Silent add-on Install for Firefox from Microsoft

Discussion in 'other security issues & news' started by bigkatt74, Oct 17, 2009.

Thread Status:
Not open for further replies.
  1. alternety

    alternety Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    37
    Being an infrequent poster, let me restate my uninformed comments.

    noone-particular: Firefox has got to have, at the very least, a usable or implementable mechanism to compare what is loaded between one initialization and another. If there were no mechanism such as this, how did they manage to block a couple of the recent MS apps when they were installed? Likewise, a look every so often has to be possible. It is a program (both FF and MS). Program code can always be altered. I simply cannot accept the statement that it can't be done. And FF was obviously written to allow this without complaint.

    It is not just MS using the approach. Java and Adobe also do it. Anyone apparently could. I see a number of things from MS (Presentation, Genuine Advantage !WTF, Silverlight, and media player). I have no idea why I would want most of those. Also a CAD program I have installed, a couple of things from java, and a couple from Adobe.

    Eice: I am not a FF fanboy. I simply use it for improved features and "security". My problem with MS is not irrational. They are very arrogant and believe themselves as not responsible to the computer user. They show this in many ways. Examples are not fixing known exploits in a timely fashion and hiding things about their updates from the user.

    While the OS is licensed not owned (although there have been some recent interesting court rulings regarding this particular rationale), they do not own the computer or any of the physical components, nor do they have some magic higher level license prerogative or permission to alter, as they choose, other software licensed or owned by the owner of the PC. This is reality. Nor may they be allowed to alter the performance of a PC to satisfy their wishes.

    We both concur that this must be stopped. Mozilla can fix FF. The issue with MS is, as you said, a much wider problem.
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That file has nothing to do with the silently installed .NET plugins this thread is about, though.
     
  3. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,668
    Location:
    Philippines
    It's my opinion that MS is to blame for this, not Mozilla. With Firefox 3.5.3 (can't vouch for earlier versions), I decided to test what happens when installing .NET Framework 3.5.

    In a VM I have Windows XP SP3 running. This install is basically a clean install with updates and a couple of Windows programs I like. None of the optional updates are installed; this includes .NET Framework.

    What I did was download and install Fx 3.5.3. Then went into WU and selected the .NET 3.5 SP1 update, downloaded and installed it. Once that was finished, I ran Fx and it presented an Add-ons window that clearly shows the Add-on was detected and that the blocklisted extension is disabled. There is no way for Fx to stop an install of an Add-on when it is not running, but it does detect on start up.

    [IMG]

    All of that said, the above image states "1 new add-on has been installed"; that is not a true statement, in fact two add-ons were installed. The above is an extension, the other is a plugin as shown below. Since the plugin is no longer on the blocklist, it is installed, without any notification.

    [IMG]

    Mozilla needs to come up with a way to notify for all new Add-ons, at the moment apparently notification only takes place with extensions. I notice this same behavior using Fx in Slackware. Notification for extensions, no notification for plugins.
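
The gap described in the post above (extensions announced at start-up, plugins not) can be covered outside the browser by baselining both add-on locations and diffing them on each run. The sketch below is an added example, not part of the original post and not Mozilla's code; the two directories, the file names and the `demo()` scenario are constructed placeholders, and real Firefox add-on locations are not modelled.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(entry: Path) -> str:
    """SHA-256 over a file, or over every file under a directory (sorted)."""
    h = hashlib.sha256()
    files = [entry] if entry.is_file() else sorted(p for p in entry.rglob("*") if p.is_file())
    for f in files:
        h.update(f.relative_to(entry.parent).as_posix().encode())
        h.update(f.read_bytes())
    return h.hexdigest()

def snapshot(roots: dict) -> dict:
    """roots maps an add-on kind ('extension', 'plugin') to a directory."""
    snap = {}
    for kind, root in roots.items():
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            snap[f"{kind}:{entry.name}"] = fingerprint(entry)
    return snap

def diff(old: dict, new: dict) -> dict:
    """Report entries that appeared, disappeared, or changed content."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in new if k in old and new[k] != old[k]),
    }

def demo() -> dict:
    """Constructed scenario: an installer drops one extension and one plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = {"extension": Path(tmp, "extensions"), "plugin": Path(tmp, "plugins")}
        for r in roots.values():
            r.mkdir()
        (roots["plugin"] / "existing-plugin.dll").write_bytes(b"v1")
        baseline = snapshot(roots)
        # Simulated out-of-band install while the browser is not running.
        ext = roots["extension"] / "example-extension@vendor.invalid"
        ext.mkdir()
        (ext / "install.rdf").write_text("<RDF/>")
        (roots["plugin"] / "example-plugin.dll").write_bytes(b"new")
        (roots["plugin"] / "existing-plugin.dll").write_bytes(b"v2")
        return diff(baseline, snapshot(roots))

if __name__ == "__main__":
    for change, keys in demo().items():
        print(change, keys)
```

Because plugins and extensions are keyed by kind, a newly dropped plugin shows up in the same report as a new extension, and a silently replaced plugin file appears under "changed".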
     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, I too certainly think Firefox would do well to inform users when new plugins and extensions have been installed. But that I find to be a separate issue from this case of MS installing their stuff as a Firefox plugin. Of course, MS isn't the only one who does this: when you install Adobe Flash or Reader, it will install plugins without asking for whatever browser it can get its hands on.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    It does. Every time the browser is started and a new one is found, you get the alert. What else do you want? Compare that to any other browser and see how much friendlier this is than anything else, by three orders of magnitude.

    Here's an example:
    http://www.dedoimedo.com/images/computers_new_2/mozilla-security-dotnet.png

    Besides, you need to explicitly approve non-whitelisted installs of add-ons, so I don't see what the problem is here.

    Mrk
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That looks like a nice feature. As far as informing the user about installed plugins, I certainly wouldn't want much more than a warning prompt like that.

    But some complaints seem to indicate, though, that some users who got these .NET plugins installed never saw any alerts from Firefox about them. I don't know what to think about that. Perhaps they did get an alert but somehow missed it or forgot it, or perhaps they didn't get an alert for some unknown reason. Beats me, as they say.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    99% of computer users don't see much or care what they do and then they complain their systems are this or that. No one forces anyone to install the .NET thingie. It's click to install, the typical PBKAC thingie.
    Mrk
     
  8. alternety

    alternety Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    37
    If I am understanding what was said correctly, FF does not announce the plugin was installed. You have to go look. Who looks?

    A bigger (or smaller, depending on your perspective) issue is not knowing what the addons or plugins actually do. Do they need to be there or are they just "nice"? Or are they a bad performance choice like the java starter?

    Again, this is from the perspective of someone who is not a FF hobbyist. Just wants to browse. Think your aged mother, or my brother (who someday may set himself on fire with his PC given his level of understanding).
     
  9. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Even IF it weren't Mozilla's fault, it certainly is their problem. And pushing the blame onto the user doesn't solve the problem.
     
  10. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.

    But it is a Microsoft DRM plugin.
    And that makes it relevant to the topic.
     


  11. wat0114

    wat0114 Guest

    I agree fully. This is not about the end user installing, willy nilly, some questionable software from a warez site; it's about them installing a Microsoft update! How can the general end user be blamed for installing it, especially when it's recommended?? Try scanning your machine with the highly trusted and highly recommended Secunia Personal Software Inspector, and if your .NET is out of date, it will alert you to the fact and recommend installing the latest version!
     
  12. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Well then people shouldn't bother with complicated stuff like dedoimedo.com, stick with their Windows and do as Microsoft tells them, shouldn't they, Mark?
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    I fail to understand the last point or its relevance to the subject at hand ... But if I get it right, people should do what they feel is best for them, including going to site X or Y. You cannot blame software for decisions you make. If people do not trust .NET stuff, they should not install it. Very simple. The big issue here is that people have trust in software companies and it's shaken, which makes a lot of people angry, not the actual software changes, since most people really do not understand most of it ...

    And on a side note, me not Mark.

    Mrk
     
  14. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    You... and about 43 MILLION other people.

    http://mediacoder.sourceforge.net/

    Lovely. WTF does a transcoder app need net access each time it runs?
    It shouldn't, but it does... by design.

    This app is an example. Certainly there are other apps which are "guilty" of installing the vulnerable WPF component(s)... but, given the size of its installed userbase, MediaCoder is a HUGE example.

    The author's install deposits a private/extra copy of (vulnerable version of) WPF to a subdirectory of its install directory. A MS-pushed O/S patch won't find/update this private copy, and FF disabling its copy of the WPF addon hasn't rendered MediaCoder inoperable.

    Free as in beer... or free, as in, 43 million vulnerable installs (each of which launches a DawtNet WEBSERVER upon startup, by the way) silently awaiting their next "automatic upYOURSdate" instructions o_O

    Naw, I'm just paranoid. It's not like the dev bundles the "free" app with grayware (OpenCandy) or offers to upsell users to a paid codec (hacked version of the OSS ffmpeg library)... but yeah, it's like that. He has done both.
     