Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple, Microsoft, Google Attacked For Evil Plugins

Posted by CmdrTaco on from the also-wear-more-hats dept.

nk497 writes "A Mozilla exec has attacked Apple, Microsoft and Google for installing plugins without users' permission. 'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Asa Dotzler asks. 'That is precisely how a Trojan horse operates... These additional pieces of software installed without my consent may not be malicious but the means by which they were installed was sneaky, underhanded, and wrong.' He called on them to 'stop being evil.'"

27 of 293 comments (clear)

  1. Yes by metrix007 · · Score: 5, Insightful

    Yes...I should not have to check addons to firefox to make sure nothing dodgy has been installed. Of course, this behaviour will continue as long as it is technically possible, so why doesn't Mozilla simply make it impossible? Only allow installing addons through firefox, with explicit prompts.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
    1. Re:Yes by drachenstern · · Score: 3, Informative

      Because not all extensions can be "disabled" from the UI. Then there's others, like Java, which don't remove old versions... go figure.

      --
      2^3 * 31 * 647
    2. Re:Yes by Krneki · · Score: 4, Insightful

      Exactly, lock the plug-ins with a password. This is something I'm waiting since a long time ago.

      It's my browser and I don't like changes being made without my explicit confirmation.

      --
      Love many, trust a few, do harm to none.
    3. Re:Yes by mellon · · Score: 3, Insightful

      You are right in principle, but not in practice. The problem is that the security model for software package installations allows for privilege escalation in an unconstrained (not chrooted) environment. This means that the installer can do whatever it wants to Mozilla, and there's nothing Mozilla can do to stop it.

      The solution to this problem is to use a different installation model and a different security model. Two examples are Bitfrost and iOS. Both use a security model where apps are constrained as to what they can access, and how they can access it. Installers aren't allowed to scribble all over the filesystem. Consequently, app installers would not be *able* to modify the Mozilla install, so this simply wouldn't be an issue.

      So basically what's going on here is that these companies are taking advantage of a broken security model while they can. Hopefully as technology marches forward, this broken security model will become obsolete, although I see no evidence that Microsoft or Apple are working on it.

    4. Re:Yes by QuoteMstr · · Score: 3, Insightful

      This approach is doomed.

      The browser has to somewhere remember that a user approved an extension. It does this by writing state to disk. A malicious extension installer can simply modify this saved state to make the browser think the user installed and approved the payload. The same goes for a startup message advertising extensions that have been installed since the last browser run.

      You can't win this fight without OS involvement. The correct solution is application-level sandboxing, which quite a few people are working on.

    5. Re:Yes by Corporate+Troll · · Score: 3, Insightful

      True, but keep in mind that only a privileged user would be able to install anything that has such a payload. So... Not a problem.

    6. Re:Yes by David_W · · Score: 4, Funny

      We'd actually need to invent a new word to convey the stupidity of it.

      "Java-esque"?

    7. Re:Yes by theCoder · · Score: 3, Informative

      Normally, I'd agree, but the OP specifically talked about a user supplied password to be able to add a plugin. That password could control access to a private key that is used to sign a hash of the valid list of plugins. On startup, Firefox could use the public key to validate the list of plugins, and throw up a big error if the list is invalid (because someone snuck one in).

      Of course, recovering from this state would be difficult -- maybe Firefox could provide a way to disable plugins until the new list matched it's hash? But it would at least alert the user that something fishy was going on. Think of it as a tripwire for plugins.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    8. Re:Yes by The+Moof · · Score: 4, Insightful

      It also doesn't help stealth plug-in installations. Not to mention Firefox has no method to remove installed plug-ins, only disable them. Mozilla's official method is to hunt down the file on your system and delete it.

      Needless to say, Mozilla's Plug-in handling leaves a lot to be desired.

    9. Re:Yes by QuoteMstr · · Score: 5, Insightful

      Encrypt the list of enabled plugins with a user password

      "Encryption" is the wrong word here. What we're talking about is digital signing. The way it would work is that upon installation, the browser would generate a public-private keypair, encrypt the private key with a password of the user's choice, and save the resulting public key and encrypted private key to persistent storage.

      At all times, the browser would store the list of enabled plugins and sign it with the encrypted private key. Nobody can generate a valid signature for a list of enabled plugins without the password, and the browser will not use a plugin list unless it comes with a valid signature.

      All this is fine as far as it goes, but it'll only work until our malicious plugin installer patches the browser binary and makes it skip the key check; the malware could also replace both the public and the private key with replacements of its choosing. Either way, the user may or may not eventually notice that something is wrong, but if he does, it probably won't be a while, and he probably won't be able to track the malfunction back to the evil installer.

      Malware vendors can also wait for the user to type his password when installing a different plugin, then use that password to generate a valid signature for a plugin list that includes anything desired.

      The moral is that applications still need to be sandboxed. They're not protected from each other. Without OS-level protection, applications can do horrible things (often without needing elevated privileges at all). Half-measures aren't the answer.

    10. Re:Yes by QuoteMstr · · Score: 5, Insightful

      My interpretation was in the spirit of intellectual charity, not arrogance; i.e., I gave you the benefit of the doubt, employing the only interpretation that makes any sense.

      Encryption without authentication is worthless. Either you're using symmetric encryption and you make the user enter the password every time the browser wants to read the plugin list (or worse, store the key on disk), or you're using asymmetric encryption and creating a message that can be decrypted by a given public key is simple.

      Encryption *and* authentication is pointless in this case because the browser needs to be able to decrypt plugin information at all times using only information in persistent storage. Encryption does not provide any security properties in this context.

      So we're left with authentication itself being the task at hand, which I assumed is what you meant. But instead of having an adult conversation about the issue, you have a temper tantrum. I'm through.

  2. Solution: Warning box by GodWasAnAlien · · Score: 5, Insightful

    Warning: A third party plugin, PluginNameHere, has been installed without user consent:

    DELETE KEEP

    1. Re:Solution: Warning box by thePowerOfGrayskull · · Score: 3, Informative
      You could if you tracked which ones were installed through the browser, vs which ones simply showed up in the plugins directory and were never 'approved' by the user. It doesn't seem difficult.

      While you couldn't offer to delete them (because priv acct might be required) you *could* only enable them after explicit user approval.

  3. Don't stop them from adding, auto remove... by gurps_npc · · Score: 4, Insightful

    Not that difficult to code in a startup screen "X addons installed since last restart. Should I remove?"

    --
    excitingthingstodo.blogspot.com
  4. people don't seem to mind by Anonymous Coward · · Score: 5, Interesting

    One thing I've slowly come to realize is that most people do not mind a big company or other entity controlling their computers. They're quite happy to run javascript trackers, download web bugs, run any executable without knowing whether it's safe, and so on.

    Many of us here have an aversion to these things. If we see a plugin installed without our permission, we'll figure out how to remove it. But most people do not place any value in having control over their own hardware, so they see no value in doing that.

    The end result of this is going to be a highly controlled internet, because the number of people who care about its freedom and openness is very tiny compared to the number who don't. The market forces will decide, and those are clearly on the side of the "you may control my computer in any way you want, Mr Multinational Corporation".

    PS - my CAPTCHA for this message was "disallow".

    1. Re:people don't seem to mind by spacefiddle · · Score: 5, Insightful

      I would alter "do not mind" to "have no clue and don't understand the potential implications of." The end result will be a highly controlled everything, because people are neither taught nor encouraged to think about things that don't relate to their immediate button-pushing responsibilities, coupled with a fair amount of casual despair about having any control over their own lives.

      Most enduser types I've talked to about such things tend to give me lines like "Ah, none of this stuff affects me," "Whaddyagonna do, they'll do what they want anyway" and "Pfff, they wouldn't do anything really bad."

      --
      That which does not kill us makes us... st
    2. Re:people don't seem to mind by erroneus · · Score: 3, Interesting

      There is much truth in what you speak here. But it gets worse.

      Turns out that this is all done because Apple, Microsoft and Google (and more) have all done studies to determine the preferences of most users. The goal is to make things easier. It doesn't matter if easier makes them more vulnerable, easier is preferred by the general public. (Now if only the TSA and government would get this message! We don't care to be "safer" if it's inconvenient!)

      If they have to be bothered to install or even be prompted to install things, this will add to the level of frustration a user will experience.

      Does anyone remember the period of time in which you could hear the words "computer illiterate" spoken with a certain level of pride? "Oh, I'm computer illiterate..." Seriously? It's true and there is still a small number of people out there who wear their ignorance as a badge of honor. We have a HUGE world of user psychology to overcome before we can get to a place where people are aware and cautious.

      For the moment, "ignorance is an excuse" for the problems they experience. If they actually take control of their own machines and something bad happens, it becomes THEIR OWN fault which is a responsibility they do not want to accept. It is far easier for them to curse and blame the faceless others out there rather than blame themselves for their own lack of interest.

      TL;DR? Users want to blame anyone but themselves when they have problems. If they learn anything, it becomes a burden of responsibility they simply do not want.

    3. Re:people don't seem to mind by Anonymous Coward · · Score: 3, Insightful

      The CAPTCHAs are themed to the article. Slashdot has been doing this for a long time now. People like you keep posting their CAPTCHAs as if it is some humorous and unlikely coincidence that the word has a contextual applicability to the article topic.

      This is on purpose. The system is explicitly designed to do this. Stop acting surprised.

  5. Misread title by Anonymous Coward · · Score: 4, Funny

    When I read the title I understood: "Apple, Microsoft, Google Attacked by Evil Penguins ". I should not have tried to read it again, it completely destroyed the original effect.

  6. Microsoft, Apple and Google by bradgoodman · · Score: 4, Funny

    See no evil, Hear no evil, Speak no Evil

  7. And by ISoldat53 · · Score: 4, Insightful

    Make it easier to remove them.

  8. Google but not Adobe? by Enderandrew · · Score: 3, Informative

    I have Google Chrome and Google Earth installed. I don't have any Google plugins installed in Firefox. So I'm not sure what he is talking about, unless something changed with Google Earth recently.

    Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.

    Microsoft is the worst offender here, where they use Windows Update to push a Firefox .NET Assistant extension, don't ask your permission, and don't allow you to remove it.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:Google but not Adobe? by tokul · · Score: 3, Informative

      Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.

      http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
      http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
      Try to avoid installing Adobe download manager harder.

  9. Re:So because Mozilla's security model is flawed by Lundse · · Score: 5, Insightful

    Yes. It is the other's fault.

    The human body is very easy to puncture with a knife, this does not make slashing open your neighbour OK.
    Cars can drive beyond the speed limit, houses can be broken into, people can be swindled, telephones called by telemarketers, etc. etc.

    None of this makes it OK to do any of these things, and just because Firefox is built around a certain design principle (that it should be easy to modify) does not make it OK for others to modify it against the user's wishes.

    --
    IAIFARSIJDPOOTV - I Am In Fact A Reality Star; I Just Don't Play One On TV
  10. Doomed to failure. by davev2.0 · · Score: 3, Insightful

    This solution requires Mozilla to fix things on their end rather than complaining about big companies doing something Mozilla didn't bother to prevent.

  11. Java has quirks. by Futurepower(R) · · Score: 3, Insightful

    Java has ALWAYS been a badly managed language. Sometimes programs (not web sites) will only run correctly with an old version of Java.

    Those who supply Java programs often have to deliver an entire Java run-time package to make sure their programs will run.

    The quirky management of Java was extremely strong public relations for Sun. Notice that Sun no longer exists.

    1. Re:Java has quirks. by bberens · · Score: 3, Insightful

      I recall the day when Sun released a new patch for Java. Everyone auto-updated and all of a sudden the transparency of labels in our app was broken all over the place. Luckily for us there were only a hand full of people using our app on a Windows desktop OS (most are CE). So rather than going back and redoing the layout for all of our screens we just handed people a functioning JRE. That was an annoying day when a bug was introduced into our app by the platform vendor.

      --
      Check out my lame java blog at www.javachopshop.com