digg

Facebook Connect Join Digg About

Sneaky Microsoft Plug-in Puts Firefox Users At Risk

computerworld.com An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves that browser open to attack, Microsoft's security engineers acknowledged earlier this week.

Who dugg this? Made popular Oct 16, 2009

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

253 Comments

show profanity settings
expand all
  • rmxz, on 10/16/2009, -15/+195This is part of their core strategy.

    Remember when Microsoft sabotaged Caldera's Dr DOS[1]?

    "Microsoft Senior Vice President Brad Silverberg later sent another memo, stating: "What the [user] is supposed to do is feel uncomfortable, and when he has bugs, suspect that the problem is DR-DOS and then go out to buy MS-DOS.[2]

    Or when they broke Hotmail for Linux users[3]?

    [1] http://news.bbc.co.uk/2/hi/business/600488.stm, http://www.maxframe.com/DR/Info/fullstory/ca_sues_ ...
    [2] http://news.cnet.com/2100-1001-225129.html
    [3] http://digg.com/linux_unix/Microsoft_breaks_Hotmai ...
  • readme, on 10/16/2009, -6/+170Microsoft's not happy enough keeping their bugs isolated to IE and decided to litter Firefox's front lawn as well.
  • danielwsmithee, on 10/16/2009, -5/+162Didn't Microsoft just get up in arms about the new Chrome plugin for IE, and it exposed the users to additional risk? In other words it is OK for Microsoft to do something like this, but no-one else.
  • ParadiscaCorbas, on 10/16/2009, -31/+160If they'd do this, they'd do it to Danger to help get rid of Cloud computing.

    Microsoft is underhanded.

    I begin to see why my Linux friend is so opposed.
  • muteSirens, on 10/16/2009, -12/+126I was all worried up until...
    "The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7"

    then I went to Add-ons and uninstalled it.
  • yacks, on 10/16/2009, -1/+107There is a big difference.. the end-user had to install the Chrome plugin for IE.... Microsoft installed the Microsoft plugin for Firefox forcefully without the end-user's permission.

    So The Chrome plug-in user had a choice to take the risk..... The Microsoft one, they were forced..
  • greensky, on 10/16/2009, -9/+92I already disabled that plugin in Firefox. I think Firefox is going to need a way to find/help users remove this type of Trojan.
  • tenbosch, on 10/16/2009, -8/+76You fargin sneaky bastages!
  • StopBanninMePlz, on 10/16/2009, -8/+72Actually it's probably all of the beastiality videos you're watching.

    Keep ***** that chicken.
  • digitalpencil, on 10/16/2009, -2/+54not much help for the multitudes of unknowing users still on Vista/XP though..
  • LostSoul83, on 10/16/2009, -4/+53A wile ago, I found this DRM plugin for Firefox on my EEEPC. I have no idea how this crap got in my firefox, and I surely did NOT authorize it.
  • tmaxxpunisher, on 10/16/2009, -24/+72Of course they did. Its about all they can to do level the playing field vs Firefox since its 1000X better than IE
  • Mujokan, on 10/16/2009, -3/+50Later on: "Microsoft reacted to criticism about the method it used to install the Firefox add-on by issuing another update in early May that made it possible to uninstall or disable the .NET Framework Assistant. It did not, however, apologize to Firefox users for slipping the add-on into their browsers without their explicit permission -- as is the case for other Firefox add-ons, or extensions."

    But I use Chrome mostly, and I would never have know this Add-on was there if not for the article.
  • Floyder, on 10/16/2009, -27/+72............................................________
    ....................................,.-‘”...................``~.,
    .............................,.-”...................................“-.,
    .........................,/...............................................”:,
    .....................,?......................................................\,
    .................../...........................................................,}
    ................./......................................................,:`^`..}
    .............../...................................................,:”........./
    ..............?.....__.........................................:`.........../
    ............./__.(.....“~-,_..............................,:`........../
    .........../(_....”~,_........“~,_....................,:`........_/
    ..........{.._$;_......”=,_.......“-,_.......,.-~-,},.~”;/....}
    ...........((.....*~_.......”=-._......“;,,./`..../”............../
    ...,,,___.\`~,......“~.,....................`.....}............../
    ............(....`=-,,.......`........................(......;_,,-”
    ............/.`~,......`-...............................\....../\
    .............\`~.*-,.....................................|,./.....\,__
    ,,_..........}.>-._\...................................|..............`=~-,
    .....`=~-,_\_......`\,.................................\
    ...................`=~-,,.\,...............................\
    ................................`:,,...........................`\..............__
    .....................................`=-,...................,%`>--==``
    ........................................_\..........._,-%.......`\
    ...................................,<`.._|_,-&``................`\
  • rmxz, on 10/16/2009, -2/+45And another nice quote from the CNET article linked above:

    "If you're going to kill someone there isn't much reason to get all worked up about it and angry," Allchin [a Microsoft VP] wrote in an email discussing how Microsoft should compete against Novell. "Any discussions beforehand are a waste of time. We need to smile at Novell while we pull the trigger."
  • RonADiSH, on 10/16/2009, -7/+45I doubt it
  • swizzcheez, on 10/16/2009, -2/+38If something like this happened to a car company there be a recall and a massive lawsuit.

    When it happens to Microsoft there's a press release and an even larger virus scan market with which to bilk customers.
  • rmxz, on 10/16/2009, -0/+34Radan: Indeed they did.

    I imagine there's an entire division of MBA's at Microsoft who's job it is to calculate the risk-reward ratio of various illegal and immoral tactics; computing the harm the damage will do to competitors vs. the cost of a lawsuit settlement payment.

    If they do these things intentionally - is that illegal? Or just required by a corporation trying to maximize profits?
  • secrity, on 10/16/2009, -3/+36I think that a more important question is how can an MS update modify a competing application to create security holes? This is not a Firefox add-on that was selected by the user.
  • Radan, on 10/16/2009, -1/+34Mmmm, I also remember when they specifically started blocking @mac.com addresses from using MSN because of some "technical difficulties" making it impossible to use that specific domain, and then asking their users to upgrade their accounts to @hotmail.com or @msn.com addresses.
  • netneutrality, on 10/16/2009, -4/+36What Microsoft did was audacious from the beginning, even before this hole turned up. Not only does the automatic .NET update silently modify a program that has nothing to do with it, it overrides the browser user-agent string to send standardly-logged details to every single website you visit of what version of the update you have installed. See this list for some examples: http://www.useragentstring.com/pages/Firefox/
  • RudeTurnip, on 10/16/2009, -16/+45Well, this probably explains the spyware/malware that's been popping up on the family PC.
  • objbuilder, on 10/16/2009, -20/+49Just stay far away from Silverlight and you'll be fine.
  • TexMexRex, on 10/16/2009, -10/+34After a lot of high fives and butt slapping, MS engineers set their sights on Chrome and Safari...
  • ProfessorLX, on 10/16/2009, -8/+32and also why you are a douche
  • DaviDTC, on 10/17/2009, -0/+22Just got this msg from firefox.
    http://img117.imageshack.us/img117/676/ffaddon.jpg
    What is weird is that when I first read this story I went to my add-ons to look for the .net and it wasn't on the list.
  • khyberkitsune, on 10/16/2009, -8/+30Every contact your lawyers and sue Microsoft for Unauthorized Access of a protected computer. Modifying software that does not belong to them is inexcusable in ANY CASE.
  • thubada, on 10/16/2009, -3/+24Read further. There was an update available that makes the .Net add-on removable. Thanks to Lucas123 for submitting this, though. I unknowingly had this add-on enabled. It has now uninstalled. I'm on XP.
  • soopafly, on 10/16/2009, -17/+38M$ writing insecure applications?!?!?!??! NO ***** WAY!!!?!?!? Head assplodes!!
  • Sloth999, on 10/16/2009, -4/+25Wow......shocker. Microsoft unfairly tinkering or crippling third party software. I'm at a loss for words, never thought they would do something like that. One more reason to find an alternative OS.
  • inactive, on 10/16/2009, -14/+34And your hacked Mac is a node in the spamming computers network.
  • nailPuppy, on 10/16/2009, -5/+25Why are you still spelling it Micro$oft? We don't do that anymore.
  • DamnMan, on 10/16/2009, -5/+25No one remembers that movie, Icehole.
  • MWeather, on 10/16/2009, -0/+19"What was the problem?"

    The problem is you're not representative of the general public. Most of them don't even know what a plugin is, let alone that this one is bad and should be removed.

    Do you not see a problem with millions of exploitable browsers? It doesn't just affect those who get infected.
  • Oddish, on 10/17/2009, -0/+18Yeah well.. good luck with that.
  • TheMAZZTer, on 10/16/2009, -3/+20To prevent this in the future, you can make the registry key that Firefox uses to find extensions that are outside of it's application folder non-writable.

    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions
    HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\extensions

    I haven't seen any that use the HKCU one, since of course why install it for the current user when you can force ALL users to use your extension?

    Anyways right click the key and click Permissions, then Add Everyone and Deny Full Control. You can come back later and remove this permission if you want to.

    Note that some installers will completely fail if they can't write to this key (the .NET framework installer will, and will not tell you what went wrong or even try to skip it! The only way you can figure it out is by examining the installer log files or tracing it's registry operations with Process Monitor or a similar tool)

    Of course you can delete entries you see in those keys too to easily uninstall the appropriate extensions, as an alternative solution, although it will do nothing to stop them from being re-added later by a Patch Tuesday patch (I think I've seen a couple that add it back).

    Without those keys, global extensions can still be installed to the Firefox folder or local extensions to the user profile folder AFAIK without the user knowing about it. And I think it's the global extensions that can't be uninstalled or disabled.

    IMO Mozilla should try to introduce some security (although it would be obfuscation, at best) to try to force extension devs to install the extension by launching Firefox to do it, which could then prompt the user to install the extension, allowing the user to refuse it. Of course some devs would respond by hacking the user's profile to bypass whatever security measures were implemented, and would increase the risk substantially of messing up a user's profile or extensions (and the user would not think to blame anyone but Mozilla). However right now Firefox DOES pop up the addons dialog when a new extension is installed so I guess that's better than nothing.
  • globexdesigns, on 10/17/2009, -1/+18Firefox just popped up a security warning asking me to disable them. :) Looks like Mozilla's on top of it.
  • JQP123, on 10/16/2009, -9/+26I think there is an important message here.

    How many other Firefox add-ons create security holes and you just aren't aware of them?
  • secrity, on 10/16/2009, -1/+18And the people who are installing the Chrome plugin for IE are doing it themselves; it is not a being done by a trojan.
  • jaytek13, on 10/16/2009, -1/+17@thubada, it may make the addon uninstallable, but that doesn't help for people who won't read this article and will probably never know about this until it's too late.
  • sigmaman2, on 10/16/2009, -3/+19@burbankmarc
    Yes, I know how malware works. It's easy to create, easy to install, and easy to gather data with. It's so easy that its on people's computers before they even realize they've installed it. It's easy to use it to screw with people. That's why people hate it.

    @StopBanninMePlz
    Linux is Free, Open Source Software (FOSS). Virtually all Linux software is free to download, use, modify, and pass on to others. Saying that I would have to pay for the same protection on Linux shows a fundamental misunderstanding of Linux, and FOSS on your part.

    And Linux is inherently secure enough that I don't have to install any further security measures. It doesn't "magically do it for me" any more than an umbrella "magically" keeps rain off my head. It was built, from its inception, to do that.
  • madeingermany, on 10/16/2009, -6/+21HaHa!
    http://digg.com/microsoft/Microsoft_Google_Chrome_ ...
  • Langford, on 10/16/2009, -3/+17I guess now we will need a Firefox plugin to protect us from unsolicited and/or malicious plugin installations.
  • Memnochxx, on 10/16/2009, -14/+28Ubuntu doesn't even detect my tv when attached by svideo. Seems like pretty basic behavior an os should have.
  • sigmaman2, on 10/16/2009, -11/+25If you are comfortable with your Russian and Nigerian friends watching TV with you, then I understand your position. More power to you.

    I on the other hand think that security and stability are basic behaviors that an OS should have. I shouldn't have to pay for an OS, then pay again to secure it, then pay again to keep all the crap off of it I don't want, then pay yet again when someone inevitably breaks in and wreaks havoc.

    The common complaint is that Linux is not easy to use, and doesn't work with everything. In this case, that's a strength. Otherwise, it would be just as easy to create malware on Linux, and that malware would work against everything...just like in Windows OSes.
  • geehossiphats, on 10/16/2009, -5/+19Except in the case where the end-user (you) clicked on "I Accept" when presented with their EULA. If you read the EULA and understood it, you probably would say, "Hell **** NO!!!". But you didn't. SUCKER!!!!!
  • jetsfandb, on 10/16/2009, -3/+17I saw that movie once. ONCE!
  • roebeet, on 10/16/2009, -1/+15Get Off My Lawn.
  • Speedy7, on 10/16/2009, -9/+22It's a pretty daft move IMO.
  • sigmaman2, on 10/16/2009, -9/+21That's why I formatted and installed Linux.
  • Fetching more discussions...
    Show 51 - 100 of 254 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...