Apple, Microsoft, Google Attacked For Evil Plugins

nk497 writes "A Mozilla exec has attacked Apple, Microsoft and Google for installing plugins without users' permission. 'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Asa Dotzler asks. 'That is precisely how a Trojan horse operates... These additional pieces of software installed without my consent may not be malicious but the means by which they were installed was sneaky, underhanded, and wrong.' He called on them to 'stop being evil.'"

Yes

[metrix007]

Yes...I should not have to check addons to firefox to make sure nothing dodgy has been installed. Of course, this behaviour will continue as long as it is technically possible, so why doesn't Mozilla simply make it impossible? Only allow installing addons through firefox, with explicit prompts.

Re:Yes

[drachenstern]

Because not all extensions can be "disabled" from the UI. Then there's others, like Java, which don't remove old versions... go figure.

Re:Yes

[Krneki]

Exactly, lock the plug-ins with a password. This is something I'm waiting since a long time ago.

It's my browser and I don't like changes being made without my explicit confirmation.

Re:Yes

[140Mandak262Jamuna]

These dumped extensions can be disabled and uninstalled only from a root account. If you are using a lower privilege account for day to day ops, the uninstall button is grayed out. These extensions are assumed to be installed for "all users" and one low privileged user would/should not be able to take them out. It is a pain to log out, and log in as superuser just to disable one extension that some corporate creep decides to shove on my machine.

Re:Yes

[mellon]

You are right in principle, but not in practice. The problem is that the security model for software package installations allows for privilege escalation in an unconstrained (not chrooted) environment. This means that the installer can do whatever it wants to Mozilla, and there's nothing Mozilla can do to stop it.

The solution to this problem is to use a different installation model and a different security model. Two examples are Bitfrost and iOS. Both use a security model where apps are constrained as to what they can access, and how they can access it. Installers aren't allowed to scribble all over the filesystem. Consequently, app installers would not be *able* to modify the Mozilla install, so this simply wouldn't be an issue.

So basically what's going on here is that these companies are taking advantage of a broken security model while they can. Hopefully as technology marches forward, this broken security model will become obsolete, although I see no evidence that Microsoft or Apple are working on it.

Re:Yes

[mysidia]

so why doesn't Mozilla simply make it impossible?

Because they shouldn't have to? Due to understood ownership of the application's own files by that application and the system admin?

Apple, Google, Microsoft should list their plugins in the Addons directory, just like everyone else has to. If they think users will strongly benefit from a plugin and want to make things easy, they should at least prompt first, before messing with a different application's files.

Because the functionality Microsoft/Google/Apple are abusing is important useful functionality for system administrators to deploy plugins system-wide or network-wide. Or install a plugin once globally, without each user needing to maintain and update their own copy of every popular plugin that is needed.

Just because Microsoft has no business using this functionality as an underhanded way to try to hoc their own plugins does not mean the easy deployment of browser with plugins pre-loaded should not be allowed.

Re:Yes

[QuoteMstr]

This approach is doomed.

The browser has to somewhere remember that a user approved an extension. It does this by writing state to disk. A malicious extension installer can simply modify this saved state to make the browser think the user installed and approved the payload. The same goes for a startup message advertising extensions that have been installed since the last browser run.

You can't win this fight without OS involvement. The correct solution is application-level sandboxing, which quite a few people are working on.

Re:Yes

[Corporate+Troll]

True, but keep in mind that only a privileged user would be able to install anything that has such a payload. So... Not a problem.

Re:Yes

[David_W]

We'd actually need to invent a new word to convey the stupidity of it.

"Java-esque"?

Re:Yes

[Tharsman]

Exactly what I was thinking. How about they stop being enablers and turn those stealth instals into install requests the user can turn down immediately?

Re:Yes

[Tharsman]

The limitation of not being able to disable add-ons from the UI is not something that HAS to be so, besides, the activation off the plugin can be put off until a user agrees to it's presence.

After all, if Google, MS and Apple are doing it, imagine what more malicious software can sneak in.

Re:Yes

[theCoder]

Normally, I'd agree, but the OP specifically talked about a user supplied password to be able to add a plugin. That password could control access to a private key that is used to sign a hash of the valid list of plugins. On startup, Firefox could use the public key to validate the list of plugins, and throw up a big error if the list is invalid (because someone snuck one in).

Of course, recovering from this state would be difficult -- maybe Firefox could provide a way to disable plugins until the new list matched it's hash? But it would at least alert the user that something fishy was going on. Think of it as a tripwire for plugins.

Re:Yes

[The+Moof]

It also doesn't help stealth plug-in installations. Not to mention Firefox has no method to remove installed plug-ins, only disable them. Mozilla's official method is to hunt down the file on your system and delete it.

Needless to say, Mozilla's Plug-in handling leaves a lot to be desired.

Re:Yes

[QuoteMstr]

Encrypt the list of enabled plugins with a user password

"Encryption" is the wrong word here. What we're talking about is digital signing. The way it would work is that upon installation, the browser would generate a public-private keypair, encrypt the private key with a password of the user's choice, and save the resulting public key and encrypted private key to persistent storage.

At all times, the browser would store the list of enabled plugins and sign it with the encrypted private key. Nobody can generate a valid signature for a list of enabled plugins without the password, and the browser will not use a plugin list unless it comes with a valid signature.

All this is fine as far as it goes, but it'll only work until our malicious plugin installer patches the browser binary and makes it skip the key check; the malware could also replace both the public and the private key with replacements of its choosing. Either way, the user may or may not eventually notice that something is wrong, but if he does, it probably won't be a while, and he probably won't be able to track the malfunction back to the evil installer.

Malware vendors can also wait for the user to type his password when installing a different plugin, then use that password to generate a valid signature for a plugin list that includes anything desired.

The moral is that applications still need to be sandboxed. They're not protected from each other. Without OS-level protection, applications can do horrible things (often without needing elevated privileges at all). Half-measures aren't the answer.

Re:Yes

[QuoteMstr]

My interpretation was in the spirit of intellectual charity, not arrogance; i.e., I gave you the benefit of the doubt, employing the only interpretation that makes any sense.

Encryption without authentication is worthless. Either you're using symmetric encryption and you make the user enter the password every time the browser wants to read the plugin list (or worse, store the key on disk), or you're using asymmetric encryption and creating a message that can be decrypted by a given public key is simple.

Encryption *and* authentication is pointless in this case because the browser needs to be able to decrypt plugin information at all times using only information in persistent storage. Encryption does not provide any security properties in this context.

So we're left with authentication itself being the task at hand, which I assumed is what you meant. But instead of having an adult conversation about the issue, you have a temper tantrum. I'm through.

Re:Yes

[Lucky75]

Then the installers just need to go through your files and change the flag on the addon to enable it. Unless it's encrypted somewhere, but then the programs just need to go through your files and look for the key. The only way to prevent this is to have the user enter a password or something. However, most users are too stupid to understand what they're doing anyway.

anti-trust!

[alphatel]

But MS, G and A all have our best interests at heart. No program should be able to circumvent this explicitly allowable behavior!

Solution: Warning box

[GodWasAnAlien]

Warning: A third party plugin, PluginNameHere, has been installed without user consent:

DELETE KEEP

Re:Solution: Warning box

[baka_toroi]

"Son, what should I do?" I will remember you forever when my mom calls me about that dialog box. Thank yo, GodWasAnAlien (BTW, don't you mean "Christ"?)

Re:Solution: Warning box

[thePowerOfGrayskull]

You could if you tracked which ones were installed through the browser, vs which ones simply showed up in the plugins directory and were never 'approved' by the user. It doesn't seem difficult.

While you couldn't offer to delete them (because priv acct might be required) you *could* only enable them after explicit user approval.

Re:Solution: Warning box

[d3ac0n]

The thing is, nontechnical users don't WANT "neutral" verbiage. Part of the problem with many computer dialogs is not that they don't make sense, it's that they don't help you assess the VALUE of the warning they are giving.

Since most computer users don't have a frame of reference or knowledge from which to assess the value of warnings they receive, we have to supply that for them in the dialog message.

I think that we can all agree that installing something, ANYTHING, into our browsers without explicit user permission is BAD. Thus, the warning should reflect that. An overly neutral warning will just produce, at best, confusion and at worst, blind "yes" clicks.

Something along the lines of: "Alert. The following add-on [name of add-on] was recently installed without your explicit permission by [program] Do you wish to approve or deny this plugin access to Firefox? [approve] [deny]"
  Is far more useful to the average user than your "neutral" message.

Re:Add Yahoo as well

[PNutts]

Just last night I was testing something that required Yahoo messenger. After accurately deselecting all the various optional bullshit software it still installed the fucking Yahoo toolbar and who knows what else. What a scam.

I installed Yahoo! Messager last week and it did not install anything I deselected. But since you posted as AC all I can say is you did it wrong.

Don't stop them from adding, auto remove...

[gurps_npc]

Not that difficult to code in a startup screen "X addons installed since last restart. Should I remove?"

Re:Don't stop them from adding, auto remove...

One could write a plugin that does just that!

Re:Don't stop them from adding, auto remove...

[MobyDisk]

Only slightly less difficult than that, is making the installer mark the add-ons as already approved. Even so, it is still a good idea because while installing a plug-in without permission is a gray area, pretending that the user clicked "yes I want this" when they didn't is probably illegal.

people don't seem to mind

One thing I've slowly come to realize is that most people do not mind a big company or other entity controlling their computers. They're quite happy to run javascript trackers, download web bugs, run any executable without knowing whether it's safe, and so on.

Many of us here have an aversion to these things. If we see a plugin installed without our permission, we'll figure out how to remove it. But most people do not place any value in having control over their own hardware, so they see no value in doing that.

The end result of this is going to be a highly controlled internet, because the number of people who care about its freedom and openness is very tiny compared to the number who don't. The market forces will decide, and those are clearly on the side of the "you may control my computer in any way you want, Mr Multinational Corporation".

PS - my CAPTCHA for this message was "disallow".

Re:people don't seem to mind

[spacefiddle]

I would alter "do not mind" to "have no clue and don't understand the potential implications of." The end result will be a highly controlled everything, because people are neither taught nor encouraged to think about things that don't relate to their immediate button-pushing responsibilities, coupled with a fair amount of casual despair about having any control over their own lives.

Most enduser types I've talked to about such things tend to give me lines like "Ah, none of this stuff affects me," "Whaddyagonna do, they'll do what they want anyway" and "Pfff, they wouldn't do anything really bad."

Re:people don't seem to mind

[erroneus]

There is much truth in what you speak here. But it gets worse.

Turns out that this is all done because Apple, Microsoft and Google (and more) have all done studies to determine the preferences of most users. The goal is to make things easier. It doesn't matter if easier makes them more vulnerable, easier is preferred by the general public. (Now if only the TSA and government would get this message! We don't care to be "safer" if it's inconvenient!)

If they have to be bothered to install or even be prompted to install things, this will add to the level of frustration a user will experience.

Does anyone remember the period of time in which you could hear the words "computer illiterate" spoken with a certain level of pride? "Oh, I'm computer illiterate..." Seriously? It's true and there is still a small number of people out there who wear their ignorance as a badge of honor. We have a HUGE world of user psychology to overcome before we can get to a place where people are aware and cautious.

For the moment, "ignorance is an excuse" for the problems they experience. If they actually take control of their own machines and something bad happens, it becomes THEIR OWN fault which is a responsibility they do not want to accept. It is far easier for them to curse and blame the faceless others out there rather than blame themselves for their own lack of interest.

TL;DR? Users want to blame anyone but themselves when they have problems. If they learn anything, it becomes a burden of responsibility they simply do not want.

Re:people don't seem to mind

The CAPTCHAs are themed to the article. Slashdot has been doing this for a long time now. People like you keep posting their CAPTCHAs as if it is some humorous and unlikely coincidence that the word has a contextual applicability to the article topic.

This is on purpose. The system is explicitly designed to do this. Stop acting surprised.

Re:people don't seem to mind

[BitZtream]

Most people place less value on 'managing their computer' than they do on 'living their life', that I'll agree to.

Saying people place no value in having control over their own hardware is retarded. You have 0 control on how your processor operates internally don't you? Or do you work for Intel or AMD and have some sort of direct control over it?

Most people don't care about what slashdot users care about. A 'perfect computer setup' is not anywhere on their list of priorities, which I realize is completely blasphemy to most slashdotters, but the reality of it is, most other people have other things in their lives that they value more than dicking around with their PC.

You place a high value on controlling your PC, they place a high value on something else.

You live in a hypocritical fantasy where you pretend you have complete control over your PC, while you utterly ignore all the aspects of it that you have absolutely no control over.

Oh okay, but what about Mint

[SmallFurryCreature]

The Mint Linux distro installs a default custom search that not only removes a lot of functionality from google but also takes up half the page size on a 12.1 inch netbook with a plain ugly design, just to make some cash. Fixing it is possible but come on! I donate cash already to various projects, but Mint can kiss my hairy ass. I need that left column in Google search because else it gives me results from the beginning of the ice age on any query related to current events.

But companies just can't accept that we don't want their crap. Especially American companies. Please ATI, I know about WoW, if I wanted to play it, I would have played it by now. So stop trying to slip the trial on my gaming machine. No thanks MSI, I do NOT want a dumb virus checker with my windows, I do not even want windows. And if I want games I get the one with my ATI card not some god awful free game with god knows what installed along with it.

I would love to serve one of the execs.

Bill Gates: "One milk shake please"

Me: *FAP FAP FAP*. *HATCHOO*. *SPIT*.

Me: "Sure, and enjoy the free extra I added in regoniztion of the quality software you shovelled on me."

Anyone knows if the McD at Redmond is hiring?

Re:Oh okay, but what about Mint

[slackbheep]

Clearly you didn't see the genius of his plan, once he gets Gates pregnant: BAM.

Re:Oh okay, but what about Mint

[Jah-Wren+Ryel]

Actually he and his wife have given a couple talks at TED (TED.com) about the foundation he and his wife have setup.

Yeah, he went from being the 800lb gorilla in computers to being the 800lb gorilla in charities.
I predict the same level of destruction to that ecosystem too.

Misread title

When I read the title I understood: "Apple, Microsoft, Google Attacked by Evil Penguins ". I should not have tried to read it again, it completely destroyed the original effect.

Re:Add Yahoo as well

[Monkeedude1212]

Maybe in his configured UI the Checkboxes were actually X's - and he thought an X beside the item means "Do Not Want" - a common mistake when using X-indicative checkboxes.

But really, it's no different than when I want to Install Adobe PDF Reader and work, and it's all "Hey, do you want the Google Toolbar? I'll just go ahead and check the box for you. I know that you waste a fraction of a second each time unchecking that box, and that frustrates a lot of IT professionals, but thats just how I roll. I mean, IE already has a built in "Search Bar" which most people who use Google will switch it to google instead of Live search, but the important thing is to find all the technically illiterate masses who use computers and make sure they have the Google Toolbar so they use Google more. God forbid if they don't like Bing as their default search provider they actually set Google as their home-page and just use Google anyways - THEY NEED THAT TOOLBAR.

Honestly, I used to be completely and utterly serenely happy with Google. They provided just the right services I wanted and genuinely stayed out of my way. I didn't really care if they were collecting information on me, they were so clever about it I didn't notice.

But nothing makes me angrier than this silly ridiculous "Add My Browser Toolbar" Bull that ALL these companies are working together on. I mean, if you already have the google Toolbar installed, instead of asking you if you want it again, Adobe Reader Installer knows that and will ask "Hey, do you want this free version of Norton?" Seriously? As if cramming 1 optional program down my throat was bad enough.

Has anybody tried uninstalling and Re-installing adobe reader with all of the Auto-Opted-In "Side Packages" to see exactly how many companies have kissed Adobes ass? I'm now curious but I wouldn't want to do it on my machine. (I totally need to virtualize my workstation...)

Microsoft, Apple and Google

[bradgoodman]

See no evil, Hear no evil, Speak no Evil

that's the price of popularity

[bl8n8r]

when you have 300 jillion people using your product, you can afford not to care.  No it's not fair, but that's capitalism.

And

[ISoldat53]

Make it easier to remove them.

Re:Beyond Firefox

[EvilMonkeySlayer]

Actually, if you go to the google earth download page undernearth the TOS there is an "advanced setup" option that expands to some tick boxes you can untick to download a version of google earth that doesn't include the horrible updater and a version that doesn't require admin rights that can install to the users directory.

Google but not Adobe?

[Enderandrew]

I have Google Chrome and Google Earth installed. I don't have any Google plugins installed in Firefox. So I'm not sure what he is talking about, unless something changed with Google Earth recently.

Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.

Microsoft is the worst offender here, where they use Windows Update to push a Firefox .NET Assistant extension, don't ask your permission, and don't allow you to remove it.

Re:Google but not Adobe?

[tokul]

Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.

http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
Try to avoid installing Adobe download manager harder.

Re:So because Mozilla's security model is flawed

[Lundse]

Yes. It is the other's fault.

The human body is very easy to puncture with a knife, this does not make slashing open your neighbour OK.
Cars can drive beyond the speed limit, houses can be broken into, people can be swindled, telephones called by telemarketers, etc. etc.

None of this makes it OK to do any of these things, and just because Firefox is built around a certain design principle (that it should be easy to modify) does not make it OK for others to modify it against the user's wishes.

Re:Add Yahoo as well

[amRadioHed]

Maybe in his configured UI the Checkboxes were actually X's - and he thought an X beside the item means "Do Not Want" - a common mistake when using X-indicative checkboxes.

Really? I find that a bit surprising. In all my years I've never encountered a single person who was confused by what an X in a box means, not in computers or in the real world where the practice is just as common.

original article

[Eil]

Here's Asa's blog post, so that you don't have to click through the "news" article, which is almost entirely a copy-and-paste of Asa's post.

Doomed to failure.

[davev2.0]

This solution requires Mozilla to fix things on their end rather than complaining about big companies doing something Mozilla didn't bother to prevent.

Re:Doomed to failure.

[Zumbs]

No, it requires Mozilla to hack Windows and OSX to ensure that programs running with administrator rights cannot change resourses used by Firefox. Which will get pretty messy.

Re:And F-Secure installs trojans now

[Khyber]

'but the installer does not explicitly tell you that it will install a Firefox extension."

Guess what I sued EA for and got them to settle on PDQ?

That EXACT same behavior with SecuROM.

I think, given how easily EA settled, that one would have a winnable case against any other company. EA settled to stop irreparable damage to their shady business model, I can only imagine every other company doing the exact same thing if you took them to task over it.

Java has quirks.

[Futurepower(R)]

Java has ALWAYS been a badly managed language. Sometimes programs (not web sites) will only run correctly with an old version of Java.

Those who supply Java programs often have to deliver an entire Java run-time package to make sure their programs will run.

The quirky management of Java was extremely strong public relations for Sun. Notice that Sun no longer exists.

Re:Java has quirks.

[bberens]

I recall the day when Sun released a new patch for Java. Everyone auto-updated and all of a sudden the transparency of labels in our app was broken all over the place. Luckily for us there were only a hand full of people using our app on a Windows desktop OS (most are CE). So rather than going back and redoing the layout for all of our screens we just handed people a functioning JRE. That was an annoying day when a bug was introduced into our app by the platform vendor.

Re:Is this guy on crack?

[frostfreek]

All I have to say in response to this is ".NET Framework Assistant". http://www.computerworld.com/s/article/9139459/Sneaky_Microsoft_plug_in_puts_Firefox_users_at_risk

Turning the problem around

[QuietLagoon]

The Mozilla exec is trying to turn a FireFox security hole (i.e., the ability to load plug-ins without the user's knowledge or consent) into something else (other companies are evil for exploiting the security hole).

.
The solution is simple, Mozilla needs to fix the security hole in FireFox, and while they are at it, provide a means to uninstall plug-ins that does not rquire me to go rummaging through the filesystem looking for oddly-named files and deleting them.

Re:Bill Gates != Microsoft anymore. Re:Oh okay,

[mcgrew]

"I’ll tell you why I like the cigarette business. It costs a penny to make. Sell it for a dollar. It’s addictive. And there’s fantastic brand loyalty." —Buffett, quoted in Barbarians at the Gate: The Fall of RJR Nabisco (from wikipedia)

If you want me to like Bill Gates, saying he has Warren Buffet's approval won't do it.

Yes and No

[huzur79]

When an Automatic Update from Microsoft Update or Apples Software update installs a plugin, I have an issue with that like how .net was added to firefox without users knowing. When something installs from a users explicit decision such as installing iTunes or MS Live and it installs a plugin he's wrong. User initiated installs is the permission granted to Apple or Microsoft or Google to install whatever is being offered. If the user fails to read the finer details of what’s being installed or reads the installer options such as, include whatever plugin, it’s not their fault. There is a difference between Automatic non user initiated plugin installs from updates and user initiated software installs that include a plugin. Firefox could easily just audit its plugins from last start to see if anything has been added in the unofficial way and warn the user or by default disable it and ask the user to enable it. Its in there power to do something about it but instead they take the lazy route or political route to complain about it instead. So one must ask what is the Agenda saying Microsoft, Apple and Google are evil when they have the power to code changes to prevent it vs saying the Maker of Internet Explorer and the Maker of Safari and the Maker of Chrome are evil. Oh I think I just answered the Political question with that last line.

Ubuntu does it too!

[datakid23]

I love linux and I've been using Ubuntu since 5.10 - but let's not forget that it's not just evil corporations that do this! Ubuntu has a plugin that's installed when you install firefox, without asking.

Not additional software

[harryjohnston]

At least on Windows, the plugins in question aren't "additional pieces of software" that are being installed secretly. They're part of the software package you chose to install, both conceptually and technologically.

This doesn't necessarily justify the fact that any particular software package doesn't make its browser add-on functionality optional and/or opt-in. It's just an observation.

Incidentally, I could swear that Firefox has been prompting me lately whenever a new add-on is discovered, and giving me the chance to disable it. Problem solved, I'd think, although I suppose you could argue that it should be opt-in rather than opt-out.

Mozillas Fault

[Tom]

So, why does Firefox then enable and run those plugins, eh? If you really think they are evil, put your money where your mouth is, keep an internal list of enabled plugins, not editable from outside sources, and if a new plugin is detected, throw up a dialog asking the user if he wants it enabled or not.

If you provide the functionality, don't whine if people use it. If your browser will happily activate and use any plugins I throw into its plugin directory, stop crying if I do.

Simple English

[leptechie]

Dear User Firefox/IE/Safari/Opera/Chrome detected that two plugins were recently installed from a source outside your browser. If you were informed about this by the program that installed it, please review this information anyway.

• pluginName has a link to the author's website and a description here, and the process to deactivate, uninstall or upgrade the plugin can be found at this link. If you were not notified by the author that this plugin would be installed, please contact them at this email address or report it to the Development Team at this link.
• OtherPluginName does not appear to have either: (1) information on the author, (2) any links to processes for deactivation, uninstallation or upgrade, and/or (3) a contact address for you to submit problems or questions to the author. The plugin has been disabled as a precaution, you can re-enable it here. You can read more about unsafe or stealth plugins here. Know your Rights.

Disable All, Disable Incomplete, Enable All