Microsoft Explains Mystery Firefox Extension

Ricky writes with a followup to news we discussed a couple days ago that a Microsoft toolbar update was installing an IE add-on and a Firefox extension without the user's consent. Quoting Ars: "Microsoft has fixed the distribution scope of a toolbar update that, without the user's knowledge, installed an add-on in Internet Explorer and an extension in Firefox called Search Helper Extension. Microsoft told us that the new update is actually the same as the old one; the only difference is the distribution settings. In other words, the update will no longer be distributed to toolbars that it shouldn't be added to. End users won't see the tweak, Microsoft told Ars, and also offered an explanation on what the mystery add-on actually does. 'The Search Enhancement Pack is a shared component used by the Windows Live Toolbar, MSN Toolbar, and Bing Bar. This component enables toolbar search functionality, like the toolbar search suggestions drop down. It is not the toolbar. It is a component used by the toolbars.'"

English Doc?

[commodore64_love]

(looking perplexed)

I still don't understand why it was added to Firefox when I'm not using MSN, Bing, or any other crap
.

Re:English Doc?

[arth1]

Wrong. It got added to Firefox if any of the toolbars were detected on the system, even if it was for IE. So someone with an OEM install of Windows with an IE toolbar, but who never used IE, would still get the Firefox add-on forced upon him.

Now why Firefox would allow extensions to be installed from the outside without the user's permission is the question I have. That makes Firefox a good target for malware writers.

Re:English Doc?

[rvw]

Wrong. It got added to Firefox if any of the toolbars were detected on the system, even if it was for IE. So someone with an OEM install of Windows with an IE toolbar, but who never used IE, would still get the Firefox add-on forced upon him.

Now why Firefox would allow extensions to be installed from the outside without the user's permission is the question I have. That makes Firefox a good target for malware writers.

I suppose Firefox isn't running when this happens. So it can't block anything. Firefox can block addons to be installed if they are activated from a page that Firefox visits. This is a different situation. And if Firefox is running, it's probably possible to install something that is activated after a restart. And if it shouldn't, this is Windows, MS territory, and they may be able to do anything if they want to.

Re:English Doc?

[AusIV]

How do you propose Firefox prevent the installation of an extension by software that has direct file system access? Firefox is open source, so anyone can look and see how an extension is installed. Third party software need only update the right files and the extension would be installed. Firefox had no control over any step.

Now, this doesn't make Firefox a good target for malware writers. Anyone who can execute arbitrary code on your system doesn't need Firefox to cause problems.

Re:English Doc?

[buchner.johannes]

Now why Firefox would allow extensions to be installed from the outside without the user's permission is the question I have. That makes Firefox a good target for malware writers.

Windows Update can remove or rewrite your Firefox install any way you like, Firefox can't in any way control that.
Also, your profile folder can be rewritten in any way by user run program (malware). There is no way Firefox could prevent that.

The only way to prevent things like this is OS security packages that enforce security policies (program A can write to folder B, program C may have TCP sockets). AFAIK RSBAC and SELinux are capable of this on Linux. But user home dirs, no way (how?).

Re:English Doc?

[Polumna]

You're obviously right, but there's an implication worth mentioning for this specific instance. *Microsoft* would have had to violate the DMCA publicly. Even if they did it with some legal sleight-of-hand, it would at least make for a >500 comment slashdot story. :P

Always pushing...

[popo]

Why must constant vigilance be required? There need to be fines against companies who install software without consent. It doesn't matter who you are, it should be an illegal act.

Re:Always pushing...

[jack2000]

None of that would be a problem if Mozilla had made it so third party programs can't install plugins.

Typical Microsoft.

[jack2000]

No excuse, no sir. And here i was foolishly thinking they would make a public apology.

Why is this allowed from FF?

[beakerMeep]

I remember when this happened with some Silverlight thing in the past, but I can't remember what the reason was the Mozilla devs gave for allowing this type of silent local add on installation.

Found an old bugzilla debate/bug from 2009 (!) about when this happened previously. It seems some consider it a moot point because Firefox reports add-ons have been installed when it boots. Did this MS update get around that somehow?

Here's the link: https://bugzilla.mozilla.org/show_bug.cgi?id=476430

And the old story from the last time MS did this: http://voices.washingtonpost.com/securityfix/2009/06/microsoft_patch_to_fix_firefox.html

Hand Wave

[FrostedWheat]

"This isn't the extension you're looking for."

Re:Huh?

[erroneus]

1. Yes, we are all in favor of automatic updates... for Microsoft Software. This includes Office and Windows and more. But Not Mozilla Firefox.
2. Firefox does it's own automatic updates. It tells the users when there are updates for addons and for Firefox itself. Let Firefox manage itself! Microsoft only needs to place the update out on the web and tell its own addon where to find them. If people want this addon, they will install it and it will remain updated.

This made things worse

[Posting=!Working]

Nothing was said about silently installing an extension to Firefox being completely wrong. No mention that it won't happen again. They've just about publicly admitting that they see nothing wrong with secretly installing changes to other companies software without need, notice, justification or a way to remove it.

Fuck Microsoft. Everybody who had this happened needs to file a complaint with the police under the hacking laws, installing unauthorized modifications to software of a competitor without permission is illegal, it doesn't matter if Microsoft does it, it's still illegal. Here in Kentucky, it's either a class A or B misdemeanor, depending on whether your time undoing it can be considered monetary damage.

Also, we only have Microsoft's word that it just affects search results in their toolbar. For all we know it's logging credit card numbers, recording your webcam, and copying your personal information and contents of your c:/porn folder for public display/blackmail later. They probably aren't, but then again, what have they done that's trustworthy lately?

"WGA thinks your copy of XP is unauthorized because you added memory and a graphics card. Your credit card has been charged $399.99 for a license."

This is why I don't use toolbars

[FlyByPC]

No toolbars installed == no MS update. I don't even use Google's toolbar -- and I more-or-less trust them (at least more than M$, anyway).

Toolbars?

[BCW2]

People are still foolish enough to add them? Wow, I thought they were all mal ware just like all pop ups. Who has time to check which ones aren't?

"Microsoft explains..."

[QuietLagoon]

Microsoft has always been under the false impression that just because "Microsoft explains" a bad deed, that the deed suddenly becomes OK.