A well-respected Mozilla man has attacked Apple, Google and Microsoft for installing plug-ins without first asking for a web surfer’s permission. Open web advocate Asa Dotzler, who co-founded the Spread Firefox project for the open source browser outfit in 2004, slammed the three tech titans for making sneaky installs of plug- …
...should try using Opera?
Mozilla also guilty of this...
Every 10 minutes Firefox is trying to take over my defaults, despite me saying no at install time.
The clue is in the checkbox
When Firefox starts it asks you if you want to make it the default browser. If you never want to be asked again, just check the "don't ask me again" message and click No. Easy.
How many questions do you ask?
I don't know enough about the items installed by Google and MS, but I understand the role of the iTunes installation. It simply means that clicking a link to an item for sale in the iTunes Store can open iTunes (so the purchased item is automatically installed in your iTunes library etc). Is this unreasonable behaviour? Would the user expect to have to manually open items in iTunes, or manually manage purchased items?
The complaint is that the installer should simply ask first. I understand that - for unexplained reasons - this is important to the author, but does this extend to everyone else? Personally, I hate installers that ask reams of questions. It's bad enough that you're faced with pages of terms & conditions.
Upon installing an application, is it reasonable to think that your average user wants the entire operating system to be aware of it, but that it should be hidden from your browser? I could understand if it potentially harmed the browser or somehow removed functionality, but what should we be afraid of in this instance?
It's not hard to do
Welcome to iPrunes!
This will install iPrunes and these selected features. You can run this again to add/remove these features at a later date, or simply uninstall them from the related applciation
[*] iPrunes (required)
[ ] Windows Explorer/Nautilus/Finder integration (allows media to be opened in iPrunes)
[ ] Firefox plug-in (allows media to be opened in iPrunes)
[ ] Internet Exloder add-on (allows media to be opened in iPrunes)
A question for every single DLL? No. For the atomic add-ons that affect other applications, yes. And, of course, those applications should verify the addition with the user before letting them run.
@Ralph 5 re applications invading other applications
I think you are talking to the wrong audience here - most people to this site actually like to be in control of the monstrosity on/under their desk (well, as much as is possible these days). You are speaking as a "user" as opposed to sysadmin, geek, nerd, power-user, gamer...
Quick check - "Users are Losers". How many know that the phrase was actually used as a catch-phrase in an American anti-drugs campaign, rather than their daily experience?
"Consider for a moment any beauty in the name Ralph." - Frank Zappa.
Itunes is bad enough with windows as it is, the amount of additional crap it installs with no indication.
No I do not want bonjour on my machine!
Nearly every other installer in existence, has a customise button that gives you a list of the components and some tickboxes. you don't want it installed, it doesn't install! Not so for itunes, it installs everything, without even telling you what it is installing, leaving you to puzzle it out and remove it all manually.
Although, surely there must be some internal way of flagging a plugin not installed manually, so that the first time it is loaded, it pops up a message saying this has been installed do you want to allow, disable or remove it.
@How many questions do you ask?
"Personally, I hate installers that ask reams of questions"
And that's why we have an internet infested with malware.
Let me get this straight
THE MOZILLA MAN bashes gogleapplemicrosoft because THE MOZILLA BROWZER allows the stealth install thingie?
Maybe that's what all those organic software fumes do when they get to your brain.
@blainestereo - another "user" I guess
<sigh>When installing an app under Windows, almost all apps request admin privileges. When Admin says do something, a poor little well-behaved application will obey. The Mozilla browser (or Opera, or Chrome, or whatever other software you feel like mentioning) does not get any say in how it gets updated or abused BECAUSE AN ADMIN TOLD IT TO INSTALL THIS PIECE OF CRAP INTO IT (shouty added to try to over-shout original shouty-man above).
So basically I think what you are suggesting is that all open-source software should ignore operating system security measures and settings, and implement their own controls independantly? Please go away and think awhile on how stupid your suggestion is, and rea;ise that the problem is with the application authors who install their stuff over other applications without users' consent.
You haven't got a slightest clue about how the admin privileges work, have you?
Let me enlighten you just a teensy bit.
"Run as Administrator" or whatever doesn't translate to "Suppress all notifications and warnings application might want to throw at you".
Sounds crazy? I know, right?
I'm afraid that all you enlightened me to was your inability to understand my point. When an application runs as administrator, it can do whatever it wants. If it does not *want* to show the user any information or warning, then it won't. Which is exactly the point of concern here - an application running as administrator (almost certainly - but as I have not installed iTunes, I cannot say for certain) took actions which the user did not want without any notification. And that other programs are pretty much defenceless unless they are programmed in a very paranoid fashion. (Which is generally bad for usability.)
Umm, shouldn't FireFox just plain not load 'side-loaded' plugins at all ?
Installing software (including plugins) is just
- Putting files and folders somewhere
- Changing config/registry entries
These are installers running with administrator privileges. Firefox does not have to be running to install them. How exactly do you propose Firefox deny "side-loading" plugins? Whatever hoops you set up can be side-stepped - Firefox being open source it's not exactly difficult for vendors to see what you're doing.
Is he complaining
1) not being asked if the app can include plugins?
2) not being able to selectively install the pugins?
I read his piece and i wasn't sure I understood.
for 1) i presume the defence is the terms and conditions you agreed to when installing the app
2) is more a case of not offering choices during the install.
Not sure myself
I kind of read it as 'I've installed various programmes and they have extras that link to another programme. I'm annoyed as I've interpreted it as an intrusion on Firefox".
The plug-ins came via the other progs not from Mozilla so he's narked.
Did he just go for 'bog-standard installation' or 'expert'?
He's not complaining about MS Office linking itself to everything Windows - though you don't get an option.
Last time I installed Firefox, some junk McAfee security website vetting nonsense appeared by magic, without asking me and without announcing itself. First I saw was when Firefox started declaring which sites it thought were suitable for me to visit.
On the other hand, FF should NOT be activating these plugins if it finds they haven't been installed by the user. What, 20 lines of code to implement this?
How easy would it be for some malware author to use this mechanism to slip a bank-account sniffer into the browser? The percentage of users who wouldn't notice this - or know what to do about it - would probably make it worthwhile.
Surely if FF has a plugin present that wasn't there earlier/last time it was running, it should be flagging up waning messages?
It does do that with addons, not with plug-ins AFAIK.
How do you propose that FF should remember what wasn't there last time? It's not hard, I know, but as soon as you decide on a method, an Evil installer just has to write whatever files or registry settings are necessary to give FF false memories.
And they would. (That's the essence of the Stop Being Evil complaint.)
' “... why did Apple think it was OK to add the iTunes Application Detector plug-in to my Firefox web browser without asking me?” '
He should ask...
“... why did Firefox allow Apple to add the iTunes Application Detector plug-in to my Firefox web browser without asking me?” '
If FF is not protecting the user from random plug-ins, then the fault lies with FF and Mozilla.
“... why did Firefox allow Apple to add the iTunes Application Detector plug-in to my Firefox web browser without asking me?”
Umm, how would Firefox, which may not even running at the time do that? Do you understand how these things work?
itunes installer (running with admin privs) plops a plugin into the FF plugins directory. How exactly is Firefox going to stop that from happening?
The best that FF could hope to achieve is to keep a list of previously installed plugins and warn the user if a new one just appears as if by magic. The plugin will already be there of course, but I suppose the poor befuddled user would get some sort of warning, even if it is after the fact. Then there is the problem that working around this "protection" by rogue installers would be trivially easy by simply adding the new plugin to that list as well.
To foil that FF would then have to encrypt the "list" into a binary file and I can imagine no end of problems that would cause when things go a bit awry. "What do you mean I can't edit the broken part out of the file?"
All in all, I recommend people just stay away from the entire Windows ecosystem. It is fatally polluted with these sorts of borderline malicious corporate produced crapware. It seems that almost every installer I ever run is laden with toolbars, or wants to change your default search, or wants to slip in a nagware version of some crap anti virus (Adobe and Mcafee I'm looking at you).
And most of them, once installed, leave heaps of kruft behind even after you have uninstalled the bastards. Try uninstalling any one of the crappy apps and then do a registry search for its related product keywords. Behold the hundreds of orphaned registry entries that were left behind by the so-called "uninstaller".
In Windows World, 100% vigilance is always required.
I for one am sick of it. I will stick with Linux and open source. Those guys don't try and trick, sneak or cajole their crap onto unsuspecting users. You want it you install it. There is no need to worry about additional crap being hoisted onto your system by stealth. No need to remember to always do an "advanced install" to make sure all the "install extraneous crapware" tick boxes are all unchecked.
Computing with Linux is like computing in the good old days, before the computer industry was overtaking by greed. Windows is a hostile environment with a pretty interface.
Ditch it now and stop being afraid.
FF does not need to be running - it simply has to know which plugins have been explicitly authorised byt the user and which have not. On next start it could say "Plug-in 'iPrunes' has been added by an external piece of software. What do you wish to do?
[ ] Enable
[*] Keep disabled
[ ] Remove
If you did not install this, then it is recommended that you remove the plug-in"
"In Windows World, 100% vigilance is always required."
It's the same on Linux, no OS is immune from an idiot operator with root access. That and apathetic users who think they are secure because they are on "Teh Linuks". Sorry dude, a poorly set-up Linux install can get owned as well.
"Computing with Linux is like computing in the good old days, before the computer industry was overtaking by greed. Windows is a hostile environment with a pretty interface."
This story is nothing to do with Linux and everything to do with bad design by Mozilla (and Apple). An installer on Linux could do the exact same thing just now.
I'd love to ditch Windows!
However - I (and probably everyone else in the Real World who uses Windows) doesn't do so out of choice - we use it because we have no other option, due to apps that are only available under Windows, or have no suitable equivalents under other operating systems.
Buck Stops with Firefox
As a few of the commenters have already pointed out, it is ultimately Firefox's fault in allowing newly installed plugins to be loaded without first informing the user. It should be no different to how Firefox handles updates to existing plugins - i.e., allow the user to enable/disable/remove them before continuing. Plugins installed via Firefox itself would have tacit permission to be loaded, obviously.
Whilst I agree
that a software install should not make any changes to existing software without first requesting permission to do so, Firefox should not allow the install of any plugin through a third party installer.
As Fraser stated, a simple pop up warning that a third party has attempted to install a plugin, with a yes/no option to allow the install or not would suffice.
It should be common knowledge that the likes of Google/MS/Apple et al work on an opt-in as default basis regardless of whether or not the user is aware of what is being installed or what they may be opting in to.
In this instance they are all equally to blame.
The correct behaviuor
The correct behaviour should be to ask the user. Offending programs should ask the user "do you want to install plugin?". Firefox should then ask the users "Do you want me to accept this newly-installed plugin?"
The hard part is that Firefox would then need to remember the decision of the user. And that then the plug-in installing program should simply set the "ok to use" flag in FF configuration by itself, rendering the FF "plugin lock" usless. Unless FF uses some form of complex encryption to store its data. And here we go again, adding complexity to programs because other people do not behave properly. And if an "anti-plugin" defence is required in a browser, I can safely say that such plug-ins are in fact malware, otherwise a defence would not be necessary.
You've not thought this through.
I think I'll try my hand at explaining the problem with the "Firefox should warn the user" theory:
For Firefox to know that a new plugin has been installed it needs a list of the old plugins to compare with the ones found on startup. This list of plugins would have to reside on the PC which iTunes (for example) is being installed on. Therefore iTunes can write to the "installed plugins list" file, or registry key, since it is being installed as admin. This means that Firefox needs to keep a record of the last time it ran and the last time its "installed plugins list" was updated so that it can compare the two to see if it has been altered by another program -- the dates have to be stored somewhere. This means that the "last date ran" and "last plugin update" dates can be written to by the iTunes installer...
Someone mentioned encryption above -- even then you would need to either make it liable to cause false alerts or make it trivial to work around.
You just hilighted...
...a second issue, and this is a Windows failure. Why does a user application ("iTunes" in this case) need admin rights to install? If the install is for "all users" I can see that, but then it should be done by an actual admin who know WTF they are doing.
The "Bonjour" service? Unless that is going to offer all media that any user of that PC has loaded, then is does not need to run as admin - it's an agent of the current user, nothing more.
Re: thinking it through
"Someone mentioned encryption above -- even then you would need to either make it liable to cause false alerts or make it trivial to work around."
The main problem here is that it would be the instance of FF on the machine that did the encryption, which means that the encryption keys are on the machine (or hard-coded in the source) and some Evil installer can read (and use) them just as easily as FF can. Moving the keys off the machine to some Mozilla server doesn't change anything either, because the Evil installer would simply query the server in exactly the same way as FF.
The bottom line is that anyone who /really/ wants to give FF false memories can do so, and once they've encapsulated the method in a function and posted it on the internet, everyone else can easily do likewise.
The Mozilla man was right. The problem is programmers who believe they have greater rights to the machine than the system administrators. Specifically, if the admin allows you to install application X, then there is no implied permission to modify application Y.
Of course, what Windows really needs is some kind of installer service. Instead of running "setup.exe" from some unreliable third party, the administrator would feed a *data file* to a service implemented by MS (who are, like it or not, already trusted since they wrote the OS) which reviews the requested installation, flags up anything out of the ordinary (such as writing within folders or registry keys that already exist and therefore presumably already belong to another application) and gives the sys-admin the final say. Instead, we have MSI. :(
Disable new plugins by default
Firefox could maintain a list of plugins which were the last time it started and a list which are there now. Any discrepancy can be shown to the user for approval / denial. Same could happen for extensions too. The only exemption from this extra step would be for plugins / extensions installed from the browser itself.
How do you propose to do that? Surely, any installer can access the list and alter it. Is this so hard to understand or what? I see a lot of bimbos trying to make this case...
Yes an installer could alter the list
Apple, Google, Microsoft, Adobe or any public company with a reputation to protect would be flayed alive if they purposefully hacked a plugins whitelist to install their own . Chances are that if it happened that Mozilla would even remotely disable the plugin just as they've done in the past.
The whitelist needs only employ moderate safeguards such as a checksum on DLLs, or signing to discourage tampering and that would be sufficient.
Of course a malicious app could inculcate itself into a browser in numerous ways, but that is a different problem altogether.
Re: Yes an installer could alter the list
"Apple, Google, Microsoft, Adobe or any public company with a reputation to protect would be flayed alive if they purposefully hacked a plugins whitelist to install their own ."
Er, the evidence is that they already hack lists of plug-ins and the only man to have tried to flay them alive is the Mozilla chap who is being given a hard time by supposed IT professionals on this forum.
"Of course a malicious app could inculcate itself into a browser in numerous ways, but that is a different problem altogether."
Not in my view. In my view, this is exactly the situation we face. These setup programs make unauthorised alterations to a system and I wouldn't criticise an AV vendor for adding their signatures to a blacklist.
Are they both wrong and does this amount to Computer Misuse?
To me it looks like Google/Microsoft/Apple are wrong in sending 'stealth plugins' - if this is indeed what they are doing *and* it looks like Moz Firefox is wrong to accept/install them without querying it!
However, the interesting question then is if, say, Microsoft do download a stealth update to my computer via this method then are they in breach of the computer Misuse Act (1990) - afterall it means that they modified the contents of my computer without my express permission and while I was using a third-party application, ie. not covered by an M$ EULA.
It would be an interesting one to see argued out in court...
Ideally two things would happen:
1. the website, service or whatever *should* on detection of the need to install a plug-in direct the unwary user to a page that says something along the lines "To use service 'foo' we need to install plug-in 'bar' - click 'ok' to proceed"
2. Moz Firefox should alert and pop-up a message along the lines "Wesbite 'foo' is attempting to install plug-in 'bar' - click 'ok' if you trust this site and want to install this plug-in"
I give up - and I thought people on this site were technical!
OK, to all the morons who think that Firefox (or any other application on your pc for that matter) is at fault for allowing another application to install a plug-in to itself, consider the following:
* This is NOT a drive-by download of a plug-in - it is installed by a software installer.
* Software installers get elevated privileges - for those of you running as users day-to-day, when you try to run one of these installers you get a notice requesting that you give it effectively admin rights (for those running as admin routinely, please go virus-scan your computer now).
* Once an installer gets admin privileges IT CAN DO WHATEVER IT LIKES TO YOUR SYSTEM AND ANY OTHER PROGRAM ON IT. It can wipe the hard-drive completely clean if it feels like. It can change all your clipart to Goatse. It can search your hard drive for anything that looks like a credit card number and mail it to an address in Lagos. It can do whatever it is programmed to do, with very little stopping it at the Windows OS level
* Now, for a piece of software that has just started up, how does it know that a plug-in has been installed sneakily by another app acting as admin, rather than the user choosing to install it? Really, how? Short of having to solve captchas for each add-in (and you can imagine the howls of complaints from users about the user-unfriendliness of that!), how can an application know whether a plug-in has been installed by user, or another application WITH FULL ADMIN RIGHTS installing the plug-in? (Remember, admin can do any action that a user can.)
So please remember - this is not a trivial problem that an open-source team should be able to knock out an answer in 30 lines of code. It is a pretty hefty security problem - and should an application be trying to secure itself from the operating system it is running on?
"Now, for a piece of software that has just started up, how does it know that a plug-in has been installed sneakily by another app acting as admin, rather than the user choosing to install it?"
If the user wishes, they can lock their current plugins with a password. As you stated, this won't prevent admin-level installers adding new plugins. However, if the list of plugins is digitally signed using a key based upon the user's password, then the program can detect changes: upon launch, the signature is re-checked (or hash re-calculated) and if there is a difference, a warning appears (the old list can be determined by the subset of plugins which produce a valid signature/hash).
Since the user's password is not stored on the machine, there is no way for any program (even an admin-level installer) from providing a valid signature/hash for the updated plugin list.
"...Now, for a piece of software that has just started up, how does it know that a plug-in has been installed sneakily by another app acting as admin, rather than the user choosing to install it? Really, how?..."
Presumably there is a directory where the plugins live? In which case, really simply, it could just look to see if any files have been added since last time it was run.
If you want a bit more security round it, the program could store a list of cryptographic hashes of the plugins which have been legitimately installed and that way detect tampering with existing plugins or the list of previously oked plugins.
The problem is that FF doesn't seem to be even trying here.
Which is why I mentioned about user unfriendliness. Yet another password to remember and what for? It doesn't protect anything particularly vital, just an application's configuration against an "overly helpful" other applciation's installer.
Firefox is open-source, so any cryptographic algorithms that it used to hash allowed plugins could simply be copied into the plugin installer. Besides, it's not a problem specific to Firefox. Chrome and Opera use the exact same NPAPI plugins as Firefox, even going as far as looking specifically in "C:\Program Files\Firefox\plugins" for plugins that improperly install themselves.
That would work, you are correct. How many people will this piss off? Why should FF guard itself from other programs? How is this not malware-like behavior?
Who's at fault here?
Relying on the software install to ask nicely before installing plugins is asking for trouble. After all, anything that genuinely has an ulterior motive just ain't going to ask! All you do here is piss off users installing their apps while handing the purvetrators of eviltudiness an easy route in.
The correct way is, of course, to issue a nice: "Application / site / whatever xxx has asked to run plugin yyy, do you want to allow this plugin to run?" message on first invocation.
Now where have I seen that..........?
I've still got the vestigial "disabled" and un-uninstallable remains of the side-loaded dotNet Framework plugin nonsense that MS came out with a while back.
@Circadian: regarding detection - it's certainly not impossible in theory. Even if Firefox isn't running at the time of the installation taking place, it should at least be able give notification that things have changed - a simple hash could accomplish that. Obviously in practise this could be defeated by another program running with elevated privileges. But... sneaky installs are one thing; defeating controls aimed at stopping sneaky installs is quite another. Would vendors want to be caught doing that?
Alternatively, for those plugins that don't provide an uninstall option, Firefox should have a "forcibly remove plugin" facility. The Firefox environment is arguably separate from the OS environment to a certain extent and the user should have the final say on any changes to it if they so wish.
But yeah - bottom line - all the vendors have to do is ask. If the plugin provides functionality, most people will allow it anyway. For a plugin that gives no apparent added value but mysteriously appears unbidden in my plugin list I can only assume it's up to no good, and all this hand-wringing about "too many questions" somehow bamboozling users is just that.
A final note: The FEBE plugin is handy for undoing this kind of skullduggery, although you have to remember to run a backup prior to running any installers.
stfu and modernize your browser
Still no sandboxing? Check. Still slow and bloated? Check. Still having almost as many zero days as IE? Check. Still getting your butt handed to you by WebKit in every way except having a bit more mindshare from 3rd party developers. Check. So nice to see Firefox folks working so hard on improving their browser (was nice back in 2006 or so but today not so much).
No sandboxing? Plugins are sandboxed as of version 3.6.4 on Windows and as of the 4.0 betas on other platforms. Slow and bloated? Only if you load it full of extensions that don't behave well. Full of zero-days? Well, sure on occasion, but they happen with all software. I guess those carpet bomb downloads in Safari and Chrome several versions back don't count? They're not perfect either, and as the user share of WebKit grows, more vulnerabilities will be found, just as they have been in Gecko as it gained a significant market share.
PS: To other users, I realize I neglected discussing Opera/Presto, but I'm simply not familiar with it. I've tried it before and have tried to like it, even using it as my default browser for a few months, but something about it just puts me off. Also, I'd like to point out that I'm typing this post from Chromium, which I do absolutely love, but I use Firefox as well on other systems and respect it.
Thank you and well done. My reply to asdf would have been much less measured.
Perhaps Dotzler may be satisfied if everything could be administrated as a Firefox Extension? Because those certainly don't do anything bad for the experience...
Read all the above with interest.
The only conclusion to draw from the above chaff, is that this issue is Windows OS specific. Therefore the only safe decision to make to avoid all of this non consequential plugin crap, is to switch to a Linux OS variant, which will instantly solve the whole mess, and save the world at the same time.
Or if you really are so concerned about this don't use FF, whichever is easiest. Difficult for some, I know.