Sneaky Microsoft plug-in puts Firefox users at risk

[svnO.o]

I got the same message about the WPF addon in Firefox.

[Numpad]

:| This is seriously strange....

i clicked on this thread and started to read with interest then this popped up!!

What great timing is that!!! :D

[ichi]

It's not a secret Firefox installation. The plug-in is installed as part of the .NET Framework and Firefox picks it up automatically. If anything, we should complain to Mozilla for the browser not asking if the "found" plugin should be added. Their methodology could easily activate a hidden malware plugin the same way.

The installer could bypass any checking done by firefox anyway, there's really not much point in implementing such thing.

[Randolph]

Fail.

lol

[ilev]

That's what I'm sayin'. I bet Mozilla wouldn't have liked it if Microsoft had uninstalled and blacklisted Firefox due to the crypto spoofing flaw.

You are forgetting one thing. Windows OS is not your even after you've paid for it. You just bought the right to use it, like a lease.It is Microsoft's which controls the OS completely and has the right to wipe the OS, stop it from running, install what ever Microsoft want.... and there is nothing you can do about it apart from formating and moving to free OS, like Linux.....

[franzon]

"This was obviously pushed through just to make some anti-microsoftie's pud hard.

This vulnerability is completely fixed, as much as anyone can know for now in the latest updates. see http://blogs.technet.com/srd/archive/2009/...2/ms09-054.aspx

Yes, there may still be a "potential vulnerability" but that is true for every single plugin/addin and firefox itself.

Thanks for disabling something that we were already protected from that we use in line of business applications. :rolleyes:

I guess our decision to move to firefox company wide was a mistake and we'll have to push out a script to set everyone back to IE as the default browser before Monday if this isn't recalled ASAP."

https://bugzilla.mozilla.org/show_bug.cgi?id=522777#c65

Edited October 17, 2009 by franzon

[episode]

You are forgetting one thing. Windows OS is not your even after you've paid for it. You just bought the right to use it, like a lease.It is Microsoft's which controls the OS completely and has the right to wipe the OS, stop it from running, install what ever Microsoft want.... and there is nothing you can do about it apart from formating and moving to free OS, like Linux.....

None of this is accurate.

Yes, you are only licensing the software. However, you have the right to use your license as purchased, and they can't just 'stop it from running'.

[Eric Veteran]

"This was obviously pushed through just to make some anti-microsoftie's pud hard.

This vulnerability is completely fixed, as much as anyone can know for now in the latest updates. see http://blogs.technet.com/srd/archive/2009/...2/ms09-054.aspx

Yes, there may still be a "potential vulnerability" but that is true for every single plugin/addin and firefox itself.

Thanks for disabling something that we were already protected from that we use in line of business applications. :rolleyes:

I guess our decision to move to firefox company wide was a mistake and we'll have to push out a script to set everyone back to IE as the default browser before Monday if this isn't recalled ASAP."

https://bugzilla.mozilla.org/show_bug.cgi?id=522777#c65

They're really catching the crap for it now... :p

[arrrgh]

Yeah, that one guy on the internets is totally owning Mozilla!

Considering Microsoft agrees with the blacklist, I doubt any reasonable person has a problem with this.

I spoke on the phone with the responsible director at Microsoft on Friday, and

she agreed that the blocklist was the right approach. We can evaluate changes

to the blocklist in the future, and updates take effect quite quickly, but

right now both Microsoft and Mozilla are in agreement that this is the best way

to protect our mutual users.

https://bugzilla.mozilla.org/show_bug.cgi?id=522777#c56

[Subject Delta]

Gotta love how the FF devs have gotten on their high horse about this, and gone off after Microsoft with their usual Inane banter.

Although I agree that Microsoft should make the installation Optional, it has also highlighted the need for Mozilla to have a rethink of the security within their browser, and other browser vendors as well, the fact that unsigned plugins can install themselves and be activated no questions asked is worrying

[Gary2MBz]

It disabled it for me automatically, and it needs you to restart Firefox.

[Ash_09]

i know this may sound stupid , but is this anything to do with firefox throwing a random error box up at me an hour or so ago saying a couple of add-ons may cause conflicts ? i followed the link from the pop up and even tho it was the firefox google page it said invalid security certificate , but going to the same page from my normal firefox window worked without issue .

[Growled Member]

It disabled it for me automatically, and it needs you to restart Firefox.

Here too. As far as I know I don't need it anyway.

[Azusa]

so was it this add on that was causing the memory leaks?

[Eric Veteran]

so was it this add on that was causing the memory leaks?

No. The Framework Asssistant doesn't do anything except add the MIME type for .NET ClickOnce applications to Firefox so Windows can open them. I'm assuming the WPF one allows WPF applications to run on Firefox in much the same way.

[Salty Wagyu]

Stop whining, its actually a good thing Mozilla was able to block this application without any user intervention, especially those who do not read up on current security exploits.

[Eric Veteran]

Stop whining, its actually a good thing Mozilla was able to block this application without any user intervention, especially those who do not read up on current security exploits.

As I said before, it's understandable there was a security issue, but I doubt Mozilla would have appreciated Microsoft uninstalling and blocking Firefox due to its security issues. You don't just remove another company's products from a user's computer without providing explicit information why and an opt-out.

What irritates me is that it didn't have an option to leave them anyway and it didn't have a link to the patch KB article so people could just make sure they were updated rather than banning two addons that could potentially cost corporate users tens of thousands of dollars in support Monday morning.

[Ci7]

As I said before, it's understandable there was a security issue, but I doubt Mozilla would have appreciated Microsoft uninstalling and blocking Firefox due to its security issues. You don't just remove another company's products from a user's computer without providing explicit information why and an opt-out.

What irritates me is that it didn't have an option to leave them anyway and it didn't have a link to the patch KB article so people could just make sure they were updated rather than banning two addons that could potentially cost corporate users tens of thousands of dollars in support Monday morning.

+1

it really F***ing annoy me ,for one side action

if they try to pi$$ me off again , then Bye bye FireFox . Back to IE!

[Kittamaru]

wait, so how do I know if I have this? I dont' see anything strange in my addons or extensions lists o0'

[Ci7]

one last thing , how can i disable the **** that Firefox call protection, i went the addon back and on !!!!

just for heck of it

[Lord Ba'al]

Its Microsofts cunning plan to increase the bumber of security holes in rival browsers to make IE look better.

Yes. They can't win the proper way, so they're resorting to dirty tricks - as usual :pinch:

[arrrgh]

One side? They asked Microsoft and they themselves recommended blacklisting the plugin. I don't know where you guys keep pulling this crap.

[Ci7]

One side? They asked Microsoft and they themselves recommended blacklisting the plugin. I don't know where you guys keep pulling this crap.

cause Mozilla didn't ask for my consent to disable the plugin duh!

[arrrgh]

cause Mozilla didn't ask for my consent to disable the plugin duh!

ah, my bad. I thought you meant one sided in the sense that Mozilla disabled something that belongs to Microsoft behind their back.

"Soft blocks" (where in cases like this Firefox would pop up a warning dialog but wouldn't disable the extension/plugin) have actually been already checked in but the server side functionality hasn't been enabled yet so it couldn't be used in this case. Hopefully this incident gets them wrap up the server side support quickly.

Related bugs:

https://bugzilla.mozilla.org/show_bug.cgi?id=455906

https://bugzilla.mozilla.org/show_bug.cgi?id=462433

[+Warwagon MVC]

+1

if they try to pi$$ me off again , then Bye bye FireFox . Back to IE!

:laugh:

Oh yes, go to go back to a more unsecure browser just because mozilla blocks an extension. Boo Hoo.

on the same note, Microsoft ****es me off for automatically installing this extension. But I'm not going to boycott the .net framework or windows because of it.

cause Mozilla didn't ask for my consent to disable the plugin duh!

I don't remember Microsoft Asking for consent to install the plugin in the first place.