Slashdot Mirror
Firefox Disables Microsoft .NET Addon
ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.
Microsoft has put billions of dollars into developing the most effective and efficient security vulnerabilities to date. I can only watch in awe and wonder.
Sam ty sig.
From the TFA, it is clear that Microsoft approves of this particular move. I quote
It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.
I mean, this damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everbody wants to read the MS KnowledgeBase article and implement it themselves. At least, not my mom.
Quidquid latine dictum sit, altum videtur
For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions
Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'
Sigs. We don't need no steenking sigs.
Oh, I think not. The "functionality" added is Windows specific. Websites _should not_ be OS specific. And Microsoft had _no business_ shoving their plug-in silently into Firefox. And most of all. .NET is now a security nightmare: Brian LaMacchia, one of the authors of ".NET Framework Security", resigned from .NET development rather than continue with it. (LaMacchia's career is fascinating: if you'd like to follow a trail of an expert engineer getting involved in projects that are doomed for mishandling security, perhaps in spite of his best efforts, check out his career.)
FYI, it doesn't help at all !!!
I have Microsoft disabled (I run Gentoo Linux), and my Firefox failed miserably to disable the .Net plug-in. I spent a day clicking on the menus and recompiling updates, and I still don't get the pop-up :(
On the bright side, my system now runs 1.27% faster compared to yesterday. It feels like 10% faster, really.
A friend had a problem with a CD burner app (Nero I think?) and asked me to take a look at it (they weren't too tech savvy). So I took a look and Googled the error and found that it was a problem with a registry key that would screw randomly. The fix was to delete it and if the error came back the fix was to change it to a specific value (which would cause nagging warnings but not make the program fail outright, so deleting it first was the better solution). So when I had fixed it I told him offhandedly, not expecting him to understand, that it was a problem with the registry and if it happens again to give me a call. So a week later he calls and says it had the same problem but I didn't need to come round because he had found a registry cleaner, for cheap, only $39.95... I never mention the word "registry" to non-tech people now.
MS09-054 is labelled as an Internet Explorer update, so it's not obvious that Firefox users need to apply it. We're working with Microsoft on getting that fixed. Microsoft did definitely agree to it; I'm the one they told, on the telephone, before I requested the block be pushed out. I don't know why you think I was lying -- I didn't "imply" it, I flat out said that they agreed, which is the case. Do I have a history of lying about such things?
Was it without consent though? I'm sure it would have been buried in the small print somewhere when installing/updating the .Net framework.
You better check again, as the plugin tries to re-install itself silently when a .NET service is called from a website in Firefox, and also via the recent batch of patches from Microsoft. The only way to be sure is to double-check and not only nuke the appropriate registry entry, but the entire sub-folder of your .NET installation the plugin is installed to, as well as resetting the ID string in About:Config. Then you should proceed to disable that update from being downloaded or displayed via Automatic Updates.
The really disturbing thing I found, is that after sneakily re-installing itself via the latest patch from MS, the plugin is not displayed at all in the Addons/Extensions portion of the Firefox configuration screen. The only reason I even found it reinstalled, was that warning from Firefox when the nasa.gov site attempted to load the plugin while viewing their photo galleries.
Yes, it was my fault to have updates set on Automatic/Automatic, which has since been remedied on this system. I was irresponsibly lazy on the matter.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
It's not just a useragent string, but it allows remote code execution. https://bugzilla.mozilla.org/show_bug.cgi?id=522777
I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.
Vulnerability to malware is very profitable for Microsoft and its main customers, computer manufacturers. When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has security risks. See the New York Times article Corrupted PC's Find New Home in the Dumpster.
Vulnerability is a business model for Microsoft, in my opinion and that of many people.
But that doesn't explain everything about Microsoft's manner of doing business. Windows Vista was released against the wishes of some Microsoft managers. Remember Windows ME and DOS 3.0 and DOS 4.0? The problems in those products made a huge amount of money for Microsoft. Because of the problems people migrated to the next version quickly, and paid the full price again. Releasing bad versions, apparently deliberately, is profitable when a company has a virtual monopoly and many buyers lack technical knowledge.
But, as they say in late-night informercials, there's more. Windows XP had serious problems until the release of service pack 2, only four years ago. Maybe Windows XP SP2 could be called the first release version.
Windows 7, apparently a small update to Vista that fixes the most annoying problems, allows no easy path to migrate from Windows XP. Anyone who doesn't want to re-install and re-configure all programs must migrate to Vista first, then to Windows 7, and pay the full price again for two versions, not just one.
So, maybe just being evil is another part of Microsoft's business model.
Mike, I haven't seen anyone else say this, so allow me. As a grateful firefox user and evangelist, thanks for your efforts, contributions, and patience in putting up with all of us. Please pass this thanks on to your co-team members.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
People, please let this idea die VERY quickly. Chrome is NOT there to get an install base for Chrome. It is there to get an install base for modern browsers with fast javascript/DOM.
Googles operates in the browser and in order to be able to get the next generation products out there, it needs to ensure that those products can be run. IE/MS ain't capable of this, so they both push MS by making them scared to completly loose the browser AND by capabilities to IE to make it play catch up with the real browsers.
In a way, what Google is doing is installing electricity cabling into every house. NOT because it wants to be in the utility business but because it has all these design for electric machines and they ain't going to be selling them to people who use candles and woodstoves.
MS on the other hand does NOT want people to have modern browsers, or rather not browsers that act like browsers. Its business relies on activex and .net and the like to keep apps closely tied to their windows OS.
MS fears projects like gmail and worse wave. It knows that its software is increasingly a major cost of computers (check it, hardware prices go down, MS prices go up) and while so far its software offers a lot more features, the sign of netbooks is that, a lot of them ain't needed. I got a netbook (with linux) that is not nearly as capable as a full PC. I can't game on it, its office tools are simplistic but guess what, it is all I really need.
MS has been selling XP, a lot, for netbooks but it has been doing it at a fraction of the price it would like to charge and really, it only sold XP so cheaply because else Linux would have been installed. You would be right in assuming a LOT of people would replace Linux with an OLD XP copy (license of an old PC you threw away is still valid) but MS doesn't even want the idea that there maybe yet another OS out there. An OS that while not perfect is good enough. People are already getting dangerously exposed to this idea by their cellphones. Quick poll, who has Windows Mobile and is willing to admit it? Everyone knows that an iPhone gets you the girls, this even goes for girls.
MS ideally wants to sell you their OS for 300+ dollars, that doesn't fit well for a 300- netbook or indeed a mobile phone, but that is MS business model, and ideally, you should spend another 300 for the office suit. (please, MS fanboys, do NOT link to student discounts or OEM versions. Full price for the box in the MS store.)
Google is doing something completly different. It is saying. Nah, you don't need a 300 dollar OS with a 300 dollar productivity suite. Just a browser (free) on free/cheap OS and you got all you really need. For free. Sure, there are some angles (your data is on the google servers) but for a lot of people, it is good enough.
AND that, is what scares MS. Because... even if people would still use windows, the window sthey would be using is their old XP. This is already the case in a many companies. And without the cashcows of Windows/Office, how can MS afford all its other attempts to control markets?
The browser wars are back, but they are being fought for a different reason. Chrome is NOT netscape 2.0
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?
Not really if you look at where the real competition is occurring.
The REAL product that Microsoft is trying to protect is the Windows platform. This is how Microsoft maintains their monopoly. IE is merely a means to try to control the web market to use Windows only across the board. The windows platform maintains much of its monopoly power by controlling the software to run on only Windows. Microsoft has long known that 3rd party developers were a big factor in building their monopoly, and keeping them on Windows maintains that monopoly.
This plugin lets you run parts of .Net on Firefox, correct? .Net is largely Windows only software, correct? So by having Firefox (an increasingly popular web browser on Windows) run .Net software, Microsoft is trying to maintain .Net on web browsers as a viable platform. By doing this they try to ensure that you'll need a Windows computer to run .Net software on a browser. The alternative is that Web developers increasingly reject .Net components because of the increasing popularity of FireFox (and .Net not running on FireFox, thus developers don't want to lose the market share and choose non .Net alternatives). That's bad for Microsoft, since it means more inter-operability with other OS's, which would decrease the relevance of Windows.
Pretty clever, really. Frankly I think the Firefox developers should stop this nonsense not only because of the security concerns, but mainly because it's an attempt to control Firefox by Microsoft. Does Mozilla really want to answer to whatever Microsoft decides to inject into Firefox this week?
I also think it's a anti-competitive move by Microsoft and an abuse of their monopoly power. I doubt anyone will do anything about it though.
AccountKiller
All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?
For anyone curious as to the real state of affairs behind this MS plugin issue, you might be interested in a few things. For everyone else just enjoying a good anti-Microsoft circle-jerk, ignore this post.
The plugins being discussed do more than just change the User Agent of the browser. They allow for XAML applications to run in Firefox and ClickOnce program distribution. For everyone that normally cries about Microsoft pushing IE and trying to lock users into their browser, this is an attempt to allow people to use an alternative browser while still having access to their other Microsoft-centric technologies (.NET in this case). Isn't this a good thing?
This is the bug in question. There is a lot of interesting comment there, including the fact that while everyone is crying about Microsoft "secretly" adding the plugin and preventing users from disabling it, Mozilla doesn't even give users an option to enable it! Their blocklist is all or nothing. Why doesn't that bother anyone here? One poster is very insightful:
But perhaps the best thing about this entire issue, is that Mozilla didn't block the plugins until AFTER they were patched and the mechanism of the block is retarded. Mozilla is claiming that Microsoft agreed to issuing the block of the affected plugins, and that might be true, but only to an extent. Mozilla is currently blocking the plugins based on the name of the plugin, not the version, which means users who have installed the patched version of the plugs (at this point almost everyone using Windows Update) are still unable to use the plugins and have no way to re-enable them.
So essentially, by issuing this patch, Mozilla is doing nothing but hurting its business customers. Slashdotters can scratch their heads trying to figure out who uses these technologies, but the answer is a lot of businesses do. This absolute, non-scriptable and non-changeable block of these plugins will just remind corporations that open source isn't ready for the big leagues and they should just stick with Microsoft and IE. The sad thing is that if this kind of knee-jerk, carte-blanche blocking behavior becomes the norm for Mozilla, they will probably be right! Taking this kind of control away from the users is simply unacceptable, doubly so for businesses.
If you're wondering what MS says about this, you might take a look at this:
So there it is -- pretty much everyone
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
I consider any plugin installed without my consent to be malicious, especially if it's a plugin FOR SOMEONE ELSE'S SOFTWARE.