Slashdot Mirror
Firefox Disables Microsoft .NET Addon
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?
You have JavaScript disabled or are using a browser without JavaScript. This Plugin Check page does not work without the awesome power of JavaScript. Please enable this Content Preference and reload the page. Or disable all your plugins and keep JavaScript disabled... you'd be in good company, that's how RMS rolls.
I might be mistaken but don't these add-ons/plugins from Microsoft specifically allow certain web pages to render properly under Firefox which otherwise would have required users to run IE? If so Microsoft centric IT Enterprise users who have started using Firefox at work might revert back to IE. This might reduce the gains that Firefox has been achieving in Microsoft centric IT Enterprise shops.
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
Chrome Frame.
Blocklist banned both of plugins without any version limits. Even if MS release updated plugin versions, plugins will remain blocked. I suspect that MS will create new plugs and try to sneak them back to Firefox with .NET "security" updates.
I think Mozilla team even considers removing features abused by MS plugs.
That issue is nothing (they asked for it in fact).
The issue which should make to books about the tech irony is Virtual PC for Mac 7.x (if anyone uses, UPDATE!). MS found a theorotical (not sure) issue which Virtual PC's emulated X86/Hypervisor can MODIFY the OS X memory from "there".
While they were decent to fix it very quickly and shipped an update (7.0.3) confusing Mac users, that is one big amazing issue for you. Imagine by running (emulating in fact) a Windows, you risk your OS X memory locations with overwrite.
Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).
Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.
I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..
Anyone else an explanation why that plugin avoided legal consequences?
Insert
After last Patch Tuesday (yes, this is a confession I do have some Windows boxes), Firefox on my systems developed an issue with pages displaying in sort of a text-only mode when using the Refresh button(1). Page load times were also longer than usual. Those issues disappeared immediately once Mozilla's block of the .NET addon & the WPF plugin arrived.
This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.
After all the vulnerability has been known to Microsoft for severeal motbhs, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.
(1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.
Yandelvayasna grldenwi stravenka
That statement is consistent with what I heard from Microsoft, though their post has been updated since that conversation. And MSFT has seen that text; if it's not correct, I'm sure I'll hear it from them, and will be happy to correct it. (I wrote the text pretty quickly, since it was late on Friday night and we were getting inbound already from the blocklist addition.) But that's really ancillary to the issue, which is that Firefox users are vulnerable to a problem that we learned about this week, which is labelled as an IE problem/patch. Microsoft and Mozilla agreed that we should block the plugin and add-on to mitigate the risk while we made sure that FF users were going to install that IE patch. This isn't an us-vs-them thing, but I don't know who you're talking to at Microsoft who is saying different things.
I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.
Vulnerability to malware is very profitable for Microsoft and its main customers, computer manufacturers. When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has security risks. See the New York Times article Corrupted PC's Find New Home in the Dumpster.
Vulnerability is a business model for Microsoft, in my opinion and that of many people.
But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.
But, as they say in late-night informercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.
Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.
So, maybe just being evil is another part of Microsoft's business model.
Hey I agree with it not being installed by default, but I can't install it at all.
Mike,
Hi.
I have over 100+ boxes at work that depend on this plugin. When I get into work tomorrow, if they're not working (they run FF), then I'm not going to have much choice but to switch back to IE, am I?
I frankly did not know you guys had this ability to unilaterally disable things I depend on. That is a bit disturbing. It's going to unexpectedly cost me HOURS tomorrow.
Can you at least switch the block to only block unpatched versions? I'd agree with that.
Wouldn't a better option be to allow automated/no-registration bug reports on a different bug tracker? Have a bug wrangler or two push the useful information on to the real tracker, and aggressively delete the crap.
Though it has been exhaustively stated already, it bears repeating...so I'll repeat it: the .NET plugin or extension (whatever it is) does not allow users to disable or uninstall it via normal interfaces. Basically, without Mozilla's patch, you have to do some file system & registry spelunking to close this breach; like someone mentioned, that's not something the average user is going to look forward to, and for many is far beyond their scope of capabilities. To my knowledge, no other plugin or extension exhibits this bad behavior, nor are they foisted on the user via sleight-of-hand as a "security update." Furthermore, to those who balk that Mozilla can't differentiate between unpatched and patched versions, once again, this plugin came from MS. If it's their plugin for their .NET framework, that is exclusive to their OS, wouldn't that sort of make it their responsibility to have it include version info, or some way to check, via the filesystem or registry details, the .NET file version numbers/installed ver info and report it back to firefox? Hell, wouldn't it be on them to ask the user if they want to install it, along with making it fully removable in the first place? How, precisely, should Mozilla, an entirely separate org who I don't imagine ever anticipated having such a wonky problem be created for their browser's extensions, handle this, if not via the patch they released? Why is everyone defending Bill & Steve?
I think this was a real fumble for MS, and Mozilla took steps to prevent critical problems--don't know about the best steps, but at least they were quick to action. Imagine if this had not been done, and exploits for the problem started popping up like wildfire, or widespread browser/OS crashes became common; how many users would firefox lose, due to a problem entirely of someone else's making? Let's not get confused over who's the bad guy. MS has the most to gain from any perceived flaws in a competing product, and their track record isn't exactly one that shows overwhelming care and concern for the end user. Even if not malicious, and chances are it's not, it still is another mark of incompetence on the overall company that they're releasing flawed software and forgetting courtesies like asking the user if they actually want the changes, not to mention not allowing them to revert it without 'popping the hood'.
Odi profanum vulgus et arceo
Forget about the names involved and examine the situation more closely. A company took it upon itself to introduce an unknown security risk into a competitor's product by way of a stealth install. Said company further complicated the matter by making it next to impossible for average users to uninstall - provided they even became aware of the issue - and compounded it even further by having subsequent updates reinstall the software by stealth again.
I think that given this situation Mozilla did the right thing. Until Microsoft learns to work above board where Firefox plugins are concerned, Mozilla can and should disable them. It would be nice in the future if Mozilla offered users the option - and I think they will - to retain use of a plugin after being told it poses a security risk, but the only action I see in need of correction at the moment is for Microsoft to ask users explicitly for permission to install an add-on to non-Microsoft software on a system.
Power does not corrupt - power attracts the corrupt.
I agree with your points, that is what I was getting at with the question. Microsoft is really pushing it a little to far when it comes to placing .new code in a third party application. The problem is that with most microsoft code there are going to be bugs throughout it, this is even more so when dealing with a third party application like firefox. I think they should stick to their os and leave the rest to others because they end up causing more issues than they solve.
The real question is: what took them so long?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
> In what universe is it acceptable for vendor A to modify vendor B's software on User C's
> (i.e. my) computer?
This one. Various antivirus software hooks into Firefox and modifies its behavior (in Kaspersky's case by activating normally inactive codepaths that make DOM manipulation 100x slower or so in many case). Various software (Adobe, etc) drop binary plug-ins into both IE and Firefox (and anything else they can). Various software of dubious provenance throws various dlls into the Firefox process that do ... something. Mostly crash a lot, given the lists of dlls and the crash correlations to those in the mozilla crash database....
I agree that this behavior sucks, but it seems to be the norm, at least on Windows.