Nicely done FF, I just can't wait until M$ cries over this, stating now that FF isn't playing fair and discriminating against their apps.
    I love it when M$ drops the ball, and someone (with talent) picks it up and hands it back to them, slightly more polished than before.

  82. yes, thank you! by Anonymous Coward · · Score: 0

    We do appreciate all your hard work - THANK YOU!

  83. Batch file to remove the WPF plugin by mattb47 · · Score: 1

    I’ve coded a batch file to remove the Windows Presentation Foundation plugin (along with the accompanying Firefox .NET extension.)

    My batch previously just removed the extension, but then I found out about this cruft as well.

    This can then be easily added to a login script or such so you can remove it from multiple systems.

    You can grab it from my blog here:
    http://borchtech.blogspot.com/2009/10/updated-code-on-net-35-network.html

    I hope this is useful to others...

  84. The back and forth not helping by Anonymous Coward · · Score: 0

    This back-and-forth between Microsoft and Firefox is NOT helping debug Firefox on Vista. Example:
      http://annoyances-resolved.blogspot.com/2009/10/firefox-vista-close-button-blinking.html