Firefox blocks and backtracks on 'insecure' MS add-ons

Mozilla disabled two Microsoft-developed Firefox add-ons over the weekend after deciding the applications posed a security risk. It has since revised its safety assessment and set about removing the plugins from its blacklist. The Microsoft Framework 1.1 Assistant FireFox extension and Microsoft Windows Presentation Foundation …

COMMENTS

This topic is closed for new posts.
  1. TeeCee Gold badge
    Gates Horns

    Oopsie!

    "...it subsequently emerged that.........poses no threat to Firefox users....."

    Less fox and more "WWWOOOOOLLLLLLLLLFFFFFFFFF!!!!!!!!!!" then.

    What makes me laugh here is that the IE version needs patching for security and the FF version, er, doesn't. Looks like even MS take more care when writing for FF, even if they think they don't. I'd love to have seen the expressions on their faces when they got around to testing for the vuln in the FF offering and found it wasn't there.

  2. abigsmurf
    Gates Halo

    Doesn't look good for Mozilla

    I've never once seen that "your add on has been blocked" message and I've plenty of add ons which at some point or other had vulnerabilities but an MS add on has a vulnerability that was patched quickly but still resulted in a scary blacklist notice that non-techies won't understand for pretty much every user? Not only that, it's turned out it was a false alarm?

    If MS remotely blocked someone else's software in this manner, people would be screaming bloody murder.

  3. Anonymous Coward
    Anonymous Coward

    Can they block ALL of MS?

    Just askin'

  4. Anonymous Coward
    Gates Horns

    No threat?

    The Framework Assistant is a threat to any desktop administrator by its very existence AFAIC, since its raison d'etre appears to be to allow installing of the odious "Click'n'Run" apps (e.g. ... er ... Google Chrome). Users able to install their own apps? Yeah, love that.

    (PS - before you chip in, CNR wouldn't be permitted to install anything on the boxen I manage anyway, but the failed attempts can cause a fair amount of mess in themselves.)

  5. Anonymous Coward
    Gates Horns

    @Doesn't look good for Mozilla

    Hang on... so I got two MS add-ons installed without my explicit consent (without even being told about it).

    Then it seems that their IE approach to security was present in my forced add-ons. As it turns out FF is better coded so it was not so vulnerable, but took steps to block the suspicious apps anyway.

    Aside from wanting Mozilla to make it so MS cannot install their cr*p in non-MS products, I think Mozilla were the only ones looking out for me, the user!!!

    So how on earth is this anything other than MS messing with OTHER PEOPLES software (FF) and then making a mess of it.

    If it is any consolation I take an equally dim view of Apple pushing Safari as some kind of update to iTunes.

  6. Captain Underpants

    You appear to be confused about who did something sneaky and stupid to begin with...

    @abigsmurf

    I'll be honest, I'd much prefer Mozilla react in this way to *any* software/OS developer who, in the process of patching their own product, forcibly installs (without giving the user any warning or choice in the matter) an unwanted/unnecessary "addon" to a product installed by the user.

    Maybe MS will learn something about how not to install plugins for other vendors' products as a result of this. I doubt it though...

  7. Anonymous Coward
    FAIL

    Invalid SSL certificate

    When the pop-up appears, there's a link on that page to see More Info. Clicking on that link leads to a page with an invalid SSL certificate, prompting firefox to complain bitterly.

    Joined up thinking, eh?

  8. This post has been deleted by its author

  9. Antony Riley
    Gates Horns

    What they should have done...

    Is blacklist the plugins Microsoft installed via an operating system update from day zero.

    If Microsoft want to provide Firefox plugins, they are quite capable of managing to do it the same way everyone else has to.

  10. Anonymous Coward
    Anonymous Coward

    Re: Doesn't look good for Mozilla

    > If MS remotely blocked someone else's software in this manner, people would be screaming bloody murder.

    If you read the story you will discover that this was done with MS agreement.

    If MS disabled another vendor's software WITH their agreement then there would be nothing to scream about. If they do it WITHOUT then there would be something to scream about.

  11. Richard Hewitt
    FAIL

    Great in theory...

    ... but rather ruined by the fact that the certificate was invalid on the page that was meant to explain the blocking.

  12. druck Silver badge
    WTF?

    WTF

    Why is Microsoft installing any plug-ins for the browser which I have chosen specifically because it is not written by Microsoft?

  13. abigsmurf

    @Captain Underpants & Jeremy

    Microsoft aren't the first people to secretly install add-ons to Firefox (and other browsers) but they are the first non-malware developers I've seen who have been blacklisted like this.

    Not to mention everyone is glossing over this simple fact: Firefox has a kill switch in it. Why is this not a big deal to anyone? You're almost certainly able to turn it off but buggered if I know how. I didn't even know firefox had the capability to remotely deactivate plugins.

  14. Ed Blackshaw Silver badge

    Does anyone know

    What these plugins are actually supposed to do? '.Net Assistant' sounds pretty vague, and I'm not sure how WPF is supposed to interact with FireFox in the first place?

    Also, as pointed out by several posters above, these addons are installed without the user's knowledge or consent. If this was from someone other than MS, wouldn't we all be yelling 'Trojan'?

    What worries me, is that there is a mechanism within FF to allow the installation of third party plugins without the user's interaction in the first place. The plugins that I have installed myself (The obligatory NoScript and AdBlock, and the handy Web of Trust), I have done through the 'Tools-> Add Ons' option in the menu.

  15. Ralph Jolly
    WTF?

    But why didn't FF warn me after the install?

    I agree with Mozilla's actions here but why didn't FireFox warn me that a plugin was installed without my specific consent? Surely installing things silently is how a lot of malware ends up on people's machines, and therefore some mitigation can be had through warning users that the configuration has changed through non-action of the user.

  16. Anonymous Coward
    WTF?

    Blast Microsoft

    They should not be installing ANYTHING on my Firefox without my knowledge. Only MALWARE does that!!!!!

  17. Rod MacLean
    Alert

    RE: But why didn't FF warn me after the install?

    Ralph Jolly wrote: "But why didn't FF warn me after the install?"

    Because FF didn't know that MS had put it there. In the same way that if I had unfettered access to your machine, you might not know what files I had put there unless you were tracking me. (It's no surprise that FF does NOT track MS installer programs lol)

    Even if they detected the plug in as being present and active, there is probably no way to determine if the user chose to install a particular plug in or if the beast of Redmond sneaked in under the fence and left one there.

  18. Charles 9

    @Ralph Jolly

    Uh, it normally does. When a new plugin is installed, by your hand or whatever, when you next open Firefox it opens up the Add-Ins window and points out that new addons have been installed. Turns out in my case, though, that the addins came at the same time as the blacklisting.

  19. Anonymous Coward
    Anonymous Coward

    Given what the MS Framework Assistant is designed to do

    I'd rather MS didn't try to add this at all, let alone add it silently and without my permission.

    If I did this to someone else's computer, I'd probably be breaking the law.

    DO NOT WANT.

  20. Anonymous Coward
    Troll

    Plugins = FAIL?

    The FF "Plugins FTW" fanbois would appear to have egg on their faces! Looks like Mozilla are experiencing the same thing as any large vendor whose software runs stuff from external vendors: their f**kups break your system.

    Ah, well - the plugin-lite function-heavy Opera soldiers on.....

    Troll, because sometimes it's just too easy..... (hmm, Paris would work here too!)

  21. Jeremy 2
    Stop

    I don't care what Mozilla and Microsoft say...

    ...those two plugins have long been disabled and remain so on my computer until such time as I understand what the hell MS think I'm supposed to need them for and what exactly they do.

    Microsoft isn't the only company to surreptitiously add stuff to Firefox. If you've installed Picasa or other Google stuff, you'll find Mountain View's dirty footprints all over your add-ons list as well.

    Oh, and Ralph Jolly, Firefox does tell you when a new add-on appears, be it by fair means or foul. A box pops up when you next launch the browser to inform you that add-on/extension X has been installed.

  22. Captain Underpants

    @ abigsmurf

    To be honest, I see this as a step in the right direction. The plug in wasn't installed via any channel I'd expect it to be, and was specifically set up at the time of being rolled out such that registry editing was needed to remove it. Those are not the actions of someone who wants to offer you the choice of expanding the functionality of a tool (made by someone else) that you use, and Mozilla's response in this regard is correct. It should have come far sooner, but then again I can't exactly demand an SLA since I'm not paying for the product or a support agreement - thus I will take what is offered, with thanks.

    In terms of the killswitching - and? It's a free-of-charge web browser. Nobody's making you use it, and I would imagine you're not paying for either the browser or the package. If you as an individual or an agent of a company are allowing yourself to be completely dependent on not only such a package but an add-on within the package whose nature or method of distribution is such that it may suddenly and with no notice be blacklisted such that you cannot work, then the first question to ask is not about Mozilla's strategy, but about your own business continuity provisions.

    If it were a product that predominantly works off-line and had a rich market of commercially developed and supported addons (along the lines of the Acrobat plugins for office, say) and this were the case, then I'd be angry. But a web-based product having a remote killswitch used, as far as we can tell, to prevent the continued presence of unauthorised add-ons? I don't really see the threat, tbh...

  23. TRoss

    @Ralph Jolly

    AFAICT, this was the .NET Framework 3.5 SP1 issued May 12, and I suspect it popped up as a Windows Update alert.

    If you're like me, you looked at the updates, checked El Reg to see if anyone was screaming about how it installed something unwanted like the Infinite Reboot Loop feature MS rolls out from time to time, and seeing no reason to be concerned you installed the update. Which required your consent.

  24. Anonymous Coward
    FAIL

    "not be installing ANYTHING on my Firefox without my knowledge."

    Indeed. I got these warnings this weekend.

    Last week I spotted some interesting looking content on a website the other day. For argument's sake, suppose it was Joe Zawinul videos on ClassicalTV.

    It wanted Silverlight. I didn't want Silverlight but it seemed non negotiable so I had little option. Silverlight didn't tell me what it was installing.

    Even after installing Silverlight it still didn't work in FF ("access denied") but behaved better in IE; sufficiently better to allow me to find that half the stuff claiming to be JZ wasn't actually the content as described.

    Meanwhile, these folks (Microsoft, ClassicalTV) expect people to *pay* for their "premium" service?

    Software I don't want, and content I do want not being delivered?

  25. Anonymous Coward
    Pirate

    This is why I love FireFox

    The people have a sense of what security is, unlike Microsoft. I expect their undertaking with DARPA and Lockheed to end in tears!

  26. Al Jones

    A little knowledge is a terrible thing....

    I just had a look at the list of plugins in my Firefox install.

    Adobe Acrobat - I was never asked for permission.

    Google Earth Plugin - I don't remember being asked for permission, but it's possible that I was.

    Google Update - definitely I wasn't asked, because I would have said no.

    Java Development Toolkit - definitely wasn't asked.

    Java Platform SE 6 - definitely wasn't asked.

    Novell iPrint plugin - definitely wasn't asked.

    I'm pretty sure that I don't need the Google plugins - especially the Updater, and I know that I don't need the Adobe plugin, but at least one of the java plugins makes sense - after all, the only reason that I installed Java at all was because I need it for some web based apps (thankfully a vanishingly small subset, maybe I should uninstall it completely and see if I can get away without using it now).

    So it's pretty obvious that Microsoft didn't do anything "devious or underhand" with their deployment of the .Net framework plugin - it's standard industry practice to configure the necessary plugins in the users browsers, so that the browser will work as a platform for whatever it is that the plugin supports. By consenting to the installation of the parent application, you consent to the installation of the necessary enabling plugins.

    The only thing that is clear from this whole fiasco is that Mozilla's blocking "feature" is fundamentally broken - it disabled the plugin on systems that had already been patched against the vulnerability. The difficulty of managing Firefox in a corporate environment is already a big problem - this sort of behaviour is not likely to win them many friends in that space.

  27. Andy Cadley
    Paris Hilton

    @druck

    Microsoft installed the plugins because *you* have decided to have the .NET Framework installed and some of the .NET Framework functionality was broken unless you had IE as your default browser. Since *you* didn't want IE as your default browser, Microsoft provided an alternative mechanism which fixes the broken behaviour: i.e. it included some Firefox plugins as part of .NET.

  28. Number6

    Consent

    Given that it was installed without my consent and was not trivial to remove, I'm glad that the Mozilla people turfed it out for me. I am very picky about what I allow to interfere with my browser, given that I use it for sensitive stuff like banking, and would prefer not to have stuff like that foisted upon me. The saving grace in this instance is that I don't think it was installed on my Linux machine, and I don't use Windows for on-line banking or buying stuff.

  29. Anonymous Coward
    Flame

    Firefox status went down a peg in my view

    If they wanted to do anything about MS Plug in - it should have been done when it came out

    If they find something is unstable - then they should give me the choice, not unilaterally impose it - otherwise I can only assume they want to become the same as MS.

    And they need to give me the options to see things, even when they foobar their certificates

    to be honest I couldn't care about the plugin - but I need the option to override

  30. kevinaj

    auto-update off?

    What I'd like to know is why if I uncheck all of the automatic update checkboxes, can Mozilla still disable my extensions? Where is the checkbox to tell firefox not to communicate with ANYONE, Mozilla included?

    BTW: I also hate add-ons that I don't install, but that's a topic for another day.

  31. John Sanders
    FAIL

    Why the heck....

    Does mozilla allow plugins/extensions to be installed in a way that can not be removed from Firefox itself!

    Yes, the sneaky part I can understand: if your eyes do not see it, there's no questioning or complaining...

    However, I saw the plugins/extensions from MS after rebooting the box; FF warned me, but the remove button is disabled! Why!?

  32. Anonymous Coward
    Flame

    Here's where Mozilla is in the wrong....

    I have been following this saga on the bug log (and I would suggest those who wish to comment on this topic should read that thread first). What follows is a combination of fact and my interpretation.

    Mozilla, after discovering a POTENTIAL problem, discussed possible fixes with Microsoft.

    After some discussion, MS said "yeah, if you can disable it, just disable it". Mozilla proceeded down that path.

    Lost in all this, until enough people started screaming, was the fact that a subset of Mozilla's user base was going to suffer serious impact as a result of this fix. That is, some businesses had built internal applications using some of this functionality, AND THOSE INTERNAL APPLICATIONS WERE FAILING!

    I sent an email in the midst of this fiasco to Mozilla pointing out that perhaps Microsoft had little reason to care about fallout from the fix on a competitor's product, and maybe Mozilla should.

    This fix, as originally conceived, was overkill. It broke functioning applications in the face of only a potential threat, without allowing individual businesses to decide what course THEY wanted to take.

    I can tell you, you are not going to convince corporations to switch from IE to FF if FF support takes the position it can kill functioning applications whenever it feels like it.

  33. Pablo
    Thumb Down

    1984?

    Sounds like Firefox itself is insecure if Mozilla was able to do that. I don't want anybody tampering with my software. That's all too much like what Amazon did.

  34. Reg Sim
    Grenade

    I spotted the block'ed and disabled notice...

    And I will not be reapplying them.

    I am annoyed that they were not disabled right at the beginning by Mozilla, because they did not give the user the opportunity to say 'oik off'.

    I am not saying the plugins are good or bad, just that regardless of security issues, I would want them disabled by default.

    < hand grenade for companies that slap crap onto my PC without me giving yah or naw.

  35. SilverWave
    Linux

    Blocklist MS - Move to a trusted OS

    nuke the [OS] from orbit. it's the only way to be sure.

  36. Steen Hive
    FAIL

    Plugins

    Listen folks. *Any* executable that you run on your machine that has write access to the relevant registry area (that'll be most installers, then) can surreptitiously or otherwise install an NPAPI plugin in FF and pretty much do what it likes.

    Unfortunately one of our projects has to rely on this behavior to deliver a 3rd party game engine since Mozilla removed all ways of delivering an executable installer payload in a proper xpi plugin. Clunky as hell.

  37. Big-nosed Pengie
    Linux

    Simple answer

    Never let anything branded "Microsoft" near your PC.

  38. Anonymous Coward
    Anonymous Coward

    @Rod MacLean

    ""Ralph Jolly wrote: "But why didn't FF warn me after the install?"

    Because FF didn' t know that MS had put it there."

    What?! Do you really believe that Firefox doesn't know what plugins it is running? How could that even be possible? When FF loads it has to load the plugins etc. In order to load them it has to know they are there (well, duh!).

    What concerns me is that there isn't a simple mechanism built into Firefox to protect against this sort of behaviour. Had I designed it there would be a simple popup when FF loads saying "The following plugins have been installed since you last loaded Firefox. If you did not ask for these plugins click here to disable them." Since many users would consider this intrusive (because they are gits) there could be a simple "Don't warn me about this in future" checkbox.

    The very fact that any installer can add stuff onto Firefox gives the lie to Mozilla's claim that their browser is inherently secure.
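The two posts above (Steen Hive's point that any installer with registry write access can register a plugin, and the "what appeared since last launch" prompt proposed in the post just above) describe a detection that an administrator can run for themselves. The script below is an added example written for this page; it is not Mozilla's code or anything from the original thread. It assumes the standard Windows registration locations for NPAPI plugins (`SOFTWARE\MozillaPlugins`) and for installer-deployed extensions (`SOFTWARE\Mozilla\Firefox\Extensions`) under HKLM and HKCU; the baseline file name is made up for the example. It records a baseline of what is registered, and on later runs lists any registration that was not in the baseline, which is exactly the case where something arrived through an installer or Windows Update rather than through Tools -> Add-ons.

```powershell
# Added example (not from the thread): snapshot Firefox plugin/extension
# registrations in the Windows registry and report entries absent from an
# earlier baseline.
# Assumed locations: NPAPI plugins under ...\MozillaPlugins (one subkey per
# plugin with a 'Path' value); extensions under ...\Mozilla\Firefox\Extensions
# (one value per extension id, data = install path). Adjust if yours differ.

$RegistrationKeys = @(
    'HKLM:\SOFTWARE\MozillaPlugins',
    'HKLM:\SOFTWARE\WOW6432Node\MozillaPlugins',
    'HKCU:\SOFTWARE\MozillaPlugins',
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

function Get-FirefoxRegistrations {
    # One object per registration: where it lives, its id, and the path it points to.
    foreach ($key in $RegistrationKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        # Extensions-style keys: each value name is an extension id.
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Id = $name; Path = $item.GetValue($name) }
        }
        # MozillaPlugins-style keys: each subkey is a plugin with a 'Path' value.
        foreach ($sub in Get-ChildItem $key -ErrorAction SilentlyContinue) {
            [pscustomobject]@{
                Key  = $key
                Id   = $sub.PSChildName
                Path = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).Path
            }
        }
    }
}

function Save-Baseline([string]$Path) {
    @(Get-FirefoxRegistrations) | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-WithBaseline([string]$Path) {
    # Anything registered now but missing from the baseline is reported as NEW.
    $baseline = @(Get-Content $Path -Raw | ConvertFrom-Json)
    $known = @{}
    foreach ($b in $baseline) { $known["$($b.Key)|$($b.Id)"] = $true }
    foreach ($c in @(Get-FirefoxRegistrations)) {
        if (-not $known.ContainsKey("$($c.Key)|$($c.Id)")) {
            [pscustomobject]@{ Status = 'NEW'; Key = $c.Key; Id = $c.Id; Path = $c.Path }
        }
    }
}

# Usage: first run writes the baseline; later runs (e.g. after Windows Update)
# list registrations that appeared since. File name is a made-up example.
$Baseline = Join-Path $env:USERPROFILE 'firefox-registrations-baseline.json'
if (-not (Test-Path $Baseline)) {
    Save-Baseline $Baseline
    Write-Host "Baseline written to $Baseline"
} else {
    $new = @(Compare-WithBaseline $Baseline)
    if ($new.Count -eq 0) { Write-Host 'No new Firefox plugin/extension registrations.' }
    else { $new | Format-Table -AutoSize }
}
```

Because the comparison is keyed on registry location plus id, an entry that was merely re-pointed to a new path is not flagged; extend the key with the path if you want that case reported too. Reading these keys needs no elevation, so the check can run from a normal user session or a logon script.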

  39. Anonymous Coward
    Anonymous Coward

    @Andy Cadley

    Quote: Microsoft installed the plugins because *you* have decided to have the .NET Framework

    Possibly, but many, many users of Vista "HAD" to install it simply to get SP2 offered in windows update as it simply refused to offer it until EVERY update important or not was installed.

    How's about that for crap behaviour?

  40. kain preacher

    Why Mozilla is wrong

    I need one of those plug-ins for work. Mozilla disabled it and now I can't re-enable it.

  41. apexwm
    Jobs Horns

    Microsoft should be embarrassed

    Microsoft should be embarrassed that somebody else had to come along and fix their work. What's even more disconcerting about the whole thing is that Microsoft never prompted to install their plugins for Firefox, they just installed via MS Update.

    Personally, I use Firefox on Linux, so I don't need to worry about all of this extra garbage being installed unless I want it. With Linux I have the freedom to install what I want, not what somebody else wants.

    http://members.apex-internet.com/sa/windowslinux
