
Microsoft makes Firefox vulnerable: Mozilla responds

A months-old Microsoft security faux pas rears its ugly head, and Firefox users pay the price.

Earlier this year, Microsoft came up with a way to surreptitiously add a feature to Firefox -- and, at the same time, a new way for Firefox to be vulnerable to malicious security crackers. In Microsoft may be Firefox's worst vulnerability, I pointed out that:

Microsoft has decided to quietly install what amounts to a massive security vulnerability in Firefox without informing the user.

A number of articles sprang up, including my own, explaining how Microsoft's .NET extension for Firefox could be removed, and in some cases warning users to refuse to let the .NET update install itself at all. After taking enough heat from users and security experts, Microsoft even released another MS Windows update that made it easier to disable the .NET extension for Firefox.

Unfortunately, a number of subsequent updates have played havoc with the ease of maintaining a system clear of that particular Firefox extension. Microsoft, as always, thinks it knows better than users. In several cases, people have reported removing or disabling the extension only to have it reappear or reactivate itself later, when it wasn't expected.

On Tuesday this month, Microsoft released a security bulletin that addresses this problem. The company has admitted to a critical vulnerability introduced to Firefox because of the .NET extension it originally claimed was nothing but a perfectly safe improvement in Firefox functionality. According to ComputerWorld's Sneaky Microsoft plug-in puts Firefox users at risk:

"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."

The Mozilla Foundation, which manages the open source Firefox browser development project, has taken steps to protect its users. Some Firefox users may be treated to a warning dialog similar to this screenshot, bearing ominous messages like:

Firefox has determined that the following add-ons are known to cause stability or security problems

The listed add-ons include the Microsoft .NET Framework Assistant and Windows Presentation Foundation. In case that was not driven home well enough, the message is reinforced below the list of offending add-ons:

These add-ons have a high risk of causing stability or security problems and have been blocked

Mozilla offers more information at its Add-ons Blocklist page.

Hopefully, Microsoft's evil extensions to third party applications will not be a problem any longer. Hopefully Microsoft will have learned a lesson from the bad press it has gotten as a result of this fiasco. I will not, however, hold my breath.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

57 comments
Ocie3

Should we remove .NET and not allow Windows Update or Microsoft Update to install it?? There is only one program that is installed on my computer which requires .NET ver. 2 and it is not an essential program. If Microsoft is going to use .NET as a wedge for installing insecure software and anti-competitive software on my computer, then I don't want it. Edit: I removed the Firefox .NET extension last spring, shortly after it was installed, after I learned that it introduced Microsoft's "Click Once" technology that allows websites to install software in the background without the user's prior knowledge and consent. I knew that the Windows Presentation Foundation plug-in was installed, but could not recall whether I chose to install it. After Patch Tuesday last week Firefox 3.5.3 displayed the notice that Mr. Perrin describes. The plug-in is currently disabled. If experience serves, a disabled plug-in is removed when Firefox is next updated.

harrylal

It appears that they knowingly installed the vulnerability and I tend to believe it was with malicious intent against a competitor. I don't believe it was an accident or unintentional. They have used other despicable tactics like this in the past and were prosecuted, and I think they should be prosecuted now. They should be punished!

hueta

Microsoft has released every OS since 3.0 with tens of thousands of bugs. Their apparent way of debugging is to read angry emails and letters. The main reason other OS's became popular with the IT community is because of this behavior. The chief reason other OS's are less of a security problem is because less people utilize them and so they are less likely to be a hacker target. MS is not going to change their behaviors in these matters. They have too much invested in protecting their adshare and content. They apparently view lawsuits as just a cost of doing business. How sad.

mirmuit

The last couple of weeks I did encounter this problem: FF produced some illogical crashes. Soon I discovered that this evil, sneaky WPF plugin was the evil-doer and disabled it through the FF add-on window/list. Man-o-man... wish for Microsoft to be gone forever, out of my digital life!!!... FOREVER.

melekali

...control the updates that are loaded in Windows. It's good to see that Mozilla has stepped up and protected its users.

LesleyDewar

Just installed it yesterday; saw the message and clicked the OK button. I assumed the offending extension was blocked. Hope so. Had to get rid of IE8 because Telstra is only up to IE6 and I could not read their webmail.

james

They are a destructive bunch. Are they doing the same shenanigans to openoffice.org? Perhaps their strategy is: if you can't compete, kill.

mauited2004

When I went online several days ago, there was a Firefox warning about this Microsoft add-on and so, trusting that Firefox knows their software better than I, I proceeded to block and uninstall this add-on. The funny thing is, I never installed this add-on in the first place. Thank you for this alert and thank Firefox for taking care of the people that trust in them!

Gis Bun

Making a big deal out of nothing. Any time [whether Microsoft, Apple, RedHat, etc.] makes a change that is usually for the better, things "break". A recent security update "broke" Microsoft OCS recently. Maybe it's bad programming [in this case] in Mozilla?

ajkillgore

So I use UBUNTU and there is no .NET issue. My Vista crashed and I have been on UBUNTU since and am not really regretting it. Not having to deal with the dreaded MS curse anymore.

jhogan123

Best answer - use IE8. It is at least as secure as Mozilla and is also free. I think MS is (finally?) doing what it needs to in order to keep its software safe and I think the Mozilla people should do the same. It's hard to blame MS for trying to make their own products more useful and secure. I don't think they should not issue a security fix for their own product in a timely manner because it may affect someone else's software badly. I do think they should make the problem known publicly so that proper measures can be taken by all concerned - but browsers are like any other piece of software that needs to be updated by the manufacturer to keep up with OS changes.

Deadly Ernest

did they pay out in fines, and then recover by increased fees for Windows versions, for including the application Internet Explorer in Win 95 - then had to make changes to allow people to not have it as the default in later versions, after years in court fighting it. Now they've added a swag more applications into the OS, so how long before the anti-virus people, the firewall people, and a few others, take them to court for unfair practices by increasing the retail price of Windows to cover the cost of putting their own versions in the package. And you think MS won't try this .Net trick again - yeah, right. Good answer, don't have .NET on your system at all. Better answer, don't have auto updates. Best answer, don't use Windows.

NickNielsen

I was quite surprised, and very pleased, to see the "this plug-in has been disabled" message the first time I opened FF after the updates. Both the .Net Assistant and the Presentation Foundation are displaying "Disabled for your protection. Known to cause security or stability issues." Like you, I do not expect MS to learn from this incident and will not be surprised to see another such caused by another stealth installation of an "essential" MS service.

alan

It is unmovable, like faeces on a blanket. Last year a .NET security patch could NOT install. M.S. Tech Support had me un-install so I could re-install. First I removed .NET 3.0. Then I tried and repeatedly failed to remove .NET 2.0. There was some error that Catalog information was missing, so XP did not know the order in which components were installed, so it refused to uninstall them. .NET 2 is NOT installed, it is incorporated and I cannot be shot of it. Since then XP has gone up from SP2 to SP3 and the missing Security Patch is now incorporated - or is that another M.$. lie? Alan

JCitizen

I've hidden updates and even shut update down completely and some of my clients get IE 8 anyway whether they want it or not. It tries to install, every time I manually update, whether I've unhidden it or not. Many older computers just can't run with it installed. However my old DELL won't run without .NET 1.1 latest update. I just can't win for losing.

bpsull

I don't see anyway in which this could have been unintentional. Someone programmed a couple of plugins/add-ons for Firefox which deliberately introduce 'features' which even MS admits are major security problems. Then they shove those two add-ons into a Windows update that silently installs them as a privileged user (without including that 'feature' into the update description). For all of that to take place accidentally there would have to be some combination of mass selective amnesia and a collapse in communication to rival the Tower of Babel.

dgbell

I agree. This is malicious and knowingly puts people in harm's way. In this current environment of cybercrime and ID theft, where is the DOJ in policing this criminal activity?

apotheon

The chief reason other OS's are less of a security problem is because less people utilize them and so they are less likely to be a hacker target. Incorrect. In fact, that's probably the least important reason for a difference in practical security. I said more about that in response to another comment of yours.

hueta

Microsoft has released every operating system they have programmed with tens of thousands of bugs. Their apparent favorite debugging technique is to read angry letters. This blatant disregard for FireFox users is just one more straw. The main reason however that other OS's are less of a security risk is that they do not have the MS market share to make them popular targets. They also are used by more sophisticated people that are computer oriented. FireFox became popular out of frustration with IE, and their market share is constantly under attack by MS in their advertising and apparently their programming.

JCitizen

I've been waiting for that to happen first actually. Probably already has!

apotheon

Read some other articles about the same thing, if you like. Do something to educate yourself. Microsoft didn't make something "better" and accidentally break something: it changed a third-party application and tried to hide that fact from users. It's manipulating users and trying to take control of everything in their computing environments. That's malicious and wrong.

lestertrad

and the sad thing, as in the case of the majority of Americans, is that they don't even know how profoundly they've been brainwashed: "What? The USA *doesn't* support free and fair elections everywhere in the world?" 1) "There's gotta be a simple explanation..." 2) "Communist propaganda!"

Tony Hopkinson

MS wrote the .net stuff. MS wrote the add-on. MS wrote the update that put the add-on in, silently, off their own bat, without consulting anyone. You could perhaps blame Mozilla for allowing a fully authorised user created by MS, able to do anything on the system, to execute one of their functions, I suppose. Normally that would indicate a bit of bias, but you appear to have that covered anyway.....

apotheon

Best answer - use IE8. It is at least as secure as Mozilla and is also free. Actually, IE8 is still closely integrated into the OS (thus providing more opportunity for IE8 security vulnerabilities to affect the rest of the OS), still closed source (thus not subject to as much community help dealing with security issues), still maintained by Microsoft (thus prone to getting vulnerabilities ignored and covered up for long periods of time rather than fixed, as well as prone to having its configuration changed without users' knowledge when there are Windows updates), and still plagued by a bunch of "features" that are worse than a poke in the eye with a sharp stick. I think MS is (finally?) doing what it needs to in order to keep its software safe and I think the Mozilla people should do the same. Really? What makes you think that? I'd like to see your evidence of such a turn-around to the extent that Mozilla is supposedly lagging behind. It's hard to blame MS for trying to make their own products more useful and secure. It would be difficult to blame MS for that. I don't see that happening here, though. What I see is Microsoft trying to make others' products more "useful", saddling them with unnecessary features that greatly reduce security -- and that everybody but them immediately noted would be a huge security issue. I also see that Microsoft did this stuff in a secretive, underhanded way that seemed intentionally designed to circumvent the wishes of users, and to bypass the security protections of the third-party software in question. I don't think they should not issue a security fix for their own product in a timely manner because it may affect someone else's software badly. I agree. That's not what happened here, though. Nobody's complaining about the security fix. People are complaining that: 1. Microsoft forced an unnecessary feature addition on third party software in an underhanded, surreptitious manner early this year. 2. That unnecessary feature was actually highly prone to security vulnerabilities in general, and only Microsoft seemed intent on pretending that wasn't the case. This tendency toward vulnerability in such features is, in fact, one of the major reasons so many people prefer browsers other than IE in the first place -- so of course Microsoft decided to try to undermine that advantage of a competing browser. 3. The fears of increased vulnerability for the third-party software were proven to be quite reasonable worries when the recent security bulletin was released. The only thing Microsoft did right here was to issue the security bulletin and patch. Even when it offered an update in June that allowed the add-ons for Firefox to be "disabled", Microsoft did it wrong, because the disabling was only usable on a per-user basis, and still didn't solve the problem of making users hack the Registry to actually uninstall the thing -- and subsequent MS Windows updates tried to reinstall it anyway.

techrepublic

Ok, so, your assertion is, since Microsoft is tampering with the security of Mozilla/Firefox, using IE8 is a better security choice? Wow. Just ...Wow.

bpsull

If you read the article, and the preceding articles on this topic, you would know that this is in no way "trying to make their own products more useful and secure" OR "a security fix for their own product". This is inserting a security vulnerability into another company's product without admitting to this behavior. They surreptitiously inserted multiple add-ons and plug-ins into Firefox as part of a Windows/.NET framework update. In no way is inserting an irremovable third party plug-in into a competitor's product necessary to the security or safety of your product. It's like if Ford had a serious problem with their cars and their 'fix' for the problem was to slap some paint on all of the affected Fords, and then sneak around breaking the same part on all of their competitors' vehicles.

JCitizen

that Microsoft is pissed at the percentage of users migrating to FireFox in droves after the abysmal performance on Internet Explorer issues in the last three months. One news item after another indicates a general stampede to FireFox, me included. I still use IE 8 for high def sites; but most of the serious work gets done on FF - period!

melekali

Don't use Windows. What would you have us use, the monumentally insecure mac?

Gis Bun

You're equating court issues with bad programming from Microsoft or Mozilla? Get real.

grax

Amen! The good news, as reported, is that this plug-in is blocked on every system I've checked. They all use Firefox of course.

jck

If MS knew about it causing a vulnerability in FF, released it anyways, and didn't inform Mozilla about it beforehand, having previous knowledge it would compromise their product's security... isn't that illegal? I hope someone takes Microsoft to task for this.

RandyLyon

I received the message saying the add-on was disabled. But curiously, the add-on does not show up as disabled in the list of add-ons. In fact it doesn't appear at all in the list.

Snak

... from this incident. I think they'll learn to be so sneaky inserting their malware into perfectly functioning applications that no-one will find out until any computer not running 100% MS costware will just shutdown and die. Stop looking for monsters under beds. They're out in the open, operating from offices in Seattle, apparently.

JCitizen

I had the same problem sourced to Symantec. After disabling the Norton driver in device manager (even after using Norton's uninstaller), I still ended up using Macecraft's excellent registry tool to clean up the mess! Never went back to 2.0 again!

Ocie3

Hopefully, I will have time during next week or the week after to make a completely clean "nuke and re-install it all from fresh" of Windows XP and the applications that I use. I won't re-install .NET if I can prevent it.

JCitizen

by the mass migration of people to FireFox. Looks like they decided for "get even time", if you ask me! The percentage of people changing browsers in just the last three months (including me) pretty much shows how we all feel. It may accelerate now! HA!

apotheon

The main reason however that other OS's are less of a security risk is that they do not have the MS market share to make them popular targets. A lack of popularity is not the main reason other OSes are more secure. There's a minimal threshold beyond which it becomes worthwhile to attack a given OS or application, assuming it's easy enough to compromise the security of the OS or application. Firefox and Chrome, MacOS X and Linux -- they're all popular enough to have crossed that threshold.

alan

He is a company director so it is his duty to believe in any old lies given by the people he buys from, and he may have to justify to share-holders why his company pays exorbitant licence fees to Microsoft. He probably has an I.T. department which protects him from harsh reality by re-imaging his system every night. Alan

Deadly Ernest

or you could use Linux, or you could, shock, horror, write your own.

apotheon

1. There are more than two options in the world. 2. As bad as the Mac is, MS Windows is at least as bad.

Tony Hopkinson

But if its other security failings are an issue, go for VMS. :p They aren't though, are they? If security was an overriding issue you wouldn't touch Windows. Being sillier is not a good way to show someone is silly....

Deadly Ernest

to cause troubles for others. The inclusion of Internet Explorer was intentional, to reduce the number of Netscape Navigator users by pushing IE on people. The MS code to stuff up FF was done intentionally; that sort of thing could not have happened by accident, just too much to have happen.

apotheon

He was talking about Microsoft's tendency to learn lessons from bad experiences. He's saying that, since Microsoft didn't learn its lesson about unethical business practices from various court cases and fees, it has established for itself a track record that suggests it won't learn anything from the bad press that arose as a result of unethical behavior in regard to surreptitiously slipping vulnerability enabling extensions into Firefox. I thought the relevance was perfectly obvious.

Bishop74

I got the autoblock message as shown. At least some companies update their software in a timely fashion. I would gladly not use Windows... if that was truly an option. However, until that day comes, I'll have to use multiple OSes.

Ocie3

finance a class-action lawsuit against Microsoft for committing fraud?? We would have to prove actual damages, I believe. (No, I Am Not A Lawyer.)

apotheon

The specific vulnerability for which Microsoft recently released its security bulletin probably wasn't a known vulnerability, itself. On the other hand, I simply cannot believe that there weren't people at Microsoft intelligent enough to understand that there was a huge potential vulnerability being introduced there.

NickNielsen

The .Net assistant will appear in the extensions list. The Presentation manager will appear in the plug-ins list. They are two separate tabs at the top of the add-ons window.

Deadly Ernest

or even write your own, plenty of options. Hell, you could go back to DOS too.

jck

I figure you wait to see if Mozilla can prove anything. Then if they do, take that court decision and any huge law firm would take it and run with it. I wonder what a security compromise is worth? $10? $100? $10,000? It gets into 6 figures, I'll sign up for it. I've used Firefox for years, and avoid IE.

jck

That's why I hope that if that's the case, someone will bleed an internal email out showing it. The fact is, Microsoft tests things internally versus other makers. That's how they get performance data, as well to make sure their products render similarly to others using the same base standard. I'm with you. I think someone/some people knew, and decided to try to throw the wrench in the gears at Mozilla then look around innocently like nothing was intentional.
