Firefox Disables Microsoft .NET Addon
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?
I just checked my addons and whilst I don't have the Microsoft addon, I do have an AVG one which is disabled. Clicking on the more information link (https://en-gb.www.mozilla.com/en-GB/blocklist/) presents me with a page that says:
Whilst it is nice to see they've done it, it's a shame that they didn't test the end to end user flow.
Avantslash - View Slashdot cleanly on your mobile phone.
I might be mistaken but don't these add-ons/plugins from Microsoft specifically allow certain web pages to render properly under Firefox which otherwise would have required users to run IE? If so Microsoft centric IT Enterprise users who have started using Firefox at work might revert back to IE. This might reduce the gains that Firefox has been achieving in Microsoft centric IT Enterprise shops.
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create an addon for a competing company?
Chrome Frame.
Microsoft has deservedly taken a LOT of sh*t for forcing this addon into Firefox unannounced - AND preventing you from disabling or uninstalling it - unless you yank it out of the registry. It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"
From the TFA, it is clear that Microsoft approves of this particular move. I quote
It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.
I mean, this is damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everybody wants to read the MS KnowledgeBase article and implement it themselves. At least, not my mom.
Quidquid latine dictum sit, altum videtur
While some slashdotters think otherwise, Java/Windows install base is huge thanks to a couple of very popular apps and tiny games. Since companies these days look for multi platform, multi arch; MS needed to show that their herd has been installed/infected by .NET too.
So, they haxor the user agent to show that clueless CTO that their 90% of users have .NET so they should use it instead of massively multi platform Java.
Anyway, as you see, karma is a real bitch and if Sun had a real management, they could milk this issue but... Lucky for MS, Sun is under auto pilot, even under Larry Ellison's Oracle.
Actually, it was patched on Tuesday.
That issue is nothing (they asked for it in fact).
The issue which should make to books about the tech irony is Virtual PC for Mac 7.x (if anyone uses, UPDATE!). MS found a theoretical (not sure) issue which Virtual PC's emulated X86/Hypervisor can MODIFY the OS X memory from "there".
While they were decent to fix it very quickly and shipped an update (7.0.3) confusing Mac users, that is one big amazing issue for you. Imagine by running (emulating in fact) a Windows, you risk your OS X memory locations with overwrite.
Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).
Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.
I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..
Anyone else have an explanation why that plugin avoided legal consequences?
Insert
Last night I was browsing through the headlines on Slashdot's front page. At one point I came across the headline "Sneaky Microsoft Add-On Put Firefox Users At Risk" (story here). While I was reading the text underneath that headline, Firefox's prompt (indicating that it had detected the relevant plugin) popped up. It was so startling that I started wondering whether the browser was reading my mind! Weird stuff.
The TFA makes a reference [...]
You mean The TFA Article.
For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions
Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'
Sigs. We don't need no steenking sigs.
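The registry cleanup described in the comment above, as an added PowerShell example that is not part of the original thread. It lists every extension registered for Firefox through the registry and flags the ID the comment quotes. Firefox stores each such extension as a value whose name is the extension ID and whose data is the install path. The native `HKLM` and `HKCU` locations and the `-TargetId` / `-Remove` parameter names are assumptions added here; only the `Wow6432Node` path and the ID come from the comment.

```powershell
# Added example: audit registry-registered Firefox extensions.
# Run from an elevated PowerShell prompt if you intend to use -Remove on HKLM.
param(
    # Extension ID quoted in the comment above.
    [string]$TargetId = '{20a82645-c095-46ed-80e3-08825760534b}',
    # Hypothetical switch: delete the matching value (prompts before each removal).
    [switch]$Remove
)

# Wow6432Node is the path from the comment (32-bit Firefox on x64 Windows).
# The other two are the native machine-wide and per-user equivalents (assumption:
# checked here for completeness; they are not mentioned on the page).
$locations = @(
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKCU:\Software\Mozilla\Firefox\Extensions'
)

foreach ($key in $locations) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this machine

    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $path = $item.GetValue($name)

        # One row per registered extension: where it is registered, what it points at,
        # and whether the target directory/file is still on disk.
        [pscustomobject]@{
            Key         = $key
            ExtensionId = $name
            Path        = $path
            PathExists  = [bool]($path -and (Test-Path -LiteralPath $path))
            IsTarget    = ($name -eq $TargetId)
        }

        if ($Remove -and $name -eq $TargetId) {
            # Deletes only the registry value; files under $path are left untouched.
            Remove-ItemProperty -LiteralPath $key -Name $name -Confirm
        }
    }
}
```

Run it without `-Remove` first to see what is registered; entries that appear here were installed by something other than the Firefox add-on manager.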
FYI, it doesn't help at all !!!
I have Microsoft disabled (I run Gentoo Linux), and my Firefox failed miserably to disable the .Net plug-in. I spent a day clicking on the menus and recompiling updates, and I still don't get the pop-up :(
On the bright side, my system now runs 1.27% faster compared to yesterday. It feels like 10% faster, really.
A friend had a problem with a CD burner app (Nero I think?) and asked me to take a look at it (they weren't too tech savvy). So I took a look and Googled the error and found that it was a problem with a registry key that would screw randomly. The fix was to delete it and if the error came back the fix was to change it to a specific value (which would cause nagging warnings but not make the program fail outright, so deleting it first was the better solution). So when I had fixed it I told him offhandedly, not expecting him to understand, that it was a problem with the registry and if it happens again to give me a call. So a week later he calls and says it had the same problem but I didn't need to come round because he had found a registry cleaner, for cheap, only $39.95... I never mention the word "registry" to non-tech people now.
MS09-054 is labelled as an Internet Explorer update, so it's not obvious that Firefox users need to apply it. We're working with Microsoft on getting that fixed. Microsoft did definitely agree to it; I'm the one they told, on the telephone, before I requested the block be pushed out. I don't know why you think I was lying -- I didn't "imply" it, I flat out said that they agreed, which is the case. Do I have a history of lying about such things?
Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."
Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.
That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...
-- If you try to fail and succeed, which have you done? - Uli's moose
After last Patch Tuesday (yes, this is a confession I do have some Windows boxes), Firefox on my systems developed an issue with pages displaying in sort of a text-only mode when using the Refresh button(1). Page load times were also longer than usual. Those issues disappeared immediately once Mozilla's block of the .NET addon & the WPF plugin arrived.
This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.
After all the vulnerability has been known to Microsoft for several months, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.
(1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.
Yandelvayasna grldenwi stravenka
There's no cat and mouse -- they agreed to this blocking. I have in fact encouraged them to use a different extension ID if and when they make a fixed ClickOnce/WPF add-on that can be installed by active user choice rather than by default!
Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
Where's the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automatically?
It's proprietary and full of ads! Just what I wanted, an extension that checks for updates of my Adobe Reader software. Uninstalled. The Firefox team should send a message. Firefox add-ons are not yours to take over like the Windows startup.
That statement is consistent with what I heard from Microsoft, though their post has been updated since that conversation. And MSFT has seen that text; if it's not correct, I'm sure I'll hear it from them, and will be happy to correct it. (I wrote the text pretty quickly, since it was late on Friday night and we were getting inbound already from the blocklist addition.) But that's really ancillary to the issue, which is that Firefox users are vulnerable to a problem that we learned about this week, which is labelled as an IE problem/patch. Microsoft and Mozilla agreed that we should block the plugin and add-on to mitigate the risk while we made sure that FF users were going to install that IE patch. This isn't an us-vs-them thing, but I don't know who you're talking to at Microsoft who is saying different things.
So your argument against people switching away from MS, is that people use MS??
That's the classical excuse of the beta human: I can't do it, because nobody does it.
And why does "nobody" do it? Because everybody uses that "argument" to not do it!
The best thing is, that it isn't even remotely true that nobody does it. You're reading a comment from someone doing it right now. But it's so convenient to ignore that, isn't it?
Maybe that's the difference between alphas and betas. Alphas have no problem being the first in the club, to start dancing. No they even grab a girl and make a show out of it! ^^ (Because they know that that makes them the leader. Something that is very handy and feels great. Killing any insecurity-based awkwardness.)
So if one person can do it, then two can too. Including handling MS file formats. Including the ability to be in a MS (SMB) network. And so on.
So if two can do it, everybody can.
Which means nobody needs to use MS software. But they want it! Why? Because it's less effort. One can be lazy. And the excuses "always work", to lie even to oneself, about wanting to switch.
"Oh, if only others would use it! Then I would too! But in this situation? No way!" Except that you wouldn't. Or if you would, then I wonder what a pathetic kind of cattle you are, for always trying to conform, even if it's not what you like.
Hell, I'd even prefer to hear that you actually prefer Windows, and that this is mostly because you don't like all the work required to switch. That would at least be honest. And while not agreeing with the view, I could absolutely comprehend and accept it.
Do yourself a favor, stop imitating others just to be "accepted", stop caring what others think of you, build your own set of values, be you, do what you like, and strongly stand behind your reality. That is a basic human right of everybody. And we will not hate you for it. No, we will love you for it. (Isn't it strange, how doing the opposite of what you did, will give you what you always wanted? ^^)
P.S.: If anywhere you found that my assumptions are wrong, *of course* you can tell me how wrong I am. But only if. ^^ (And moderation is no replacement.)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
If you go to about:config in firefox and toggle the value of extensions.blocklist.enabled from true to false and restart firefox then the plugins will work.
Power does not corrupt - power attracts the corrupt.
Yes, sorry, I should have said that we can't distinguish it without custom code pushed through a patch, because it doesn't affect any files that we load or touch.
I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.
my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
You did the right thing. Please ignore silly comments from the peanut gallery.
All diplomacy aside, I appreciate any efforts to lock down the walls against invasive bullshit I was tricked into installing and had to crawl through my registry with a flashlight and hip waders in order to kill. Further, anybody who doesn't have a problem with Microsoft tampering with third party software they have no business touching is probably not the sort of person whose complaints are worth clogging up your conscience with.
Cheers!
-FL
As Mr. Morden said to Londo Mollari when Londo asked why not just destroy the Narn homeworld ... "one thing at a time, Ambassador, one thing at a time".
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
Vulnerability to malware is very profitable for Microsoft and its main customers, computer manufacturers. When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has security risks. See the New York Times article Corrupted PC's Find New Home in the Dumpster.
Vulnerability is a business model for Microsoft, in my opinion and that of many people.
But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.
But, as they say in late-night infomercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.
Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.
So, maybe just being evil is another part of Microsoft's business model.
While I was angry at Microsoft's silent installation of this component in Firefox and there is part of me that is ready to cheer on Mozilla for disabling it, I also feel disappointed by the reaction to this.
Not only are the vulnerable versions of Microsoft's add-on disabled, but also all versions indiscriminately, including the patched version that Microsoft rolled out this last Tuesday. Just as some people may have been impacted by Microsoft's original silent installation, how does Mozilla know whether an end user actually uses sites that depend on that add-on or not?
Imagine what would have happened if Mozilla remotely disabled everyone's Flash plug-in each time a new vulnerability was discovered in it? There have been 0-day exploits in the wild for Flash and just think about its install base. Or the Adobe Reader plug-in? Lord knows it's a more deserving candidate given its history.
In this case there may be some justification in that the unrequested component might pose yet unknown risks, but now I have to wonder what Microsoft's strategy will be during their next update cycle - to re-enable it given that they've fixed the hole in question? Did Mozilla just give Microsoft precedent that would support it disabling Chrome Frame in future?
As a customer of both parties I feel that I've been dragged into someone else's war, which is being waged with my computer as the battle field.
Is there any software which actually uses these .NET Helper and Windows Presentation Foundation plugins? Do these expose an API to let javascript code interact with the .NET framework or something? Do they let people write Firefox extensions in a .NET language? Do they let specially crafted Microsoft websites run .NET code in Firefox?
If users have nothing to gain from these plugins, then there is no reason they should exist.
Mike,
Hi.
I have over 100+ boxes at work that depend on this plugin. When I get into work tomorrow, if they're not working (they run FF), then I'm not going to have much choice but to switch back to IE, am I?
I frankly did not know you guys had this ability to unilaterally disable things I depend on. That is a bit disturbing. It's going to unexpectedly cost me HOURS tomorrow.
Can you at least switch the block to only block unpatched versions? I'd agree with that.
Mike, I haven't seen anyone else say this, so allow me. As a grateful firefox user and evangelist, thanks for your efforts, contributions, and patience in putting up with all of us. Please pass this thanks on to your co-team members.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
"On the bright side, my system now runs 1.27% faster compared to yesterday."
Which means that time you spent recompiling everything should pay for itself after about 90 more days of straight Firefox usage.
He who lights his taper at mine, receives light without darkening me.
People, please let this idea die VERY quickly. Chrome is NOT there to get an install base for Chrome. It is there to get an install base for modern browsers with fast javascript/DOM.
Google operates in the browser and in order to be able to get the next generation products out there, it needs to ensure that those products can be run. IE/MS ain't capable of this, so they both push MS by making them scared to completely lose the browser AND by capabilities to IE to make it play catch up with the real browsers.
In a way, what Google is doing is installing electricity cabling into every house. NOT because it wants to be in the utility business but because it has all these design for electric machines and they ain't going to be selling them to people who use candles and woodstoves.
MS on the other hand does NOT want people to have modern browsers, or rather not browsers that act like browsers. Its business relies on activex and .net and the like to keep apps closely tied to their windows OS.
MS fears projects like gmail and worse wave. It knows that its software is increasingly a major cost of computers (check it, hardware prices go down, MS prices go up) and while so far its software offers a lot more features, the sign of netbooks is that, a lot of them ain't needed. I got a netbook (with linux) that is not nearly as capable as a full PC. I can't game on it, its office tools are simplistic but guess what, it is all I really need.
MS has been selling XP, a lot, for netbooks but it has been doing it at a fraction of the price it would like to charge and really, it only sold XP so cheaply because else Linux would have been installed. You would be right in assuming a LOT of people would replace Linux with an OLD XP copy (license of an old PC you threw away is still valid) but MS doesn't even want the idea that there may be yet another OS out there. An OS that while not perfect is good enough. People are already getting dangerously exposed to this idea by their cellphones. Quick poll, who has Windows Mobile and is willing to admit it? Everyone knows that an iPhone gets you the girls, this even goes for girls.
MS ideally wants to sell you their OS for 300+ dollars, that doesn't fit well for a 300- netbook or indeed a mobile phone, but that is MS business model, and ideally, you should spend another 300 for the office suite. (please, MS fanboys, do NOT link to student discounts or OEM versions. Full price for the box in the MS store.)
Google is doing something completely different. It is saying. Nah, you don't need a 300 dollar OS with a 300 dollar productivity suite. Just a browser (free) on free/cheap OS and you got all you really need. For free. Sure, there are some angles (your data is on the google servers) but for a lot of people, it is good enough.
AND that, is what scares MS. Because... even if people would still use windows, the Windows they would be using is their old XP. This is already the case in many companies. And without the cashcows of Windows/Office, how can MS afford all its other attempts to control markets?
The browser wars are back, but they are being fought for a different reason. Chrome is NOT netscape 2.0
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create an addon for a competing company?
Not really if you look at where the real competition is occurring.
The REAL product that Microsoft is trying to protect is the Windows platform. This is how Microsoft maintains their monopoly. IE is merely a means to try to control the web market to use Windows only across the board. The windows platform maintains much of its monopoly power by controlling the software to run on only Windows. Microsoft has long known that 3rd party developers were a big factor in building their monopoly, and keeping them on Windows maintains that monopoly.
This plugin lets you run parts of .Net on Firefox, correct? .Net is largely Windows only software, correct? So by having Firefox (an increasingly popular web browser on Windows) run .Net software, Microsoft is trying to maintain .Net on web browsers as a viable platform. By doing this they try to ensure that you'll need a Windows computer to run .Net software on a browser. The alternative is that Web developers increasingly reject .Net components because of the increasing popularity of FireFox (and .Net not running on FireFox, thus developers don't want to lose the market share and choose non .Net alternatives). That's bad for Microsoft, since it means more inter-operability with other OS's, which would decrease the relevance of Windows.
Pretty clever, really. Frankly I think the Firefox developers should stop this nonsense not only because of the security concerns, but mainly because it's an attempt to control Firefox by Microsoft. Does Mozilla really want to answer to whatever Microsoft decides to inject into Firefox this week?
I also think it's an anti-competitive move by Microsoft and an abuse of their monopoly power. I doubt anyone will do anything about it though.
AccountKiller
Though it has been exhaustively stated already, it bears repeating...so I'll repeat it: the .NET plugin or extension (whatever it is) does not allow users to disable or uninstall it via normal interfaces. Basically, without Mozilla's patch, you have to do some file system & registry spelunking to close this breach; like someone mentioned, that's not something the average user is going to look forward to, and for many is far beyond their scope of capabilities. To my knowledge, no other plugin or extension exhibits this bad behavior, nor are they foisted on the user via sleight-of-hand as a "security update." Furthermore, to those who balk that Mozilla can't differentiate between unpatched and patched versions, once again, this plugin came from MS. If it's their plugin for their .NET framework, that is exclusive to their OS, wouldn't that sort of make it their responsibility to have it include version info, or some way to check, via the filesystem or registry details, the .NET file version numbers/installed ver info and report it back to firefox? Hell, wouldn't it be on them to ask the user if they want to install it, along with making it fully removable in the first place? How, precisely, should Mozilla, an entirely separate org who I don't imagine ever anticipated having such a wonky problem be created for their browser's extensions, handle this, if not via the patch they released? Why is everyone defending Bill & Steve?
I think this was a real fumble for MS, and Mozilla took steps to prevent critical problems--don't know about the best steps, but at least they were quick to action. Imagine if this had not been done, and exploits for the problem started popping up like wildfire, or widespread browser/OS crashes became common; how many users would firefox lose, due to a problem entirely of someone else's making? Let's not get confused over who's the bad guy. MS has the most to gain from any perceived flaws in a competing product, and their track record isn't exactly one that shows overwhelming care and concern for the end user. Even if not malicious, and chances are it's not, it still is another mark of incompetence on the overall company that they're releasing flawed software and forgetting courtesies like asking the user if they actually want the changes, not to mention not allowing them to revert it without 'popping the hood'.
Odi profanum vulgus et arceo
I agree with your points, that is what I was getting at with the question. Microsoft is really pushing it a little too far when it comes to placing .new code in a third party application. The problem is that with most Microsoft code there are going to be bugs throughout it, this is even more so when dealing with a third party application like Firefox. I think they should stick to their OS and leave the rest to others because they end up causing more issues than they solve.
And this is why more and more people don't trust software that isn't open source. Sure, your browser may be free software, but since the operating system is closed source, others can still play dirty tricks on you. If there is any non-free software on your computer, you don't really control it.
Please correct me if I got my facts wrong.
I believe that by tomorrow you will have a number of options, though switching browsers is certainly one of them. I hope to post an update to our security blog about it tonight.
(Do your boxes depend on the WPF plugin or the ClickOnce add-on, out of curiosity? And can I ask what you did before Windows .NET Framework 3.5 SP1 installed this plugin? Or are all the apps in question more recent than February? Genuinely interested, trying to learn more about the scope of people's use here.)