Odd isn't it, how Microsoft kicked up a fuss when Google announced the Chrome plugin for Internet Explorer on the grounds that it could make the browser more insecure. Indeed, it went as far as to suggest that it doubled the potential surface area for malware and scripted attacks. Yet, amazingly, Microsoft sees no such problem with installing a plugin into the Firefox browser. What's more it is installed without asking the permission of the user and, he says with more than a hint of irony, it left Firefox vulnerable to a drive-by exploit.

This is nothing new, as those with a memory for such underhand shenanigans will recall, as Microsoft started 'silently' installing a .NET Framework Assistant extension for Firefox users earlier in the year. The sting at the time was that it could not be uninstalled, and when an uninstall option was provided (after much media attention) it managed to break some other Firefox extension during the uninstall process.

So imagine the surprise when numerous Firefox users were presented with an 'Add-ons may be causing problems' popup when they had not added any new extensions. That popup quickly explained what was going on (see screenshot) determining that the Microsoft .NET Framework Assistant 1.1 may be "unstable or insecure". Given the option to restart Firefox so that the add-on could be disabled most punters would, I suspect, jump at the chance.

People have a right to be angry both at Microsoft for plugging something into a non-Microsoft browser client which could impact upon the security of that client, and doing so without their knowledge or prior consent I might add, but also with Firefox for allowing this silent installation in the first place.

But why the fuss now, when this plugin was pushed out some months back? Well it all boils down to the recent big Patch Tuesday roll out from Microsoft. On Tuesday Microsoft warned that unless Firefox users had installed the appropriate Internet Explorer patch then they would be vulnerable to an exploit enabled by a .Net Framework Assistant extension bug. Microsoft stated that installing Tuesday's MS09-054 patch protected all users from the exploit, no matter the attack vector, including Firefox users.

Mozilla responded, quite correctly, by telling Microsoft to Firefox off. It automatically turned on a system to block the extension for all Firefox users. Mike Shaver, Vice President of Engineering with Mozilla, explains "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."

The thing is, if you silently or stealthily install software which impacts upon the security of the user, without that users knowledge or prior consent, isn't that called malware?

Attachments firefox-says-no.jpg 14.08 KB

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

8 Years
Discussion Span
Last Post by fossrules

So that's what it was, I received the same message after the update this week and was surprised to see an add on I hadn't installed myself.

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.