Microsoft may be Firefox's worst vulnerability

In a surprise move this year, Microsoft has decided to quietly install what amounts to a massive security vulnerability in Firefox without informing the user. Find out what Microsoft has to say about it, and how you can undo the damage.

Microsoft pushed out its .NET Framework 3.5 Service Pack 1 update this February. The "List of changes and fixes" article about this update says:

The .NET Framework 3.5 SP1 is a full cumulative update that contains many new features. These new features build incrementally upon the .NET Framework 2.0, the .NET Framework 3.0, and the .NET Framework 3.5. It also includes cumulative servicing updates to the dependent .NET Framework 2.0 and .NET Framework 3.0 subcomponents. This update should be applied as an important update for the .NET Framework 2.0 and later versions, and it is recommended for all other supported operating systems.

The article then goes on to list a dizzying array of changes delivered by the update.

According to Annoyances.org, however, it does something that isn't listed there -- it installs the Microsoft .NET Framework Assistant extension for Firefox, silently, without informing the user. If you had Firefox on your computer when this update was installed, you may be subject to some dire consequences. In Remove the Microsoft .NET Framework Assistant (ClickOnce) Firefox Extension, Annoyances.org says:

This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC. Since this design flaw is one of the reasons you may've originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.

Yes, that's right -- the long-time, well known security hole present in Internet Explorer that consists of essentially letting Websites install dangerous, untrusted code on your computer willy-nilly has now been shoehorned into your MS Windows install of Firefox without your knowledge or permission.

Worse yet, Microsoft isn't satisfied with just giving you vulnerabilities without your permission or even your knowledge. It has also gone out of its way to ensure that you'll have a difficult time removing the vulnerability from your system if you should happen to become aware of it. The Uninstall button for this extension in Firefox has been deactivated. In Uninstalling the Clickonce Support for Firefox, Microsoft employee Brad Abrams says:

We added this support at the machine level in order to enable the feature for all users on the machine. Seems reasonable, right? Well, turns out that enabling this functionality at the machine level, rather than at the user level, means that the "Uninstall" button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.

Brad Abrams explains that, in response to a lot of negative reaction from people who realized that MS was monkeying around with their Firefox installs without permission or notification, an update has been produced that turns the extension into a "per-user component". Of course, he thoroughly downplays the negative reaction, saying:

Clearly this is a bit frustrating for some users that wanted an easy way to uninstall the Clickonce Support for Firefox.

Reading some of the Slashdot commentary, I'd say it was far worse than "a bit frustrating" for some users. It was downright enraging for some, and I don't blame them.

He claims turning the .NET Framework Assistant into a per-user component makes uninstalling it "a LOT cleaner". In some respects, this is true. The process for a full uninstall that was necessary to get it out of your hair as a standard system user can be pretty scary for someone who isn't a bona fide expert computer user. Even most so-called Power Users should be very leery of following those instructions. Those of us who have actually gotten to the point where we edited registry keys for a living (yes, I had a job a few years back that included that unenviable task, and I got quite good at doing so quickly and safely), on the other hand, should find it pretty simple.

On the other hand, making it a per-user component means that when one user uninstalls it, another can still have it. If you're uninstalling it for security reasons, this should set off a warning klaxon in your head, complete with flashing red lights. If you're the only person who ever uses your computer, this might mitigate the problem somewhat, but anyone who manages to remotely exploit your system as another unprivileged user account may then be able to make use of the security hole represented by the .NET Framework Assistant to increase his or her hold on the system (among other nightmare scenarios that may spring to mind).

I guess you have to admire the sheer chutzpah of someone like Brad Abrams trying to put a bright, happy face on this situation. It takes real courage to stand out front telling users about this major hose-job and try to find a way to spin it so the users won't turn into a lynch mob. At least he has the decency to tell us how to do the work necessary to remove the unwanted Firefox extension. Go read his Weblog post (linked above) now, and make the necessary changes, if you're using Firefox on MS Windows.

I recommend you do the registry hacking necessary to carve this thing out of the guts of your system, get rid of Firefox entirely and use one of the other third-party Web browsers that isn't known for screwing its users, or just get rid of MS Windows entirely, at this point. Do you remember when I listed 5 characteristics of security policy I can trust? Yeah. Anything that Microsoft can modify from afar like this doesn't even begin to satisfy my criteria, and this incident is an excellent example of that.
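As an added example (not code from the article, Mozilla or Microsoft), here is a PowerShell audit that lists Firefox extensions registered through the Windows registry, machine-wide and per loaded user hive, so an administrator can see which scope an add-on like the .NET Framework Assistant was registered under before deciding what to remove. It assumes Firefox's documented registry convention under SOFTWARE\Mozilla\Firefox\Extensions (value name = extension ID, value data = path to the extension) and that the script is run elevated.

```powershell
# Added audit helper, not from the article, Mozilla or Microsoft. Lists every
# Firefox extension registered through the Windows registry, which is how a
# machine-level add-on reaches every profile on the box. Assumes Firefox's
# documented convention: under <hive>\SOFTWARE\Mozilla\Firefox\Extensions each
# value is named by extension ID and holds the path to the extension's files.

function Get-RegistryFirefoxExtensions {
    # Make HKEY_USERS reachable so per-user registrations of every *loaded*
    # profile are covered, not only the account running the script.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Machine-level locations (64-bit and 32-bit views). Entries here are what
    # a standard user sees as a greyed-out Uninstall button.
    $keys = @(
        'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
        'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions'
    )

    # Per-user locations: one key per loaded user hive (the SID pattern skips
    # the *_Classes hives and built-in accounts).
    $keys += Get-ChildItem 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Mozilla\Firefox\Extensions" }

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($id in $item.GetValueNames()) {
            $path = [string]$item.GetValue($id)
            [pscustomobject]@{
                Scope       = if ($key -like 'HKLM:*') { 'machine' } else { 'user' }
                Hive        = $key
                ExtensionId = $id
                Path        = $path
                # A registration whose target is gone is stale; one whose target
                # is present is an add-on Firefox will load for that scope.
                PathExists  = ([bool]$path) -and (Test-Path -LiteralPath $path)
            }
        }
    }
}

# Usage: run elevated so HKLM and other users' loaded hives are readable.
Get-RegistryFirefoxExtensions | Format-Table Scope, ExtensionId, Path, PathExists -AutoSize
```

Only hives currently loaded under HKEY_USERS are scanned, so profiles of users who are not logged on will not appear unless their NTUSER.DAT is loaded separately.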

It looks like the biggest security vulnerability in Mozilla Firefox this year is Microsoft.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

deepsand

How about Chrome and Opera? How is it that FF was unable to avoid what others did?

deepsand

This incident seemingly provided a welcomed opportunity to yet once more engage in bad-mouthing King MS, all of which was swell until someone had the audacity to point out that Prince FF was parading around butt naked, at which point the Jester got his knickers in a knot.

Neon Samurai

At the risk of getting dragged in the middle of this shtfan exchange.. my understanding was that the .net update included a plugin for FF; hence, the .net entry in the Firefox plugin list. Wouldn't the update have to include a Safari or Opera plugin to afflict those browsers in a similar way? If FF is including IE components, why don't I require those IE components for FF installed on other platforms?

Deadly Ernest

of Software because he screwed Prince FF when the price went about in the court dress Stalin insisted he wear. The Stalin of Software goes around ignoring the laws and raping and pillaging other software as he wishes because he has a huge public relations budget and a huge army of mind controlled soldiers who help him force his views on the general peasants.

deepsand

FF doesn't use IE "components," but rather uses some of the same OS mechanisms used by IE. MS intended that IE should incorporate a certain feature of the .NET update; and, FF, by using a certain IE-centric mechanism, also incorporated it. Other browsers, by not using said mechanisms, went unaffected.

deepsand

The constant & persistent MS bashing zealots have become a tedious lot, serving no purpose other than to create a great din that distracts all from the issues that are amenable to being controlled by us. It's time for them to move on.

apotheon

You add nothing to discussion.

apotheon

Try portable Firefox on a USB storage device. There are configurations that don't do anything with the OS but basically run on the thing. The relevance, by the way, is the fact that you make broad, sweeping generalizations that are obviously false. I chose a far-afield example to show how ludicrous your statements actually are.

Neon Samurai

Deepsand, you asked why FF was affected by the .NET update where Chrome, Safari and Opera were not. This implied that FF was somehow lesser than the others. You then state that you've never implied that FF was lesser than any other browser. Original fork of this particular thread: "Why was Safari not so afflicted? How about Chrome and Opera? How is it that FF was unable to avoid what others did?" And more recently: "Never said that FF was more or less vulnerable than others. That's just your inference, one that suits your purpose of the moment." It may simply be an error on the reader's part, but those two points contrasted are a little confusing. I'm backing out of this one though; it's all kinds of messy that I don't need to be more a part of.

deepsand

None, since the issue at hand deals with Windows platforms, where FF *does* use the Registry. This serves as yet one more example of your many attempts at misdirection.

apotheon

Are you even paying attention to what you say (let alone what others say)?

apotheon

I'm using Firefox on FreeBSD right now, which has no registry. . . . but keep making a bunch of pointless hand-wavy remarks, if that's what makes you happy.

apotheon

I'm frankly stunned that you lied outright like that in your title.

deepsand

That's just your inference, one that suits your purpose of the moment.

deepsand

But, in practice, that's not what happens.

deepsand

Doesn't change the fact that FF uses the Registry Hive in a manner that left itself open to such.

apotheon

The add-on provided with the .NET 3.5 update is what uses shared components -- not the Firefox browser itself. This is a danger of having an extension system, and not of the core application itself. Since both Opera and Chrome have extension systems (though Chrome's is only in Alpha right now, I think), the suggestion that this is somehow uniquely a Firefox problem is spurious at best.

apotheon

FF relies on and implicitly trusts the Registry Hive. This is not the case. It is entirely possible to run Firefox -- even the MS Windows port of it -- without relying on or trusting the Registry at all.

apotheon

That's incorrect. It's not just that the .NET 3.5 update "affected" Firefox and IE but not Opera and Chrome. It's that the .NET 3.5 update included browser components specifically designed for Firefox and IE, but didn't include anything like that specifically designed for Opera and Chrome.

Neon Samurai

Can't disagree there; someone will always have complaints over what MS does. I believe they have earned that disadvantage through past and ongoing behavior. If they wanted to provide a plugin, they should have done it the right way through the FF repository. Even if it was with best intentions, slipping it in through an MS update and the OS back door was not a bright move. They also stuck with the "on by default" approach, so anyone who didn't want it had to remove it rather than those who did want it loading it in through the plugin manager. In this case, like UAC, it was a poor choice for implementation. On the other hand, they also got some press for it without marketing budget spending. It's only bad press if you're not mentioned.

deepsand

And, there is no requirement that an application use such in a manner that is transparent to all. Such are required only for *shared* components; and, there is no requirement that an application participate in any sharing of its own components. Sharing has its advantages; but, at a price, as seen here. In this particular matter, the odd thing is that MS was responding to a perceived market demand; and, absent the error, would have been lauded for responding to the FF users' requests. Damned if you do; damned if you don't.

Neon Samurai

I'm not sure why it would behave so differently on Windows when there is no registry to depend on under any of the other platforms. So MS writes a plugin entry to the registry and FF picks it up with the next startup then? I don't see a reason the OS couldn't do the same with .ini files, being that everything is writable to the kernel. I hadn't dug into it that deeply. I figured with the FF directory and sqlite database in the user's directory, it would have been more separated. So the implicit trust of the registry is FF's failure? It's a bit like finding out one's head of security is the mole. Worth looking into further though.

Neon Samurai

honest curiosity. Is it that FF is using the .net framework or what mechanism would cause the two separate chunks of code to bleed together through the FF plugin list?

deepsand

Otherwise, reap what you sow.

deepsand

You've already got the fallacy part down pat.

apotheon

Say something substantive. These vague, unfocused insults you're slinging don't mean anything in relation to the discussion at hand.

apotheon

I wish I had learned to use the word "zealot" in an ad hominem fallacy to decisively win arguments, like you have.

deepsand

That's quite a warren you've got.

deepsand

You appear to know less than you think you do.

apotheon

Okay, so basically what you're saying, deepsand, is that you have no effing clue what you're talking about. This is not a matter of Firefox using IE "features", or whatever the hell you're babbling about along those lines. The same kind of problem could easily have affected Opera, because both Opera and Firefox use an extension system -- and the problem is that Microsoft developers specifically targeted the Firefox extension system and didn't bother to target the much less market dominance threatening Opera browser. Of course, I don't know a whole lot about the Opera extension system, but my understanding is that the Opera extension system can handle adding actual functionality to the browser (and isn't limited to changing things like color schemes, or something equally lame). Assuming that's the case, Opera isn't immune as you seem to think; it just wasn't targeted by MS the way Firefox was.

apotheon

You're the one doing all the hand-waving about not using the OS facilities to support application development. Maybe you should try saying something substantive for a change so we don't have to try to fill in the blanks for you -- and, thus, maybe you'll avoid sounding like you're advocating for Mozilla writing malware or OSes.

apotheon

1. It's not yours, either. 2. At least I'm not a TR employee. I'm a contributor. Anyway, my opinion is part of what TR pays me to provide. 3. In some respects, you're right, though. I should hold myself to a higher standard of restraint and politeness than I have in response to your trolling. Simply holding myself to a higher standard than you is not good enough, since some people may regard me as a representative of TR (rightly or wrongly). Should the fine folks at TR take note of this, I apologize for my momentary lapse.

deepsand

Rather, it is the case that Mozilla chose to use certain IE-centric features, rather than having FF stand on its own. Safari, on the other hand, did not follow suit; and, consequently, was not impacted by the .NET bug.

Deadly Ernest

but when I asked the people at MS Aust what's needed to be able to; they told me about the need to stay within their set out guidelines and to only use the list of commands they provide to interact with the OS and the hardware. They said failure to comply would mean the application would not work properly with Windows. As I said, on this I believe the MS people as they know more about how their OS works than you or I do. As to interaction with the hardware: Try reading this wiki article and note the quote below the link. http://en.wikipedia.org/wiki/Operating_system quote An operating system (commonly abbreviated to either OS or O/S) is an interface between hardware and user; an OS is responsible for the management and coordination of activities and the sharing of the resources of the computer. The operating system acts as a host for computing applications that are run on the machine. As a host, one of the purposes of an operating system is to handle the details of the operation of the hardware. This relieves application programs from having to manage these details and makes it easier to write applications. end quote The application should NOT be having any direct interaction with the CPU or any other hardware at all. Not if it and the OS have been designed even halfway right. Now, unless you're prepared to publicly declare the MS staff and techs know nothing about how to work with their OS, I suggest you rethink your comments on this. edit a couple of typos

deepsand

Given past emotional outbursts, though, not surprising.

deepsand

Or, are you really just that clueless?

deepsand

TR is not your personal bully pulpit for purposes of preaching your own vision of Heaven & Hell.

deepsand

"... so they not only don't have to, but can't, use MS Windows ..." Did this come from the Red Queen?

apotheon

. . . and none of your whining here pertains to anything I've said. Move along. Find someone else to troll.

apotheon

Shut up, deepsand, and let the adults speak for a moment.

apotheon

Apparently, deepsand expects Mozilla developers to write Firefox as a stand-alone OS/browser. I guess they could call it FireOS from now on. Perhaps he's actually saying that it should do its own memory management by talking directly to the CPU and other hardware, complete with its own device drivers for video and so on. I don't know what he expects the OS to do during this time. Maybe he expects the Mozilla people to just say that you can't use it with MS Windows or any other extant OSes, and has to be installed on the machine in lieu of a general purpose operating system. On the other hand, maybe he really does expect application developers to try to talk directly to the CPU, bypassing the OS for stuff like memory management. Of course, if that's his aim, I think he should expect MS Windows to catastrophically crash every time he tries to start up Firefox. There's a word for an application that does that, in terms of its relationship to an OS like MS Windows: "incompatible".

apotheon

You're only at the whim of the OS to the extent that you choose to use its own code rather than provide your own. I guess you're right. Application developers could always just say "Y'know, people shouldn't use that OS. We'll just build a hybrid OS/browser so they not only don't have to, but can't, use MS Windows (or Debian GNU/Linux, or FreeBSD, or Apple MacOS X, or whatever) at all." That's certainly possible. It's kind of insane, but it's possible. I guess, if that's the point you were trying to make, you've done it.

Deadly Ernest

they say you have to write your application to operate within the parameters and instructions sets you get from them or your application will not run properly under Windows. If you want to deal directly with the CPU and other hardware you need to incorporate your own OS in the application and run it without Windows.

deepsand

Willful ignorance, that is.

deepsand

I'm just sick and tired of listening to people bitch about things that they've no control over, while failing to attend to those things that they can, at least to some extent, control. Likewise for hearing that the universal solution to all that ails us is to simply pretend that MS doesn't exist. MS *does* exist; their products *are* widely *used*, and *will continue to be used*, with or without the advice and consent of detractors. Deal with it.

deepsand

The OS does not specify "instruction code;" that is determined by the CPU's microcode. You're only at the whim of the OS to the extent that you choose to use its own code rather than provide your own. Mozilla chose to use much of the OS facilities used by IE. The Prince chose to use the King's tailor, on the King's tab, rather than pay his own.

apotheon

The "willful ignorance" comment wasn't really directed at you, santeewelding. As for the pre-edit comment about saying what you mean -- many of your comments allow for multiple interpretations. It gets old trying to mind-read to figure out which you mean when you use very passive-aggressive sounding phrasing.

apotheon

My intolerance for willful ignorance is the more intractable condition.

santeewelding

Which is it of your two conditions that is pharmaceutically intractable?

apotheon

Apparently, you're actually so invested in believing in the greatness of the Microsoft business model that you're willing to ignore the realities of software development, and assume that anyone who disagrees with you must be some kind of malicious bully picking on poor widdle Microsoft. That's funny, considering the ill-gotten stranglehold Microsoft has on the market. I'm amazed at people who simply will not recognize the anticompetitive, unethical conduct of Microsoft. How does someone get so invested in believing Microsoft is such a great company that he or she can't see what's right in front of his or her nose?

Deadly Ernest

of MS Windows you have to build it to interact with the OS within the guidelines set out by MS. Sure you can write any damn thing within the application, but it MUST act within the parameters and instruction code set out by MS if you want it to talk with the OS and interact with anything else. Thus MS gets to decide how you input and output information; you only get to decide how you manipulate it once you have it. In your analogy of the clothes, the king decides what style and type of clothes the prince wears while the prince gets to choose the trim colour.