Slashdot Mirror
Firefox Disables Microsoft .NET Addon
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?
I just checked my addons and whilst I don't have the Microsoft addon, I do have an AVG one which is disabled. Clicking on the more information link (https://en-gb.www.mozilla.com/en-GB/blocklist/) presents me with a page that says:
Whilst it is nice to see they've done it, it's a shame that they didn't test the end to end user flow.
Avantslash - View Slashdot cleanly on your mobile phone.
You have JavaScript disabled or are using a browser without JavaScript. This Plugin Check page does not work without the awesome power of JavaScript. Please enable this Content Preference and reload the page. Or disable all your plugins and keep JavaScript disabled... you'd be in good company, that's how RMS rolls.
Because Microsoft is not only creating or competing with Internet Explorer. The addon adds .NET version in to useragent so websites can see if it's installed.
I might be mistaken but don't these add-ons/plugins from Microsoft specifically allow certain web pages to render properly under Firefox which otherwise would have required users to run IE? If so Microsoft centric IT Enterprise users who have started using Firefox at work might revert back to IE. This might reduce the gains that Firefox has been achieving in Microsoft centric IT Enterprise shops.
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
Chrome Frame.
Microsoft has deservedly taken a LOT of sh*t for forcing this addon into Firefox unannounced - AND preventing you from disabling or uninstalling it - unless you yank it out of the registry. It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"
From the TFA, it is clear that Microsoft approves of this particular move. I quote
It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.
I mean, this damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everbody wants to read the MS KnowledgeBase article and implement it themselves. At least, not my mom.
Quidquid latine dictum sit, altum videtur
While some slashdotters think otherwise, Java/Windows install base is huge thanks to couple of very popular apps and tiny games. Since companies these days looks for multi platform, multi arch; MS needed to show that their herd has been installed/infected by .NET too.
So, they haxor the user agent to show that clueless CTO that their 90% of users have .NET so they should use it instead of massively multi platform Java.
Anyway, as you see, karma is a real bitch and if Sun had a real management, they could milk this issue but... Lucky for MS, Sun is under auto pilot, even under Larry Ellison's Oracle.
Blocklist banned both of plugins without any version limits. Even if MS release updated plugin versions, plugins will remain blocked. I suspect that MS will create new plugs and try to sneak them back to Firefox with .NET "security" updates.
I think Mozilla team even considers removing features abused by MS plugs.
Actually, it was patched on Tuesday.
That issue is nothing (they asked for it in fact).
The issue which should make to books about the tech irony is Virtual PC for Mac 7.x (if anyone uses, UPDATE!). MS found a theorotical (not sure) issue which Virtual PC's emulated X86/Hypervisor can MODIFY the OS X memory from "there".
While they were decent to fix it very quickly and shipped an update (7.0.3) confusing Mac users, that is one big amazing issue for you. Imagine by running (emulating in fact) a Windows, you risk your OS X memory locations with overwrite.
Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).
Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.
I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..
Anyone else an explanation why that plugin avoided legal consequences?
Insert
Last night I was browsing through the headlines on Slashdot's front page. At one point I came across the headline "Sneaky Microsoft Add-On Put Firefox Users At Risk" (story here). While I was reading the text underneath that headline, Firefox's prompt (indicating that it had detected the relevant plugin) popped up. It was so startling that I started wondering whether the browser was reading my mind! Weird stuff.
For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions
Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'
Sigs. We don't need no steenking sigs.
Ya, it was funny. I was actually reading about how they were dangerous to have while i was prompted by Firefox to remove them.
Troll is not a replacement for I disagree.
FYI, it doesn't help at all !!!
I have Microsoft disabled (I run Gentoo Linux), and my Firefox failed miserably to disable the .Net plug-in. I spent a day clicking on the menus and recompiling updates, and I still don't get the pop-up :(
On the bright side, my system now runs 1.27% faster compared to yesterday. It feels like 10% faster, really.
A friend had a problem with a CD burner app (Nero I think?) and asked me to take a look at it (they weren't too tech savvy). So I took a look and Googled the error and found that it was a problem with a registry key that would screw randomly. The fix was to delete it and if the error came back the fix was to change it to a specific value (which would cause nagging warnings but not make the program fail outright, so deleting it first was the better solution). So when I had fixed it I told him offhandedly, not expecting him to understand, that it was a problem with the registry and if it happens again to give me a call. So a week later he calls and says it had the same problem but I didn't need to come round because he had found a registry cleaner, for cheap, only $39.95... I never mention the word "registry" to non-tech people now.
Microsoft has ALREADY released a fix, so mozilla's blocking it doesn't force them to do anything. Also, mozilla asked microsoft if blocking it would be a good idea, microsoft said _yes_, and mozilla blocked it. All this I learned from looking at the links in the summary. Hmm, actually RTFA has some advantages.
MS09-054 is labelled as an Internet Explorer update, so it's not obvious that Firefox users need to apply it. We're working with Microsoft on getting that fixed. Microsoft did definitely agree to it; I'm the one they told, on the telephone, before I requested the block be pushed out. I don't know why you think I was lying -- I didn't "imply" it, I flat out said that they agreed, which is the case. Do I have a history of lying about such things?
So, when do we expect a microsoft update to change te blocklist? Or will they simply rename their plugin+give it a new extension id?
.sig: No such file or directory
Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."
Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.
That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...
-- If you try to fail and succeed, which have you done? - Uli's moose
The Firefox plugin itself was not the insecure part, it was items within the OS. Because of this, when Microsoft patched the vulnerability they didn't have to patch the plugin. So unless Microsoft re-releases the plugin with a higher version number there's no way for Firefox to do a version check to only allow patched systems to allow the plugin again. This is not an issue for me, but in the thread there are multiple people who are IT guys who claim their corporations rely on the plugin and their mission critical items won't work without it. There's a workaround via disabling the blocklistings via about:config but that's not a very graceful fix.
IMO this whole deal was handled very sloppily and I feel that this is all just petty bickering between Mozilla and Microsoft. Mozilla saw an opportunity to stick it to Microsoft and they took it. I don't want, or need, any part of this. It's easy enough to switch to Opera.
Even so, why do you block patched systems?
I like to play games through http://2dfighter.com/default.aspx and this extension let me do so through firefox, now I can't reactivate it at all, and I can't install a new version because it's been removed from the website. Thanks Mozilla, now I have to go back to IE to use 2df.
After last Patch Tuesday (yes, this is a confession I do have some Windows boxes), Firefox on my systems developed an issue with pages displaying in sort of a text-only mode when using the Refresh button(1). Page load times were also longer than usual. Those issues disappeared immediately once Mozilla's block of the .NET addon & the WPF plugin arrived.
This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.
After all the vulnerability has been known to Microsoft for severeal motbhs, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.
(1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.
Yandelvayasna grldenwi stravenka
Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
Wheres the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automaticall?
It's proprietary and full of ads! Just what I wanted, an extension that checks for updates of my Adobe Reader software. Uninstalled. The Firefox team should send a message. Firefox add-ons are not yours to take over like the Windows startup.
Can someone please fix the SSL problem associated with https://en-gb.www.mozilla.com/en-GB/blocklist/ kthx
the damn thing because of the manner in which it installed. It's a registry entry, whicm means that unless Firefox/Mozilla pulls it from the registry itself, I doubt it is actually disabled beacuse it's not a plug-in/add-on.
Call me paranoid but since the plug-in/add-on is not installed into the proper firefox extensions/plug-in folder, I can't see how Firefox can control the behaviour of the damn thing so take the assured disabling route of deleing all of the registry keys for the damn thing under the Mozilla/Firefox entries. Did that and the add-on was gone right away without restarting firefox and that sugests to me that it can't be disabled by Firefox/Mozilla using the traditional methods.
Mod me up/Mod me down: I wont frown as I've no crown
That statement is consistent with what I heard from Microsoft, though their post has been updated since that conversation. And MSFT has seen that text; if it's not correct, I'm sure I'll hear it from them, and will be happy to correct it. (I wrote the text pretty quickly, since it was late on Friday night and we were getting inbound already from the blocklist addition.) But that's really ancillary to the issue, which is that Firefox users are vulnerable to a problem that we learned about this week, which is labelled as an IE problem/patch. Microsoft and Mozilla agreed that we should block the plugin and add-on to mitigate the risk while we made sure that FF users were going to install that IE patch. This isn't an us-vs-them thing, but I don't know who you're talking to at Microsoft who is saying different things.
So your argument against people switching away from MS, is that people use MS??
That's the classical excuse of to beta human: I can't do it, because nobody does it.
And why does "nobody" do it? Because everybody uses that "argument" to not do it!
The best thing is, that it isn't even remotely true that nobody does it. You're reading a comment from someone doing it right now. But it's so convenient to ignore it that, isn't it?
Maybe that's the difference between alphas and betas. Alphas have no problem being the first in the club, to start dancing. No they even grab a girl and make a show out of it! ^^ (Because they know that that makes them the leader. Something that is very handy and feels great. Killing any insecurity-based awkwardness.)
So if one person can do it, then two can too. Including handling MS file formats. Including the ability to be in a MS (SMB) network. And so on.
So if two can do it, everybody can.
Which means nobody needs to use MS software. But they want it! Why? Because it's less effort. One can be lazy. And the excuses "always work", to lie even to oneself, about wanting to switch.
"Oh, if only others would use it! Then I would too! But in this situation? No way!" Except that you wouldn't. Or if you would, then I wonder what a pathetic kind of cattle you are, for always trying to conform, even if it's not what you like.
Hell, I'd even prefer to hear that you actually prefer Windows, and that this is mostly because you don't like all the work required to switch. That would at least be honest. And while not agreeing with the view, I could absolutely comprehend and accept it.
Do yourself a favor, stop imitating others just to be "accepted", stop caring what others think of you, build your own set of values, be you, do what you like, and strongly stand behind your reality. That is a basic human right of everybody. And we will not hate you for it. No, we will love you for it. (Isn't it strange, how doing the opposite of what you did, will give you what you always wanted? ^^)
P.S.: If anywhere you found that my assumptions are wrong, *of course* you can tell me how wrong I am. But only if. ^^ (And moderation is no replacement.)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Maybe your system can't work with it, but they do publish the file version information for this update.
Somewhat tangential to the subject: your plug-in check page showed a lot of my plugins as not reporting version information.
Is there a standard interface for this that many plugins are ignoring, or do you have to fish out version information from files?
And what's even worse: It only has a 'check certificate' and and 'abort' button. There's no way to get to the webpage.
If the site didn't have a cert at all, firefox would happily display it, but with an invalid cert you don't even get an option to do that.
I haven't talked to anyone at Microsoft. I'm just reading what they're putting out publicly.
Yes, sorry, I should have said that we can't distinguish it without custom code pushed through a patch, because it doesn't affect any files that we load or touch.
I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.
my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
You did the right thing. Please ignore silly comments from the peanut gallery.
All diplomacy aside, I appreciate any efforts to lock down the walls against invasive bullshit I was tricked into installing and had to crawl through my registry with a flashlight and hip waders in order to kill. Further, anybody who doesn't have a problem with Microsoft tampering with third party software they have no business touching is probably not the sort of person whose complaints are worth clogging up your conscience with.
Cheers!
-FL
In what universe is it acceptable for vendor A to modify vendor B's software on User C's (i.e. my) computer? To modify it at all, let alone with security-impacting ramifications?
Earth to Microsoft: drive-by downloads are among the worst of vulnerabilities. They must be avoided at all costs. And the way to avoid them is not to be more careful when writing and installing unnecessary little browser plug-ins. The way to avoid them is not to install unnecessary little browser plug-ins in the first place. (And if you simply must install unnecessary little browser plug-ins, do it with your own grotty browser, not the non-Microsoft one I installed specifically to avoid all the security concerns of yours.)
Sheesh.
As Mr. Morden said to Londo Mollari when Londo asked why not just destroy the Narn homeworld ... "one thing at a time, Ambassador, one thing at a time".
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
It feels like 10% faster, really.
Dear fellow Gentoo User, this is just your headache from watching programs compile. Take your medicine now.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Vulnerability to malware is very profitable for Microsoft and its main customers, computer manufacturers. When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has security risks. See the New York Times article Corrupted PC's Find New Home in the Dumpster.
Vulnerability is a business model for Microsoft, in my opinion and that of many people.
But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.
But, as they say in late-night informercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.
Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.
So, maybe just being evil is another part of Microsoft's business model.
my system now runs 1.27% faster compared to yesterday. It feels like 10% faster, really
Ahhh you must have complied using something other than 386! Congrads on useing "make menuconfig"!!!
Now if I could only learn how to get that damn make-kpkg to work right in Debian so the modules get included in the .dep file... What is a .dep file anyhow? is it just some tar file? I really wanna make a complete custom kernel package that I can move to my other system.... sigh
"Documentation" vs "developers, developers, developers!"
While I was angry at Microsofts silent installation of this component in Firefox and there is part of me that is ready to cheer on Mozilla for disabling it, I also feel disappointed by the reaction to this.
Not only are they vulnerable versions of Microsoft's add-on disabled, but also all versions indiscriminately, including the patched version that Microsoft rolled out last this Tuesday. Just as some people may have been impacted by Microsoft's original silent installation, how does Mozilla know whether an end user actually uses sites that depend on that add-on or not?
Imagine what would have happened if Mozilla remotely disabled everyone's Flash plug-in each time a new vulnerability was discovered in it? There have been 0-day exploits in the wild for Flash and just think about it's install base. Or the Adobe Reader plug-in? Lord knows it's a more deserving candidate given its history.
In this case there may be some justification in that the unrequested component might pose yet unknown risks, but now I have to wonder what Microsoft's strategy will be during their next update cycle - to re-enable it given that they've fixed the hole in question? Did Mozilla just give Microsoft precedent that would support it disabling Chrome Frame in future?
As a customer of both parties I feel that I've been dragged into someone else's war, which is being waged with my computer as the battle field.
I might feel more sorry for you if I had a Windows machine I could install the addon on. Why wasn't the page written in Silverlight or something? :-3
Once you start despising the jerks, you become one.
Is there any software which actually uses these .NET Helper and Windows Presentation Foundation plugins? Do these expose an API to let javascript code interact with the .NET framework or something? Do they let people write Firefox extensions in a .NET language? Do they let specially crafted Microsoft websites run .NET code in Firefox?
If users have nothing to gain from these plugins, then there is no reason they should exist.
I do not like Firefox "phoning home" anymore than I like Microsoft "phoning home". I do not care if it's open source or not. I am here to tell Mozilla to STOP phoning home. I don't care what it's for or however good the intentions are... This combined with the apparent complete lack of concern for bugs and stability of Firefox 3.5.x and the apparent desire to just keep pumping out more versions and features, instead of actually releasing a quality version, is making me definitely consider alternatives. It appears that as the Mozilla organization grows in size, it's becoming similar to Microsoft.. This can't be a good thing. And the cut-n-paste has been broken since v3.0 - are they ever going to fix it? - Or just keep putting out newer versions that the more newer it is, the more it crashes.
As I said elsewhere, a lot of plugins seem not to report their version information. Why don't you disable them too?
According to your plugin checker the following plugins on my system don't report version information:
Java(TM) Platform SE 6 U13 Java(TM) Platform SE binary
Microsoft Office Live Plug-in for Firefox Office Live Update v1.4
Java Deployment Toolkit 6.0.150.3 NPRuntime Script Plug-in Library for Java(TM) Deploy
ActiveTouch General Plugin Container ActiveTouch General Plugin Container Version 104
Adobe Acrobat Adobe PDF Plug-In For Firefox and Netscape
Microsoft® Windows Media Player Firefox Plugin np-mswmp
Google Update Google Update
iTunes Application Detector iTunes Detector Plug-in
See this screen shot.
Many of these have had vulnerabilities in the past.
Mike,
Hi.
I have over 100+ boxes at work that depend on this plugin. When I get into work tomorrow, if they're not working (they run FF), then I'm not going to have much choice but to switch back to IE, am I?
I frankly did not know you guys had this ability to unilaterally disable things I depend on. That is a bit disturbing. It's going to unexpectedly cost me HOURS tomorrow.
Can you at least switch the block to only block unpatched versions? I'd agree with that.
Mike, I haven't seen anyone else say this, so allow me. As a grateful firefox user and evangelist, thanks for your efforts, contributions, and patience in putting up with all of us. Please pass this thanks on to your co-team members.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
> Now if I could only learn how to get that damn make-kpkg to work right in .dep file... What is a .dep file
> Debian so the modules get included in the
> anyhow?
".dep"? Never heard of it. Nothing to do with Debian, certainly.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
This is OT, but:
.deb file, use the --initrd parameter as well as a script, such as
/usr/share/doc/kernel-package/examples/etc/kernel/postrm.d/initramfs
/usr/share/doc/kernel-package/examples/etc/kernel/postinst.d/initramfs
...as is mentioned in /usr/share/doc/kernel-package/README.gz
man depmod
depmod - program to generate modules.dep and map files
If you mean you want the modules in the
...is that I didn't even *know* I had this add-on installed until I saw a small pop-up advising me it had been disabled. This was on my iBook, BTW. I know that I never installed it myself (I have no use for .NET, especially on a Mac), but I cannot figure out how it was installed.
Worse yet: I can't even remove it, because the uninstall button has been disabled. Note to the Mozilla folks: Don't disable something and then prevent users from making it disappear.
"On the bright side, my system now runs 1.27% faster compared to yesterday."
Which means that time you spent recompiling everything should pay for itself after about 90 more days of straight Firefox usage.
He who lights his taper at mine, receives light without darkening me.
People, please let this idea die VERY quickly. Chrome is NOT there to get an install base for Chrome. It is there to get an install base for modern browsers with fast javascript/DOM.
Googles operates in the browser and in order to be able to get the next generation products out there, it needs to ensure that those products can be run. IE/MS ain't capable of this, so they both push MS by making them scared to completly loose the browser AND by capabilities to IE to make it play catch up with the real browsers.
In a way, what Google is doing is installing electricity cabling into every house. NOT because it wants to be in the utility business but because it has all these design for electric machines and they ain't going to be selling them to people who use candles and woodstoves.
MS on the other hand does NOT want people to have modern browsers, or rather not browsers that act like browsers. Its business relies on activex and .net and the like to keep apps closely tied to their windows OS.
MS fears projects like gmail and worse wave. It knows that its software is increasingly a major cost of computers (check it, hardware prices go down, MS prices go up) and while so far its software offers a lot more features, the sign of netbooks is that, a lot of them ain't needed. I got a netbook (with linux) that is not nearly as capable as a full PC. I can't game on it, its office tools are simplistic but guess what, it is all I really need.
MS has been selling XP, a lot, for netbooks but it has been doing it at a fraction of the price it would like to charge and really, it only sold XP so cheaply because else Linux would have been installed. You would be right in assuming a LOT of people would replace Linux with an OLD XP copy (license of an old PC you threw away is still valid) but MS doesn't even want the idea that there maybe yet another OS out there. An OS that while not perfect is good enough. People are already getting dangerously exposed to this idea by their cellphones. Quick poll, who has Windows Mobile and is willing to admit it? Everyone knows that an iPhone gets you the girls, this even goes for girls.
MS ideally wants to sell you their OS for 300+ dollars, that doesn't fit well for a 300- netbook or indeed a mobile phone, but that is MS business model, and ideally, you should spend another 300 for the office suit. (please, MS fanboys, do NOT link to student discounts or OEM versions. Full price for the box in the MS store.)
Google is doing something completly different. It is saying. Nah, you don't need a 300 dollar OS with a 300 dollar productivity suite. Just a browser (free) on free/cheap OS and you got all you really need. For free. Sure, there are some angles (your data is on the google servers) but for a lot of people, it is good enough.
AND that, is what scares MS. Because... even if people would still use windows, the window sthey would be using is their old XP. This is already the case in a many companies. And without the cashcows of Windows/Office, how can MS afford all its other attempts to control markets?
The browser wars are back, but they are being fought for a different reason. Chrome is NOT netscape 2.0
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
My assumption is that none of these plugins are slipped into Firefox by an update to an unrelated software without informing the user or requiring their action beforehand, so users do not even know they might be vulnerable (though I cannot recall whether I was prompted to install the Google Update plugin), and that none of these plugins prevent the user from removing or disabling them from within Firefox.
Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
Thanks Microsoft for not pushing Silverlight plugin to every Windows box and enabling it on both Firefox and Internet Explorer.
Thanks YOU for creating Operating Systems not controlled by Microsoft (such as Linux).
Even presuming you tell the truth, did they really agree that Mozilla should "patch" by removing both vulnerable and patched versions, deny the user an option to choose not to block, and prevent him from (re)installing a non-vulnerable version?
Or did you add all these steps yourself, after being told it's to remove the vulnerable plugins (implicitly with the end user's consent).
Sorry, no, I do not trust you. You haven't given me a reason to. Just because you're the enemy of my enemy doesn't make you my friend. And that you continue to maintain the social illusion of this having absolutely nothing to do with making a small jab at Microsoft gives me a small incentive not to trust you.
FIX THE STUPID FUCKING MODERATION INTERFACE!
Filter error: Don't use so many caps. It's like YELLING.
Filter error: Don't use so many caps. It's like YELLING.
Filter error: Don't use so many caps. It's like YELLING.
I AM!
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
Not really if you look at where the real competition is occurring.
The REAL product that Microsoft is trying to protect is the Windows platform. This is how Microsoft maintains their monopoly. IE is merely a means to try to control the web market to use Windows only across the board. The windows platform maintains much of its monopoly power by controlling the software to run on only Windows. Microsoft has long known that 3rd party developers were a big factor in building their monopoly, and keeping them on Windows maintains that monopoly.
This plugin lets you run parts of .Net on Firefox, correct? .Net is largely Windows only software, correct? So by having Firefox (an increasingly popular web browser on Windows) run .Net software, Microsoft is trying to maintain .Net on web browsers as a viable platform. By doing this they try to ensure that you'll need a Windows computer to run .Net software on a browser. The alternative is that Web developers increasingly reject .Net components because of the increasing popularity of FireFox (and .Net not running on FireFox, thus developers don't want to lose the market share and choose non .Net alternatives). That's bad for Microsoft, since it means more inter-operability with other OS's, which would decrease the relevance of Windows.
Pretty clever, really. Frankly I think the Firefox developers should stop this nonsense not only because of the security concerns, but mainly because it's an attempt to control Firefox by Microsoft. Does Mozilla really want to answer to whatever Microsoft decides to inject into Firefox this week?
I also think it's a anti-competitive move by Microsoft and an abuse of their monopoly power. I doubt anyone will do anything about it though.
AccountKiller
Moments after Firefox on my Windows PC complained about the .Net extension (which I do NOT remember installing), I got a system notification telling me about an important Microsoft security fix that included .Net.
So I accepted the update. And it failed.
The ineptitude is just mid-boggling.
At this point, iTunes and a couple of games are the only reasons Windows is still installed at my house. I would much rather ditch Windows entirely for Ubuntu. I know Apple doesn't want to enable Linux as a rising competitor, but a portable iTunes would be a big stake in the heart of the beast.
Mozillawnd! w00t!
I know I didn't intentionally install most of these, and the Acrobat and Windows Media Player ones are, I believe, the only ones I specifically installed or agreed to.
Recent versions of the Windows Presentation Foundation plug-in have enable/disable, so that can't be the reason for it.
I stand by my subject line: Mozilla is being inconsistent here.
Maybe they don't pose as grave a vulnerability as the .NET one.
Odi profanum vulgus et arceo
And you think Windows is user proof? They can't even use the web browser without getting infected with god knows what.
Running a 10 day old install of 7 RC x64, but I seem to recall removing this from my other Win/Ubuntu machines back in June. After hearing the new cacophony a few days ago, I found and disabled the plug-in to see if I would be missing anything before I uninstalled it completely(7RC did have disable & remove buttons). Caturday morning I started up FF(3.5.3) to a prompt to restart FF to disable the add-on I had already disabled. Before restarting, I noticed the Disable button was greyed out, and the enable & uninstall buttons were gone. Same after restart. So, my add-on is now "doubly" disabled and I have to edit the reg to remove now? Glad to see the pro-action, but this has the pomp & reek of a marketing campaign for the new add-on checker.
Meh, FF jumped the shark already, IMO. I use it(and IE) because it is what the customers use and it has AB+ & NoScript. Guess it's time to use Opera FT while looking for the next pre-bloated-from-success browser that plays nice w/ JRE, JS & Flash. sigh....
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
Though it has been exhaustively stated already, it bears repeating...so I'll repeat it: the .NET plugin or extension (whatever it is) does not allow users to disable or uninstall it via normal interfaces. Basically, without Mozilla's patch, you have to do some file system & registry spelunking to close this breach; like someone mentioned, that's not something the average user is going to look forward to, and for many is far beyond their scope of capabilities. To my knowledge, no other plugin or extension exhibits this bad behavior, nor are they foisted on the user via sleight-of-hand as a "security update." Furthermore, to those who balk that Mozilla can't differentiate between unpatched and patched versions, once again, this plugin came from MS. If it's their plugin for their .NET framework, that is exclusive to their OS, wouldn't that sort of make it their responsibility to have it include version info, or some way to check, via the filesystem or registry details, the .NET file version numbers/installed ver info and report it back to firefox? Hell, wouldn't it be on them to ask the user if they want to install it, along with making it fully removable in the first place? How, precisely, should Mozilla, an entirely separate org who I don't imagine ever anticipated having such a wonky problem be created for their browser's extensions, handle this, if not via the patch they released? Why is everyone defending Bill & Steve?
I think this was a real fumble for MS, and Mozilla took steps to prevent critical problems--don't know about the best steps, but at least they were quick to action. Imagine if this had not been done, and exploits for the problem started popping up like wildfire, or widespread browser/OS crashes became common; how many users would firefox lose, due to a problem entirely of someone else's making? Let's not get confused over who's the bad guy. MS has the most to gain from any perceived flaws in a competing product, and their track record isn't exactly one that shows overwhelming care and concern for the end user. Even if not malicious, and chances are it's not, it still is another mark of incompetence on the overall company that they're releasing flawed software and forgetting courtesies like asking the user if they actually want the changes, not to mention not allowing them to revert it without 'popping the hood'.
Odi profanum vulgus et arceo
later in the day I have asked Microsoft for their explanation of all this. No answers yet. Probably none till tomorrow.
There've been a few anonymous reports from Redmond, WA that people have been seeing chairs randomly flying through office windows at MS Headquarters.
I updated Firefox, it said "you better update Flash", and so I went to update Flash and Adobe tried to insert a new plugin into my browser!
This seems like a poor bargain to me. Firefox pushes us to the Adobe site so we can update our buggy Adobe add on to be less insecure and Adobe takes the opportunity to put another add on in, which probably has its own bugs.
Anyway, I clicked no to that offer to install Adobe DLM, and somehow managed to install the new Flash anyway.
http://lkml.org/lkml/2005/8/20/95
I agree with your points, that is what I was getting at with the question. Microsoft is really pushing it a little to far when it comes to placing .new code in a third party application. The problem is that with most microsoft code there are going to be bugs throughout it, this is even more so when dealing with a third party application like firefox. I think they should stick to their os and leave the rest to others because they end up causing more issues than they solve.
Thanks for the info. Yeah it's offtopic but I've been scewing with it all morning...
grads,
Luke
Microsoft has issued a download that will remove the .NET-related addon politely.
http://www.microsoft.com/downloads/details.aspx?FamilyID=cecc62dc-96a7-4657-af91-6383ba034eab&displaylang=en
It didn't even ask for a reboot (not sure how that works, if it has to alter the registry) and Firefox seems to be happy now.
Given all the past fuss about Amazon, Apple, and Microsoft to have the ability to remotely disable features, software or addons it's suddenly not an issue that Firefox has the capability of pushing changes? While I think the Firefox devs gave some serious thought before throwing this switch, I don't think this is a no-brainer. What about environments where they need the .net add-on? Are they forced to go back to using IE? Do you see Microsoft disabling the old versions of Firefox or Adobe Flash?
If you want to read a mix of retarded, informative, and stupid comments have a look at the bug report https://bugzilla.mozilla.org/show_bug.cgi?id=522777. For example - "Firefox shouldn't have to rely on IE patches for security" - this is not related to IE. It also seems to be political as they have no interest in determining if they have the .net update that negates the vulnerability (the vulnerability is not in the firefox add-on, its in .net which becomes accessible from within Firefox if the addon is enabled).
So your argument against people switching away from MS, is that people use MS?? That's the classical excuse of to beta human: I can't do it, because nobody does it. And why does "nobody" do it? Because everybody uses that "argument" to not do it!
Exactly. Why do most countries still speak languages other than English? Their argument always is "because everyone else around here speaks xyz".
If your argument made any sense, it would be in favor of keeping multiple OS platforms and multiplatform tools.
There is no war. We decided together that this was the right step to take right now to protect our mutual users, based on our understanding of the problem and outcomes.
Mike, any user NOT installing the IE updates on Windows is an idiot, because the COM components of IE are used in many applications. Thus not patching IE even if they haven't opened it in ages is the stupidest thing they could ever do (followed by not updating Flash Player) for the security of their system. So saying that people won't install the patch because it has the letters IE in the name is bull. The patch is listed as a CRITICAL update, not recommended but CRITICAL. On the other hand should MS introduce an optional update to install an updated version of the plug-ins? I'm thinking so...
To those who are going to make the inevitable comments about the use of the COM IE components supporting MS browser monopoly: your right, but there is no guaranteed alternative, and I have yet to see a COM interface for FF, or Chrome.
Any and all content posted above may be ignored, considered irrelevant, or otherwise dismissed.
I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.
(Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)
I keep hearing this, but I have yet to see closed source software that comes with a warranty.
We have interest in determining if the Firefox user in question has applied the IE patch in question, but we do not have the means.
It is related to IE, because the patch in question is explicitly labelled as affecting Internet Explorer, and makes no mention of the fact that it can impact Firefox users who have not gone out of their way to disable part of .NET Framework 3.5 SP1. (That's one of the things we're working on getting fixed, as it happens.)
A car analogy: If Ford could decide to add a part to your car next time you took it to be serviced, without asking or telling you what it did, and they had a history of shitty engineering, would you really want to have to take your car back in a week because the unauthorized add-on was found to cause the vehicle to burst into flames, or the doors not to be able to latch shut?
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Coulda swore Windows was so popular because it shipped on just about everything computer-related back in the day, and still does to this day for desktop & laptops, and those popular apps found homes because of its wide spread distribution. Most commercial app writers write to Windows because it's out there. If Linux were to have the same market penetration, the commercial app writers would be writing to Linux with ports to OS-X.
Understanding the scope of the problem is the first step on the path to true panic.
No, they want it because it's bundled with the computer. Except for geeks like (most?) of us, bare OS-less computers turn into paperweights. One of my old customers remarked way back in the day, "We pay people like you to handle the computer details, we're busy making MONEY." And other than geeks like (most?) of us, the last thing we wanna do when we get home from the 9 to 5 is work on a computer.
Spare me the 'learning curve' line. There is a learning curve involved with Windows and Microsoft products, otherwise there wouldn't be any of those 'For Dummies' books in the computer stores & book stores to teach Joe Sixpack a good portion of what he needs/should know.
Understanding the scope of the problem is the first step on the path to true panic.
Open Firefox, type:"about:config" in the address bar, hit "enter", click on okay/continue on the warning, then scroll down to "extensions.blocklist.x" and change x (or whatever is there instead of x) to "enabled".
You are limiting yourself by using "can't" in your vocabulary. I was told not to use that word unless I was a lumberjack every time I used that word as a kid.
Lumberjacks have a tool to move logs around called a 'cant hook', and unless I was moving logs I did not need that word in my vocabulary.
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
I'd say it had something to do with the Tower of Babel.
The real question is: what took them so long?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Mike, I also use these extensions, and I wish you gave me the options of enabling them.
I am unhappy that something I use gets unilaterally removed by Firefox.
At the same time, Firefox makes no effort to remove truly hostile software like ICQSearch - I spent at least an hour removing ICQ from Firefox, and it suddenly comes back to life a week later.
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
There is no desktop web browser market anymore, MS killed that years ago and even opera which hung on for a while has now given up trying to sell thier desktop browser.
Microsofts goal is to keep people on windows (and prefferably office too but that is not relevent here). Whether that is through relying on IE or relying on a MS plugin for .NET in firefox doesn't really make a whole lot of difference.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Sure, your browser may be free software, but since the operating system is closed source, others can still play dirty tricks on you.
I think that's because I don't read all the code I'm running; I happen to be prevented because it's closed source, but similar things can happen on Linux.
It'd be really interesting to have a good idea why such things won't or don't happen on Linux. Possibly peer review ("enough eyeballs") and people/companies being afraid of PR backlash if they put in dirty laundry that gets found out (accountability, i.e. a disincentive), plus enough people just wanting to make $NAME the best piece of software it can be?
Let me be clear about what I'm saying. I'm not saying open source is bad (far from it; I love it). I'm not saying this shit happens to Linux in practice. What I am saying is that "you can read the source" is not the real reason why it doesn't happen to Linux. The real reason has to have to do with peoples' incentives and the fact that enough of the people with pure enough intentions actually do read the source and catch the evil code. [Similarly for BSD, Haiku, etc., I presume, but with much less experience.]
(is this the point where I talk about "On Trusting Trust" and the Debian SSH issue?)
It's semantics, but the vulnerability is within .Net and not specific to IE. I don't suppose it really matters in the end, but this does contribute to the perception that IE is "infecting" Firefox. It's really a common vulnerability that has been exposed in both browsers. No different than if they shared a common rendering dll that had an issue.
I believe Microsoft chose to roll this up in the IE cummulative update to minimize some dependency problems (and to perhaps keep the total Patch Tuesday count a little lower?)
I like the comments given in https://bugzilla.mozilla.org/show_bug.cgi?id=522777#c71.
Moar like WTF amirite.
http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx says pretty clearly that it's an IE vulnerability: "While the vulnerability is in an IE component", which fits with the information I have. I think perhaps the WPF plugin uses that IE component?
Phoning home? It's a plugin blacklist that Firefox downloads. It's not sending any of your data to Mozilla.
Don't take life so seriously. No one makes it out alive.
That technet blog says the vulnerability is in XBAP, which is part of the .NET framework.http://msdn.microsoft.com/en-us/library/aa970060.aspx and not IE. The lines between some of the IE and .NET libraries are pretty blurred at times though, given the level of integration.
We just got confirmation from Microsoft this evening that the .NET Framework Assistant add-on (used to provide ClickOnce stuffs) was NOT a vector for this vulnerability, so we've removed it from the blocklist. The WPF plugin is still there, though we're working on a way to let sophisticated users and enterprises override the block if they know that they have applied the relevant IE patch to their system.
o/~ the more you know o/~
From http://www.xbap.org/blog/
"What are the requirements for running a XBAP application? You will need to install the .Net 3 Framework runtime from Microsoft to run XBAP."
The XBAP functionality is part of the net framework and not natively in IE. The Windows Presentation Foundation add-on to Firefox gives Firefox the ability to access XBAP.
As I understand it, the MS09-054 patch fixes the IE vector and the actual vulnerability is part of MS09-061.
How about providing an option to re-enable the plugin or add-on, regardless of what Mozilla says and regardless of whether it is the vulnerable version or not? Hide it in the preferences if you must, but make it possible and not excessively difficult to find (i.e.: don't bury it in about:config or something). I am the sole administrator of my computer, and I should always have the final say on what gets installed, uninstalled, updated, upgraded, or changed on my computer, and that should never be usurped by anyone, be it Microsoft, Apple, Cannonical, or Mozilla, without my explicit concent.
Pretty sure it's XBAP's use of mshtml that's the problem for 09-054; 09-061 is a different vuln that is also exposed through some .NET widget.
Hrmm either that would result in Flash getting the thorough clean-up it needs, or being effectively eliminated from the web. Either way, I dont see a downside. This is a great idea!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Doesn't matter, it has been installed behind peoples back and without any possibility of disabling. It is no better than the Sony rootkit.
Why would you prefer Java over, well, anything? I have not run into any well-programmed business-class Java program that doesn't either: crash, runs slow as hell, or will not run without a specific version of the Java runtimes installed. Anything is better than Java, imo. Don't get me started on some of the Avaya Java apps. Ugh the nightmares.
Hear, hear! The Firefox team did the right thing. MS needs to play by the rules of any third-party applications with which it wants to interact. They should have used the 'front door' when installing their plugin, and had proper versioning information. They should live with the consequences of their backhanded install procedure, just like anyone else.
ERROR 144 - REBOOT ?
... I'd love Microsoft to respond and block the PITA updaters from Sun, Adobe and others that regularly screw up a perfectly working and secure configuration on Windows (Vista and 7), insisting on my attention despite being told where to get off and in any case requiring admin privileges to just go online and download even more bloatware.
And then they whine because MSFT are making it more difficult. It's as if they're saying "please make your OS more flexible so that we can still run our badly designed software..."
Oh wait, I forgot, that's a business model...
".dep"? Never heard of it. Nothing to do with Debian, certainly
DAMN! that must have been my whole problem right there! THANKS!!!
Ironically, my browser's crashed 5 or 6 times more than normal this morning after disabling that plugin; I'm sure it's completely unrelated though.
<conspiracy>
Or is it?
</conspiracy>
- Dan
....so when is Mozilla going to detect the presence of that batch and back off? If it doesn't it runs the risk of attracting criticism for freezing out a direct competitor.
Microsoft has updated their advisory and blog on the matter to address Firefox
Mike Shaver has posted a blog explaining that they are unblocking the Microsoft code because Microsoft has clarified their advisory.
This was funny. I was just reading this story and firefox gave me the prompt and had me restart. LOL. Nice.
Mozilla could take a leaf out of Microsoft's book. MS won't let third-party Ogg Vorbis files play on their Plays4Sure devices, because they want the user experience to be consistent across the entire Plays4Sure "platform", and having a media file play on one device but not another is, according to them, not a good thing for the consumer. Therefore Mozilla should, according to MS's play-book, act to prevent .Net components from working in Mozilla, because that creates a fractured Firefox platform experience. Someone will probably point out to me some feature or add-on that only works on GNU/Linux Firefox now...
Nicely done FF, I just can't wait until M$ cries over this, stating now that FF isn't playing fair and discriminating against their apps.
I love it when M$ drops the ball, and someone (with talent) picks it up and hands it back to them, slightly more polished then before.
Didn't ya RTFM??? Just set your ARCH to ~x86 and emerge www-misc/disable-mafia$oft-plugin-crapola-0.4428-r1.ebuild. With all the required deps it should take no more than a week, assuming at least a quad-core machine and that you're using distcc. :)
Nonaggression works!
I’ve coded a batch file to remove the Windows Presentation Foundation plugin (along with the accompanying Firefox .NET extension.)
My batch previously just removed the extension, but then I found out about this cruft as well.
This can then be easily added to a login script or such so you can remove it from multiple systems.
You can grab it from my blog here:
http://borchtech.blogspot.com/2009/10/updated-code-on-net-35-network.html
I hope this is useful to others...