Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Explains Mystery Firefox Extension

Posted by Soulskill on from the barn-doors-and-horses dept.

Ricky writes with a followup to news we discussed a couple days ago that a Microsoft toolbar update was installing an IE add-on and a Firefox extension without the user's consent. Quoting Ars: "Microsoft has fixed the distribution scope of a toolbar update that, without the user's knowledge, installed an add-on in Internet Explorer and an extension in Firefox called Search Helper Extension. Microsoft told us that the new update is actually the same as the old one; the only difference is the distribution settings. In other words, the update will no longer be distributed to toolbars that it shouldn't be added to. End users won't see the tweak, Microsoft told Ars, and also offered an explanation on what the mystery add-on actually does. 'The Search Enhancement Pack is a shared component used by the Windows Live Toolbar, MSN Toolbar, and Bing Bar. This component enables toolbar search functionality, like the toolbar search suggestions drop down. It is not the toolbar. It is a component used by the toolbars.'"

29 of 142 comments (clear)

  1. English Doc? by commodore64_love · · Score: 5, Insightful

    (looking perplexed)

    I still don't understand why it was added to Firefox when I'm not using MSN, Bing, or any other crap
    .

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:English Doc? by Voulnet · · Score: 2, Informative

      It wasn't added to Firefox users who didn't use MSN or Bing toolbars.

    2. Re:English Doc? by arth1 · · Score: 4, Interesting

      Wrong. It got added to Firefox if any of the toolbars were detected on the system, even if it was for IE. So someone with an OEM install of Windows with an IE toolbar, but who never used IE, would still get the Firefox add-on forced upon him.

      Now why Firefox would allow extensions to be installed from the outside without the user's permission is the question I have. That makes Firefox a good target for malware writers.

    3. Re:English Doc? by rvw · · Score: 4, Informative

      Wrong. It got added to Firefox if any of the toolbars were detected on the system, even if it was for IE. So someone with an OEM install of Windows with an IE toolbar, but who never used IE, would still get the Firefox add-on forced upon him.

      Now why Firefox would allow extensions to be installed from the outside without the user's permission is the question I have. That makes Firefox a good target for malware writers.

      I suppose Firefox isn't running when this happens. So it can't block anything. Firefox can block addons to be installed if they are activated from a page that Firefox visits. This is a different situation. And if Firefox is running, it's probably possible to install something that is activated after a restart. And if it shouldn't, this is Windows, MS territory, and they may be able to do anything if they want to.

    4. Re:English Doc? by AusIV · · Score: 4, Insightful

      How do you propose Firefox prevent the installation of an extension by software that has direct file system access? Firefox is open source, so anyone can look and see how an extension is installed. Third party software need only update the right files and the extension would be installed. Firefox had no control over any step.

      Now, this doesn't make Firefox a good target for malware writers. Anyone who can execute arbitrary code on your system doesn't need Firefox to cause problems.

    5. Re:English Doc? by buchner.johannes · · Score: 3, Interesting

      Now why Firefox would allow extensions to be installed from the outside without the user's permission is the question I have. That makes Firefox a good target for malware writers.

      Windows Update can remove or rewrite your Firefox install any way you like, Firefox can't in any way control that.
      Also, your profile folder can be rewritten in any way by user run program (malware). There is no way Firefox could prevent that.

      The only way to prevent things like this is OS security packages that enforce security policies (program A can write to folder B, program C may have TCP sockets). AFAIK RSBAC and SELinux are capable of this on Linux. But user home dirs, no way (how?).

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    6. Re:English Doc? by Hurricane78 · · Score: 2, Interesting

      Uuum because Windows Update is software that has to have full control over the system to do its job of updating core system files. And because Firefox, being a normal user program and maybe not even running, can’t override a program with full access and rights to everything.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    7. Re:English Doc? by arth1 · · Score: 2, Insightful

      Which means that they had the Bing or MSN toolbar installed. That in no way contradicts Voulnet's post that you're calling "wrong".

      Bzzt. Good thing for your karma that you post as AC. The claim was that it wouldn't install unless you used these toolbars, not whether you had them installed.

    8. Re:English Doc? by Polumna · · Score: 5, Funny

      You're obviously right, but there's an implication worth mentioning for this specific instance. *Microsoft* would have had to violate the DMCA publicly. Even if they did it with some legal sleight-of-hand, it would at least make for a >500 comment slashdot story. :P

    9. Re:English Doc? by arth1 · · Score: 2, Informative

      The toolbar doesn't have to be installed by you. If the Windows version is OEM, it might have been pre-installed by the manufacturer. And if you've installed a program that requires java, it might have installed java with the silent option, and the Yahoo toolbar is opt-out. And a plethora of other options, including it being installed and disabled. If you don't use IE at all, chances are you never noticed it.

    10. Re:English Doc? by Your.Master · · Score: 2, Insightful

      Except that if Microsoft circumvented the DRM, it would be flagrantly illegal and could not happen by accident.

      We're not talking about defending against a hypothetical foreign attack by a malicious adversary here, we're talking about preventing unwanted accidental or incidental installs.

  2. Huh? by Zumbs · · Score: 2

    The Search Enhancement Pack is a shared component used by the Windows Live Toolbar, MSN Toolbar, and Bing Bar. This component enables toolbar search functionality, like the toolbar search suggestions drop down. It is not the toolbar. It is a component used by the toolbars.

    And this explains why it was silently added to Firefox how? Wouldn't the reasonable way of accomplishing this be to download the pack with the extensions in question?

    --
    The truth may be out there, but lies are inside your head
    1. Re:Huh? by erroneus · · Score: 3, Insightful

      1. Yes, we are all in favor of automatic updates... for Microsoft Software. This includes Office and Windows and more. But Not Mozilla Firefox.
      2. Firefox does it's own automatic updates. It tells the users when there are updates for addons and for Firefox itself. Let Firefox manage itself! Microsoft only needs to place the update out on the web and tell its own addon where to find them. If people want this addon, they will install it and it will remain updated.

  3. Always pushing... by popo · · Score: 4, Insightful

    Why must constant vigilance be required? There need to be fines against companies who install software without consent. It doesn't matter who you are, it should be an illegal act.

    --
    ------ The best brain training is now totally free : )
    1. Re:Always pushing... by Voulnet · · Score: 2

      The worst part is that you can't find it Control Panel->Add/Remove--> Installed Updates so you can uninstall it. You basically need to hack around to be able to remove it.

    2. Re:Always pushing... by jack2000 · · Score: 3, Insightful

      None of that would be a problem if Mozilla had made it so third party programs can't install plugins.

    3. Re:Always pushing... by Nerdfest · · Score: 2, Insightful

      Open API's are generally a good thing, although these days you seem to need some sort of user confirmation to stop them from being abused. The open API is not the bad part, the abuse is.

    4. Re:Always pushing... by Derek+Pomery · · Score: 2, Informative

      http://www.frontmotion.com/Firefox/

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  4. Typical Microsoft. by jack2000 · · Score: 3

    No excuse, no sir. And here i was foolishly thinking they would make a public apology.

  5. Why is this allowed from FF? by beakerMeep · · Score: 4, Interesting

    I remember when this happened with some Silverlight thing in the past, but I can't remember what the reason was the Mozilla devs gave for allowing this type of silent local add on installation.

    Found an old bugzilla debate/bug from 2009 (!) about when this happened previously. It seems some consider it a moot point because Firefox reports add-ons have been installed when it boots. Did this MS update get around that somehow?

    Here's the link: https://bugzilla.mozilla.org/show_bug.cgi?id=476430

    And the old story from the last time MS did this: http://voices.washingtonpost.com/securityfix/2009/06/microsoft_patch_to_fix_firefox.html

    --
    meep
  6. Hand Wave by FrostedWheat · · Score: 4, Funny

    "This isn't the extension you're looking for."

  7. This made things worse by Posting=!Working · · Score: 4, Interesting

    Nothing was said about silently installing an extension to Firefox being completely wrong. No mention that it won't happen again. They've just about publicly admitting that they see nothing wrong with secretly installing changes to other companies software without need, notice, justification or a way to remove it.

    Fuck Microsoft. Everybody who had this happened needs to file a complaint with the police under the hacking laws, installing unauthorized modifications to software of a competitor without permission is illegal, it doesn't matter if Microsoft does it, it's still illegal. Here in Kentucky, it's either a class A or B misdemeanor, depending on whether your time undoing it can be considered monetary damage.

    Also, we only have Microsoft's word that it just affects search results in their toolbar. For all we know it's logging credit card numbers, recording your webcam, and copying your personal information and contents of your c:/porn folder for public display/blackmail later. They probably aren't, but then again, what have they done that's trustworthy lately?

    "WGA thinks your copy of XP is unauthorized because you added memory and a graphics card. Your credit card has been charged $399.99 for a license."

    --
    This sentence no verb.
  8. Again? by Anonymous Coward · · Score: 2, Informative

    Didn't they do a similar thing with a .net addon?

    Oh yes, they did.

  9. This is why I don't use toolbars by FlyByPC · · Score: 3, Interesting

    No toolbars installed == no MS update. I don't even use Google's toolbar -- and I more-or-less trust them (at least more than M$, anyway).

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  10. Re:That will happen when you vote for it by IANAAC · · Score: 2, Insightful

    People buy it because they need it much like they need gas.

    People don't *need* it at all. They get it most of the when they purchase a new PC.

    No matter how easy Ubuntu (or whatever flavor of Linux we could talk about) is to install, people have already got an operating system on their PC and won't bother to install another one unless MS does something to truly piss them off. I say this as someone who pretty much immediately installs Ubuntu on any new machine I buy.

  11. Re:That will happen when you vote for it by pizzach · · Score: 2, Insightful

    People don't *need* gas at for transport either. They could just live close enough to work to bike or walk.

    No matter how easy Ubuntu (or whatever flavor of Linux we could talk about) is to install, people have already got an operating system on their PC and won't bother to install another one unless MS does something to truly piss them off. I say this as someone who pretty much immediately installs Ubuntu on any new machine I buy.

    Most people wouldn't change their operating system even if MS pissed them off. Most people don't know they have the option and they don't have a clue how to do it. This is part of the basis for my previous assertion. You might like doing what you do. Some people love biking, too.

    If you look at job descriptions, many are asking for ability to use specific programs instead of generic skills. Many web programming gigs still require testing for older version of Internet Explorer. AutoCAD does not run on linux. Many people don't realize that OpenOffice opens Word documents with high accuracy. Many companies ask that resumes are submitted in specifically doc format. Not PDF. Newer versions of Internet Explorer don't run in Wine. Games are still mostly on Windows. Sometimes there just plain aren't Linux drivers available for some hardware. People like what they know and dislike change.

    These are some of the generic reasons floating in people's minds, even if many are misguided. You can spend your time shooting down a large number of the above down with the people you meet. I am sure someone will do that in a reply to this exact post, even though they are preaching to the choir. There are a lot of people out in the worcld who don't know that they don't need Windows, and they likely won't rethink computer and software purchases that quickly when the correct answer seems simple right now.

    And so, that is why I made the general assertion that Windows sales are mostly inelastic. When the market share of Windows does drop below a certain point, my assertion will suddenly not hold any weight anymore.

    --
    Once you start despising the jerks, you become one.
  12. Toolbars? by BCW2 · · Score: 3, Insightful

    People are still foolish enough to add them? Wow, I thought they were all mal ware just like all pop ups. Who has time to check which ones aren't?

    --
    Professional Politicians are not the solution, they ARE the problem.
  13. "Microsoft explains..." by QuietLagoon · · Score: 3, Interesting

    Microsoft has always been under the false impression that just because "Microsoft explains" a bad deed, that the deed suddenly becomes OK.

  14. Here we go again. by penguinman1337 · · Score: 2, Interesting

    M$ still thinks that they own every PC in the world. It doesn't matter if it even runs Windows or not. They've demonstrated this time and time again. Anyone remember the Suse linux controversy a couple years back? They still haven't gotten the idea through their corporate heads that the end user has a choice now on what to do with their system. Lets say you buy a computer with windows pre-installed. They pretty much say now that by even opening the box you agree to their EULA. Even if the first time you boot is solely to pop open the DVD drive to put in a Linux install CD. Last comp i bought didn't even have a initial "You officially sign your life and your computer over to us" dialog come up. And you know how they supposedly give refunds on the windows tax to ppl who never use it. Good luck on that one. M$ is still the same bully they always were, they just try to put a nice face on it from time to time.

    If i ever get a chance to interview an M$ executive, I'm going to ask if they feel that they have any rights to a comp that was built by me from parts, and had slackware installed as the only OS from the beginning. I think their response would show everyone exactly how they feel. Hell, anything other than a straight "No" would show their true colors.