Mozilla says Microsoft browser malware can Firefox off

(happygeek)

Odd isn't it, how Microsoft kicked up a fuss when Google announced the Chrome plugin for Internet Explorer on the grounds that it could make the browser more insecure. Indeed, it went as far as to suggest that it doubled the potential surface area for malware and scripted attacks. Yet, amazingly, Microsoft sees no such problem with installing a plugin into the Firefox browser. What's more it is installed without asking the permission of the user and, he says with more than a hint of irony, it left Firefox vulnerable to a drive-by exploit.

This is nothing new, as those with a memory for such underhand shenanigans will recall, as Microsoft started 'silently' installing a .NET Framework Assistant extension for Firefox users earlier in the year. The sting at the time was that it could not be uninstalled, and when an uninstall option was provided (after much media attention) it managed to break some other Firefox extension during the uninstall process.

So imagine the surprise when numerous Firefox users were presented with an 'Add-ons may be causing problems' popup when they had not added any new extensions. That popup quickly explained what was going on (see screenshot) determining that the Microsoft .NET Framework Assistant 1.1 may be "unstable or insecure". Given the option to restart Firefox so that the add-on could be disabled most punters would, I suspect, jump at the chance.

People have a right to be angry both at Microsoft for plugging something into a non-Microsoft browser client which could impact upon the security of that client, and doing so without their knowledge or prior consent I might add, but also with Firefox for allowing this silent installation in the first place.

But why the fuss now, when this plugin was pushed out some months back? Well it all boils down to the recent big Patch Tuesday roll out from Microsoft. On Tuesday Microsoft warned that unless Firefox users had installed the appropriate Internet Explorer patch then they would be vulnerable to an exploit enabled by a .NET Framework Assistant extension bug. Microsoft stated that installing Tuesday's MS09-054 patch protected all users from the exploit, no matter the attack vector, including Firefox users.

Mozilla responded, quite correctly, by telling Microsoft to Firefox off. It automatically turned on a system to block the extension for all Firefox users. Mike Shaver, Vice President of Engineering with Mozilla, explains "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."

The thing is, if you silently or stealthily install software which impacts upon the security of the user, without that user's knowledge or prior consent, isn't that called malware?

Attachments firefox-says-no.jpg 14.08KB
Davey Winder

I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best selling IT magazine in the UK.

retrohelix

So that's what it was, I received the same message after the update this week and was surprised to see an add-on I hadn't installed myself.

happygeek

You most certainly are not alone in being surprised, my friend.

EddieC

Trust not Microsoft, ye who yearn to be free (of defects).

Adamsappleone

Interesting reading happygeek,

I happened to run across this the other day;

Add-ons Blocklist
This page lists blocklisted add-ons that should no longer be used with Mozilla products.

https://www.mozilla.com/en-US/blocklist/

And, this is a "Fix" "Remove the Microsoft .NET Framework Assistant (ClickOnce) Firefox Extension"

http://www.annoyances.org/exec/show/article08-600

fossrules

I agree with EddieC!!!!
