Silent add-on Install for Firefox from Microsoft

Discussion in 'other security issues & news' started by bigkatt74, Oct 17, 2009.

Thread Status:
Not open for further replies.
  1. bigkatt74

    bigkatt74 Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    11
    Location:
    Illinois
    This is a nice article. I had this add-on installed and didn't even know it. Firefox can be exploited with a drive by download with this Microsoft add-on that is silently installed in Firefox. I also had two Microsoft DRM Plug-ins I didn't know about. Inside firefox, click tools (up at the top), then click add-ons, also check the plug-ins tab. Here is one article. There are many more surfacing.

    http://www.osnews.com/story/22358/Silent_Install_Firefox_Plugin_Backfires_on_Microsoft


    ---BigKat---
     
    Last edited: Oct 17, 2009
  2. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    It does indeed!
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    I don't have the WPF thingie ... any idea how it got there, on your machines?
    Mrk
     
  4. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    If your don't have ,NET Framework installed or have not updated beyond 3.0 it will not be installed. In my case no .NET Framework installed on my Windows XP VM running on Slackware64 13.0. At one time I did have it and after updating to 3.5 noticed that new extension in Fx. No more .NET now as I have nothing installed that needs it.
     
  5. bigkatt74

    bigkatt74 Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    11
    Location:
    Illinois
    I have no idea. I also think "chrisretusn" is right and that its automatically installed with the latest version of the .Net Framework or an update/patch to an older version. I have no evidence of this yet. I might need some help from other forum members on this one. Hopefully another article will surface soon with the answer.

    I am just about through with MS completely {insert several curse words} over this finding. Fedora and/or OpenSuse installations are coming to all my machines very soon. Are they trying to turn FF into IE by making it vulnerable to drive by installations with a sort of "active X" add-on to a "non active X browser"? This is about as bad as when I passed Windows Genuine Advantage with IE under WINE. I laughed when Linux passed WGA. I am not laughing anymore.

    ---BigKat---
     
    Last edited: Oct 17, 2009
  6. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    *cough*

    Let's just say that when it comes to being vulnerable to drive-by installations, Firefox needs no help from anyone.
     
  7. bigkatt74

    bigkatt74 Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    11
    Location:
    Illinois
    Good call. I should have said "more vulnerable" (LOL). Its hard to post right now without me flaming Microsoft. Can't seem to think straight when this sort of thing happens.

    ---BigKat---
     
  8. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    If you wish to remove this plugin, add the following to a text document then save as type 'All Files' and name it something like RemoveWPF_Plugin.reg

    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"=-
    ...or you can simply disable it from the Add-ons>Plugins tab.
     
  9. bigkatt74

    bigkatt74 Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    11
    Location:
    Illinois
    Thank you. I wanted this cut out.
     
  10. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    At least you recognize the urge for what it is. Plenty of other people would've gladly continued to flame on without bothering to engage their brains.

    At any rate, though, I personally fail to see this as a big brouhaha on Microsoft's part. There have been plenty of plugins with security vulnerabilities in the past, from other companies like Adobe and Sun. Firefox itself, in particular, comes with a handful of critical flaws every few months and allows silent installation of plugins, and I don't understand why Microsoft invariably cut all the flak while Mozilla gets off scot-free.
     
  11. bigkatt74

    bigkatt74 Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    11
    Location:
    Illinois
    I used google to search for these plug-in objects. You will get many hits. Looks like others play this silent plug-in installation game too. No Uninstall, just a disable button. I will remove these later, I just wanted to show some of you what else gets silently installed.
     

    Attached Files:

    Last edited: Oct 17, 2009
  12. razz

    razz Registered Member

    Joined:
    Jun 18, 2009
    Posts:
    7
    Does anyone know what Microsoft figures that the two "DRM" plugins are needed for?
     
  13. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    62
    I was dealing with this exact issue yesterday. Firefox warned me that Microsoft.NET Framework Assisstant (MFA) and WPF were insecure and needed to be uninstalled. Funny thing is, I uninstalled MFA the first time it came out rather easily, but this second time I had to follow Microsoft's article here but was unable to delete the DotNetAssisstantExtension folder even as an admin (using Win 7 32-bit). I ended up turning off Microsoft.NET Framework in Windows Features and that just deleted the 3.5 folder entirely. It was a big PITA to figure out though.

    I wonder when this junk was installed though since I've been running Firefox sandboxed for only a few weeks. I also have Comodo D+ running so I either gave Firefox too many rights or did not understand one of the pop-ups.

    EDIT: Weird thing, I also had two Microsoft DRM plugins but after going to about:config and about:plugins to see where they are located, they were not listed in about:plugins and were no longer listed in my plugins window.
     
    Last edited: Oct 17, 2009
  14. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,919
    Location:
    U.S.A.
    FYI. This topic is not new. It was first discussed here: Microsoft Updates Firefox? (Feb 2009) and here: Microsoft invades firefox (Jun 09).

    It seems that the recent .NET fixes during Patch Tuesday has made this issue reappear. Review those 2 threads for removal instructions, should you wish to do so.
     
  15. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    i don't have .net framework installed.
    i download and run an opera beta version like 5 dayas ago...uninstalled after 1 day..
    and bow i see a have a DRM folder in all users.
    and network service folders in documents and settings.
    don't know if this is relate to the newest opera beta release?
     
  16. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    http://shaver.off.net/diary/2009/10...ant-blocked-to-disarm-security-vulnerability/

    http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx
     
  17. Ade 1

    Ade 1 Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    471
    Location:
    In The Bath
    Just before reading this thread, a message came up from Firefox saying that the following add-ons cause instability and/or security issues and it listed Windows Presentation Foundation and .NET assistant. Underneath it said that Firefox had automatically blocked them from running and required a restart to finish.

    Never seen that before and was kind of a strange coincidence that I got that message literally minutes before I saw this thread. Also, been running Firefox since as far back as I can remember so strange to only get that message now!
     
  18. Dr payne

    Dr payne Guest

    Same thing here. Firefox is history here.
     
  19. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    Microsoft should not be installing this to Firefox on the blind as it is doing. That said, Firefox should not allow any extension, plug-in to be installed with out getting your approval first. Since it appears that Fx is notifying you of this (Ade 1's post and your agreement with it), why dump firefox?
     
  20. Basic

    Basic Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    102
    +1 here.

    This thread answered my confusion. It is unfortunate that it has come to this. So am I going to have to check daily just to make sure no unauthorized plug-ins have been installed? Serious bummer!

    I would have thought that Firefox would have alerted to the fact that a plug-in was being installed. I should have had a choice in the matter.

    Firefox has been my preferred browser for years so I can't say I will stop using it. My faith in my choice of browser has been shaken though. Guess I will have to start researching and testing other browsers now.

    The only thing I want installed on my PC is what I install on it!

    No software vendor be they Microsoft, Firefox, or whoever should have the right to take that choice away. It is very underhanded!
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Why history, because your browser actually blocked a potentially vulnerable component, which was installed without consent in the first place?

    Kind of contrary to logic ...

    Mrk
     
  22. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    I use Opera browser and I have it too !!

    C:\Program Files\Opera\program\plugins\npwmsdrm.dll (microsoft @DRM)

    So will try to remove it.


    Gordon
     
    Last edited: Oct 18, 2009
  23. bigkatt74

    bigkatt74 Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    11
    Location:
    Illinois
    I have went through the threads the G-MOD posted above and I haven't found them yet.

    C:\Program Files\Mozilla Firefox\plugins has only 3 .dlls in its folder. They are not in any folder.

    The .dlls outside in C:\Program Files\Mozilla Firefox cover java, flash, ect. These DRM's are not listed here or the other places listed either. I have set Xp to show all "hidden files and folders", "extensions for known file types", and to show "protected operating system files". These DRM's must be new, renamed, or someplace else. WPF add-on is gone, these other DRM's are buried in the registry or some part of another program besides the .Net Framework.

    I am still looking and searching. For now, I just have the plug-ins disabled. I am starting to have Hijack This and rootkit nightmares from searching for things in the past (LOL). I am just going to use backup images until they are gone.

    ---BigKat---

    OFF TOPIC: Sorry to start a thread and give up, but I have an emergency on my hand right now involving swine flu. I am a Molecular Biologist with degrees in Microbiology and Biology. I have to help with a human virus now.
     
    Last edited: Oct 18, 2009
  24. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Ya, been through this shyte previously.

    Comes with the 3.5 .Net updates obviously.
    If .Net framework is uninstalled then do these go too?

    When MS did this before, raised a firestorm of resentment.

    What do these plugins actually do ??..from the labelling, some form of DRM control ...going to block 'illegal' uses of content ??
    Some explanation from MS anywhere.

    Did NOT see any of these new plugins listed anywhere in any of the recent big updates from MS: is that legal ??
    If not illegal, ( no doubt somewhere in the MS EULA :mad: ) then certainly discourteous, unasked for, and to top it off, a pita to remove.

    Watch and wait for the level of awareness and irritation to grow.
     
  25. Dr payne

    Dr payne Guest

    Firefox did not notify me. I had all that unchecked in options. That being said, Firefox is in the trash. It is becoming the new IE.

    ghodgson- I don't have that folder in my Opera directory, because I don't have "plug ins checked"

    I feel that any software that does a "silent add-on" is considered malware.
    I know all you FF lovers will try to defend this activity.
     
    Last edited by a moderator: Oct 18, 2009
Loading...
Thread Status:
Not open for further replies.