A trojan attacks Firefox masquerading as Adobe Flash Player update



Did it install an extension without permission? Check.

Wrong. You gave permission when you chose to install .NET.

Did it introduce a vulnerability? Check.

Proof, please. Provide technical details of the vulnerability from a reputable source instead of quoting the number of paranoid claims out there.

Did it not provide an uninstaller? Check.

This is Firefox's own fault. It is Firefox itself that prevents the user from uninstalling extensions that are installed at machine level. Microsoft has nothing to do with it, nor would they need to - since the problem is with Firefox - even if this behavior was intentional.

Link to comment

Seeing as you have to accept it, wait for 5 seconds and then accept to install it AGAIN..

I'll be right back. I'll create a trojan that erases your entire hard drive after you press "Yes I'm an idiot, I actually pressed run twice on this application, first to download it and then to execute it and now I'm screwed."

:rofl:

Nothing lasts forever, even Firefox... Google Chrome has a high chance of being the best browser also...

you fail

BS, only IE gets viruses

people still use IE? :blink:

Link to comment

Wrong. You gave permission when you chose to install .NET.

To install a Firefox extension? I don't think so.

Proof, please. Provide technical details of the vulnerability from a reputable source instead of quoting the number of paranoid claims out there.

It silently adds ClickOnce support on Firefox: suddenly web sites can install software on your PC through your browser.

It's not just that you can now get untrusted software installed straight from the web, but also that it's an unexpected feature that got in there without warning.

This is Firefox's own fault. It is Firefox itself that prevents the user from uninstalling extensions that are installed at machine level. Microsoft has nothing to do with it, nor would they need to - since the problem is with Firefox - even if this behavior was intentional.

It's not MS's fault to not provide a method to remove something they installed on your machine?

It's not up to Mozilla to go deleting stuff on other program's folders, so it obviously doesn't allow users to mess with the system. It was a screw up that MS acknowledged and fixed later. Kind of (it still silently installs an unrequested feature, but at least now you can remove it without messing with the registry).

Link to comment

To install a Firefox extension? I don't think so.

Then blame your own ignorance. Installing a program means you give it explicit permission to make whatever modifications it needs to your system so that it can function as intended. Do you honestly expect a program to prompt you for every file and registry value it writes to your system?

It silently adds ClickOnce support on Firefox: suddenly web sites can install software on your PC through your browser.

It's not just that you can now get untrusted software installed straight from the web, but also that it's an unexpected feature that got in there without warning.

Details, please! Not just over-recycled paranoid hype!

It's not MS's fault to not provide a method to remove something they installed on your machine?

It's not up to Mozilla to go deleting stuff on other program's folders, so it obviously doesn't allow users to mess with the system. It was a screw up that MS acknowledged and fixed later. Kind of (it still silently installs an unrequested feature, but at least now you can remove it without messing with the registry).

It's not stuff on "other program's" folders. It's a special folder that Firefox reads, and automatically loads extensions from at startup if any are found. Why Firefox would refuse to allow users, even ones with administrator-level access, to manage extensions from that folder is beyond me, especially when those extensions are automatically installed!

Link to comment

This seems like an addon so the user is informed that it is present - next step is to use brain and problem is solved.

Then blame your own ignorance. Installing a program means you give it explicit permission to make whatever modifications it needs to your system so that it can function as intended. Do you honestly expect a program to prompt you for every file and registry value it writes to your system?

Obviously you haven't installed anything - many installers come with Ask! or Google Toolbar which you can say "NO" to or installers like Winamp give you a fair amount of control over the components you desire and those you don't.

Link to comment

Obviously you haven't installed anything - many installers come with Ask! or Google Toolbar which you can say "NO" to or installers like Winamp give you a fair amount of control over the components you desire and those you don't.

That's a nice attempt, but the difference between a program trying to install its own components and a program trying to install ANOTHER program should be obvious.

Link to comment

The .NET plugin provided an uninstallable extension.

Did it install an extension without permission? Check.

Did it introduce a vulnerability? Check.

Did it not provide an uninstaller? Check.

I wouldn't qualify it as malware as that would imply an intention to do harm that I'd hope this didn't, but it still shares those three qualities though.

No it didn't. The Mozilla .NET plugin is part of the Framework. You can remove it by uninstalling the framework. And how is it related to this malware?

Link to comment

To install a Firefox extension? I don't think so.

It silently adds ClickOnce support on Firefox: suddenly web sites can install software on your PC through your browser.

It's not just that you can now get untrusted software installed straight from the web, but also that it's an unexpected feature that got in there without warning.

It's not MS's fault to not provide a method to remove something they installed on your machine?

It's not up to Mozilla to go deleting stuff on other program's folders, so it obviously doesn't allow users to mess with the system. It was a screw up that MS acknowledged and fixed later. Kind of (it still silently installs an unrequested feature, but at least now you can remove it without messing with the registry).

ClickOnce applications have virtually no access to your computer. They are per-user, and can't even access the registry. The .NET Firefox plugin actually does nothing except define the MIME type so Windows can open the app through Firefox. As a side note, you can't uninstall any Firefox plugins through the browser including Flash, only addons are managed via the browser.

Link to comment

No it didn't. The Mozilla .NET plugin is part of the Framework. You can remove it by uninstalling the framework. And how is it related to this malware?

It comes with .NET 3.5, which comes with Windows 7.

I don't think you can uninstall since it is bundled.

Edit:

Never mind, I can do so with feature removal through Windows install/uninstall.

Link to comment

Then blame your own ignorance. Installing a program means you give it explicit permission to make whatever modifications it needs to your system so that it can function as intended. Do you honestly expect a program to prompt you for every file and registry value it writes to your system?

I expect it to notify the user if it's going to modify anything that affects third party software, more so when that was not the expected purpose of the software I'm installing.

That is, though, if I was installing the software myself and not getting it installed automatically in the background.

It's not stuff on "other program's" folders. It's a special folder that Firefox reads

Oh yes, very special: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

No it didn't. The Mozilla .NET plugin is part of the Framework. You can remove it by uninstalling the framework. And how is it related to this malware?

Sure, but you might need the framework (the reason you installed it to begin with) but not want the plugin nor the extension.

It's an unrequested feature that affects a third party product, and you don't even get asked or at least notified about it.

But don't let user consent (or lack of it) get in the way of growing your installed base.

ClickOnce applications have virtually no access to your computer. They are per-user, and can't even access the registry. The .NET Firefox plugin actually does nothing except define the MIME type so Windows can open the app through Firefox. As a side note, you can't uninstall any Firefox plugins through the browser including Flash, only addons are managed via the browser.

So web sites can effectively run software on your computer thanks to that.

The issue about uninstallation is not the plugin, it's the extension.

Link to comment

So if it does affect Linux distros as well (I think it will) then it's more worrisome, as now you would need anti-spyware for Linux too thanks to Firefox.

Link to comment

I expect it to notify the user if it's going to modify anything that affects third party software, more so when that was not the expected purpose of the software I'm installing.

That is, though, if I was installing the software myself and not getting it installed automatically in the background.

I really don't get why you're so unwilling to accept the fact that it's a matter of your own ignorance. Like Java, the .NET Framework is a VM runtime environment to run bytecode. Like Java, the .NET Framework installs a browser plugin so that Firefox knows how to handle such bytecode embedded in webpages, which is presumably what you installed the .NET Framework for in the first place.

In short, the .NET Framework does nothing to Firefox that Java hasn't been doing for years, without any complaints from the user. Is it really that hard to just admit that you're human and were wrong, or do you really find Microsoft such a convenient scapegoat to hide your own ignorance?

Oh yes, very special: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

Whoops, my fault. Firefox reads a registry key, not a folder.

But this changes nothing. The mere fact that a file exists doesn't necessarily mean it's installed - and it won't be, as long as Firefox doesn't automatically load anything found in HKLM\Software\Mozilla\Firefox\Extensions. If Firefox won't delete the plugin file itself because it's located in the Microsoft .NET folder, that's fair enough - but to not even let users uninstall it? How the hell is that Microsoft's fault?

So web sites can effectively run software on your computer thanks to that.

Of course they can. That's the point of even installing .NET!

I think you're confusing this and a "security vulnerability", though. As I've asked twice before: proof, please, not over-recycled paranoid anti-MS hype. Let's do it a third time, shall we? So again: proof of your claims that ClickOnce introduces a security vulnerability, please.

Link to comment
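
An added example, not code from any poster in this thread: a PowerShell audit of the registry location named in the post above, listing every extension registered there and where its files actually live. It assumes each value name is an extension ID and its data is the path to the extension folder or .xpi file; the WOW6432Node and HKCU keys are checked as well, although the thread only mentions HKLM.

```powershell
# Added example: list Firefox extensions registered through the Windows registry.
# Assumption: under each ...\Mozilla\Firefox\Extensions key, the value name is the
# extension ID and the value data is the path to the extension folder or .xpi file.

function Get-RegisteredFirefoxExtension {
    param(
        [string[]]$KeyPath = @(
            'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',              # machine-wide (key named in the thread)
            'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions',  # 32-bit view on 64-bit Windows
            'HKCU:\Software\Mozilla\Firefox\Extensions'               # current user only
        )
    )

    foreach ($key in $KeyPath) {
        # Key absent: nothing is registered in this scope.
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $regKey = Get-Item -LiteralPath $key
        foreach ($id in $regKey.GetValueNames()) {
            # Skip the key's unnamed default value.
            if ([string]::IsNullOrEmpty($id)) { continue }

            $target = [string]$regKey.GetValue($id)
            $exists = -not [string]::IsNullOrWhiteSpace($target) -and
                      (Test-Path -LiteralPath $target)

            # Owner and timestamp help tie an entry to the installer that created it.
            $owner = $null
            $modified = $null
            if ($exists) {
                $modified = (Get-Item -LiteralPath $target -Force).LastWriteTime
                try {
                    $owner = (Get-Acl -LiteralPath $target -ErrorAction Stop).Owner
                } catch {
                    $owner = 'unreadable'
                }
            }

            [pscustomobject]@{
                Scope       = if ($key -like 'HKLM:*') { 'Machine' } else { 'User' }
                RegistryKey = $key
                ExtensionId = $id
                Path        = $target
                PathExists  = $exists
                LastWrite   = $modified
                Owner       = $owner
            }
        }
    }
}

Get-RegisteredFirefoxExtension |
    Sort-Object Scope, ExtensionId |
    Format-Table Scope, ExtensionId, PathExists, LastWrite, Owner, Path -AutoSize -Wrap
```

Machine-scope rows whose path sits under another product's install directory are the kind of entry the thread is arguing about; rows with `PathExists` false are stale registrations left behind by an uninstall.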

I really don't get why you're so unwilling to accept the fact that it's a matter of your own ignorance. Like Java, the .NET Framework is a VM runtime environment to run bytecode. Like Java, the .NET Framework installs a browser plugin so that Firefox knows how to handle such bytecode embedded in webpages, which is presumably what you installed the .NET Framework for in the first place.

AFAIK Java doesn't install a Firefox extension, nor does it modify the user agent string.

The reasons to install .NET might vary, and it could be as simple as installing a service pack for Visual Studio. Going from there to assume I want my browser (or all my browsers, for that matter) to support ClickOnce is one hell of a guess.

Is it so hard to accept that the installer should ask whether you want to add ClickOnce support to Firefox or not? You can already see lots of MS installers showing plenty of options about what's going to be installed and what not, so why not ask here?

The answer is quite obvious, but you can keep rambling about "ms-hatred" if that makes you happy ;)

Of course they can. That's the point of even installing .NET!

The very fact that there are so many guides on the web explaining how to remove it doesn't seem to point to that conclusion.

I think you're confusing this and a "security vulnerability", though. As I've asked twice before: proof, please, not over-recycled paranoid anti-MS hype. Let's do it a third time, shall we? So again: proof of your claims that ClickOnce introduces a security vulnerability, please.

Getting the ability to run software from a web site without the user's knowledge of such a new feature being added is in itself a security vulnerability (an extra, unnecessary attack vector, if you prefer), more so when the user can be prompted to allow permission elevation... social engineering ahoy.

Even more: by default it doesn't ask the user whether he wants to run the application or not (at least it didn't, not sure if that has been fixed).

Link to comment

AFAIK Java doesn't install a Firefox extension, nor does it modify the user agent string.

No, Java doesn't install an extension, but it does install a system-wide NSAPI plugin for *gasp* ALL non-IE browsers, system-wide, that cannot be easily removed, AND doesn't cause Firefox to alert the user after installation. For some reason unknown to me people seem to be much more tolerant of this.

As for modifying the user agent string, your arguments are getting so absurd I don't even know where to begin. Does ClickOnce transform your UA into an Internet Explorer one? Does it even make you seem like you're using another browser? No, it merely appends the version of .NET installed on your machine so websites can easily find out that information and serve you the correct code, but I guess even that is too evil for some people to stomach.

What's next? "OH NOES, .NET ADDED AN ENTRY TO MY START MENU!!!"?

The reasons to install .NET might vary, and it could be as simple as installing a service pack for Visual Studio. Going from there to assume I want my browser (or all my browsers, for that matter) to support ClickOnce is one hell of a guess.

It's no different from what programs like Java, Skype, Adobe etc. have been doing for years. But I guess it's outrageous and despicable only when it's Microsoft...

Is it so hard to accept that the installer should ask whether you want to add ClickOnce support to Firefox or not?

It would be nice, I'll agree with you on that. But "should"? No, I don't see anything wrong about a program that, given permission by the user to install, installs its own components that it needs to function without prompting the user about every single thing that goes on behind the scenes. Yes, it'd be nice for Microsoft to go that extra mile. I don't, however, see the logic in criticizing them for not doing so.

On the other hand, the question should be: is it so hard to accept that Firefox poses enormous security threats to the user by not allowing them to manage Firefox extensions even when they have administrator-level access?

Getting the ability to run software from a web site without the user's knowledge of such a new feature being added is in itself a security vulnerability (an extra, unnecessary attack vector, if you prefer), more so when the user can be prompted to allow permission elevation... social engineering ahoy.

Going by your definition, Java is a security flaw, Flash is a security flaw, Acrobat reader is a security flaw. Hell, Firefox is a security flaw, since it has a cross-platform extensions system exploitable by malware, as this post shows... social engineering ahoy.

Link to comment

No, Java doesn't install an extension, but it does install a system-wide NSAPI plugin for *gasp* ALL non-IE browsers, system-wide, that cannot be easily removed, AND doesn't cause Firefox to alert the user after installation. For some reason unknown to me people seem to be much more tolerant of this.

So two wrongs make a right... awesome reasoning there.

As for modifying the user agent string, your arguments are getting so absurd I don't even know where to begin. Does ClickOnce transform your UA into an Internet Explorer one? Does it even make you seem like you're using another browser? No, it merely appends the version of .NET installed on your machine so websites can easily find out that information and serve you the correct code, but I guess even that is too evil for some people to stomach.

As long as you didn't intend to support ClickOnce, yes, it's annoying not only getting that but also going around announcing you do.

It's no different from what programs like Java, Skype, Adobe etc. have been doing for years. But I guess it's outrageous and despicable only when it's Microsoft...

First: I didn't bring up this issue nor did I compare with other programs, I'm just commenting on it.

Second: oh poor MS... cry me a river.

I don't, however, see the logic in criticizing them for not doing so.

Interestingly enough MS themselves did, and fixed that.

Going by your definition, Java is a security flaw, Flash is a security flaw, Acrobat reader is a security flaw. Hell, Firefox is a security flaw, since it has a cross-platform extensions system exploitable by malware, as this post shows... social engineering ahoy.

And they all are attack vectors, aren't they?

The difference is whether you knowingly install something or you get it silently installed in the background.

Link to comment

So two wrongs make a right... awesome reasoning there.

There are no wrongs. As far as I'm concerned, Java is perfectly justified in doing that. Unlike some people who ignore Sun and Adobe's "wrongs" for years and raise a ruckus only when Microsoft does it, I like to believe that I have a consistent stand.

As long as you didn't intend to support ClickOnce, yes, it's annoying not only getting that but also going around announcing you do.

"Support" ClickOnce?

Your logic is getting more and more incomprehensible. Personally, I don't understand the rationale behind opting to install a program, yet feel so strongly against one of its vital components that is needed for it to function properly, so much that you're not even willing to have a string so that websites can identify the version of the program you're using.

ClickOnce is the .NET Framework. If you really hate it so much, uninstall it. Nobody's holding a gun to your head. I don't get the point of keeping it installed and whining about the UA.

Second: oh poor MS... cry me a river.

It's amusing how normally intelligent people are susceptible to such ridiculous, idiotic hype thanks to their blind hatred for Microsoft, yet complain as though they're being bullied when they get called out for it.

And they all are attack vectors, aren't they?

The difference is whether you knowingly install something or you get it silently installed in the background.

So the moral of the story is that if you don't want any attack vectors, don't install any software on your machine?

I'm still waiting for your proof that ClickOnce introduces a vulnerability btw. Present evidence that it allows unauthorized malicious code to run silently, please.

Link to comment

There are no wrongs. As far as I'm concerned, Java is perfectly justified in doing that. Unlike some people who ignore Sun and Adobe's "wrongs" for years and raise a ruckus only when Microsoft does it, I like to believe that I have a consistent stand.

I can't remember the last time I installed JRE, so I can't tell how it goes about its plugins.

I just found it amusing that you had to jump to Java to justify .NET, apparently implying that I have double standards... an ill-concealed ad hominem, maybe?

Your logic is getting more and more incomprehensible. Personally, I don't understand the rationale behind opting to install a program, yet feel so strongly against one of its vital components that is needed for it to function properly, so much that you're not even willing to have a string so that websites can identify the version of the program you're using.

ClickOnce is the .NET Framework. If you really hate it so much, uninstall it. Nobody's holding a gun to your head. I don't get the point of keeping it installed and whining about the UA.

.NET Framework is also a dependency for other programs that certainly don't require ff to support ClickOnce.

It's amusing how normally intelligent people are susceptible to such ridiculous, idiotic hype thanks to their blind hatred for Microsoft, yet complain as though they're being bullied when they get called out for it.

What's interesting is how some people jump in defense of their beloved object of adoration, and dismiss any dissenting opinion with the "MS-hate" argument.

So the moral of the story is that if you don't want any attack vectors, don't install any software on your machine?

As long as you don't need it, certainly.

I'm still waiting for your proof that ClickOnce introduces a vulnerability btw. Present evidence that it allows unauthorized malicious code to run silently, please.

I guess you'll pass on commenting the "run software without user prompt" and "being able to elevate permissions" on a piece of software that, as far as the user knows, shouldn't be able to do that.

Link to comment

I just found it amusing that you had to jump to Java to justify .NET, apparently implying that I have double standards... an ill-concealed ad hominem, maybe?

"Had to"?

It's a perfectly valid argument that you, unfortunately, seem to be unable to refute. The fact is that other programs have been silently installing plugins into Firefox for a long, long time, but apparently it's only unethical when Microsoft does it. Perhaps you would have a different name for what other people usually call double-standards, I wouldn't know.

.NET Framework is also a dependency for other programs that certainly don't require ff to support ClickOnce.

It's also a dependency for embedded applets in web pages that DO require ff to support ClickOnce.

Going by your logic, Java is also a dependency for other programs, compiled into Java bytecode, that don't require Firefox to support Java. But of course, it's evil only when Microsoft does it...

What's interesting is how some people jump in defense of their beloved object of adoration, and dismiss any dissenting opinion with the "MS-hate" argument.

I'm just allergic to bulls***, and hence try to combat it wherever I see it. It's usually present in copious amounts whenever Microsoft and Mozilla are involved, as you've so demonstrated. Never mind that other runtime environment programs have been doing this for years without so much as a squeak of protest, never mind that this whole fiasco started because Firefox does not allow users to remove extensions it automatically loads and installs without asking the user, it's all Microsoft's fault.

The level of fanboyism in this thread is simply sickening.

As long as you don't need it, certainly.

So what's the problem? If you don't need it, remove or disable it.

I guess you'll pass on commenting the "run software without user prompt" and "being able to elevate permissions" on a piece of software that, as far as the user knows, shouldn't be able to do that.

Because your comments are just that - comments. Not proof. Provide evidence to back up your claims, please.

Link to comment

apparently it's only unethical when Microsoft does it. Perhaps you would have a different name for what other people usually call double-standards, I wouldn't know.

Quote me saying that. Easier yet: quote me even implying it in any way ;)

But of course, it's evil only when Microsoft does it...

See above.

never mind that this whole fiasco started because Firefox does not allow users to remove extensions it automatically loads and installs without asking the user, it's all Microsoft's fault.

Already explained why.

MS admitted the issue and fixed it, but apparently your level of "MS does no wrong" goes beyond MS's own.

If you don't need it, remove or disable it.

That was exactly the problem :rofl:

Because your comments are just that - comments. Not proof. Provide evidence to back up your claims, please.

So you are saying that the extension didn't, by default, allow to execute programs without confirmation?

Well, if it hasn't been fixed already (as I said before) just install it and check yourself the default settings, there's no better proof than that.

Link to comment

Quote me saying that. Easier yet: quote me even implying it in any way ;)

Why not just make your stand clear? Do you intend to say that programs like Java and Flash are malware because they install irremovable plugins into Firefox that allow Firefox to run code from websites?

MS admitted the issue and fixed it, but apparently your level of "MS does no wrong" goes beyond MS's own.

You just jacked up the fanboyism to a whole new level. Just because Microsoft changes the default behavior, automatically means they are in the wrong? Because Mozilla adamantly insists up till now that users shouldn't be allowed to uninstall extensions, means Mozilla is right?

I'm sorry, but what kind of bulls*** is this?

That was exactly the problem :rofl:

Exactly. Firefox's flawed handling of its extensions system is a risk for its users. This time it was only a benign plugin for Microsoft, but as this thread has demonstrated, malware extensions are well on their way.

So you are saying that the extension didn't, by default, allow to execute programs without confirmation?

So you are saying you actually have no idea whether the claims you were pulling out of your rear end were even correct at all?

As I've said, it's amusing how normally intelligent people are susceptible to such ridiculous, idiotic hype thanks to their blind hatred for Microsoft.

Link to comment

The problem with the Microsoft plugin was that they specifically set the flag for users to not be able to uninstall it through Firefox's UI. Firefox allows this for system admins to install extensions that they don't want users to be able to uninstall. Microsoft had no business doing this without permission since it wasn't a corporate IT department that installed the plugin.

Link to comment

This topic is now closed to further replies.