Sneaky Microsoft plug-in puts Firefox users at risk

[Eice]

:laugh:

Oh yes, go to go back to a more unsecure browser just because mozilla blocks an extension. Boo Hoo.

If your definition of a "more unsecure browser" is one that DOESN'T keep springing a handful of critical security vulnerabilities every few months... hey, to each his own.

[+Warwagon MVC]

If your definition of a "more unsecure browser" is one that DOESN'T keep springing a handful of critical security vulnerabilities every few months... hey, to each his own.

Or the definition could be one that takes a month to fix a handful of security vulnerabilities rather than a few days.

Edited October 18, 2009 by warwagon

[Eice]

Or the definition could be one that takes a month to fix a handful of security vulnerabilities rather than a few days.

If you think that's less palatable than a product that sells a fake image of everything being watertight and hunky-dory until the next update reveals just how many holes had actually been existing during all those months... again, to each his own.

[arrrgh]

If you think that's less palatable than a product that sells a fake image of everything being watertight and hunky-dory until the next update reveals just how many holes had actually been existing during all those months... again, to each his own.

I know this is a wasted effort but what the hell.

Mozilla is hands down the most open browser vendor when it comes to security vulnerabilities. If they wanted to sell a fake image of "everything being watertight and hunky-dory" then their security bugs would remain hidden and update change logs would say "fixed multiple issues". Whatever browser you prefer is going to have much more secretive vulnerability publishing policy than Mozilla.

[Xerxes]

Firefox automatically detected it and disabled it....that explains why!

[+Warwagon MVC]

A part of me kind of likes this method of doing things. Lets take the average user for example. Wouldn't it be great if Microsoft would just disable windows if the user hasn't done his or her updates. when trying to log in everything would be disabled the, desktop would be gone all they would see is "windows update". Then all these morons that still have xp sp1 or sp2 and vista with no service pack or sp1 will get there ass updated. I hear it all the time. When I ask them if they do their updates they say "Well I see the alert but I just ignore it.

[Eice]

I know this is a wasted effort but what the hell.

Mozilla is hands down the most open browser vendor when it comes to security vulnerabilities. If they wanted to sell a fake image of "everything being watertight and hunky-dory" then their security bugs would remain hidden and update change logs would say "fixed multiple issues". Whatever browser you prefer is going to have much more secretive vulnerability publishing policy than Mozilla.

It's a wasted effort simply because the facts aren't on your side.

Openness is not security. You can be as open as you want and still have a ****-poor security track record, as Mozilla shows. And if you actually buy the spiel that just because bugs are declassified means the product is secure (I truly and sincerely hope you don't), you're also a shining example of how Mozilla continues to successfully foist its "we're secure!" hype onto the Internet community at large.

If you don't want your efforts to be wasted, may I make the suggestion of presenting some logically sound arguments instead next time.

Wouldn't it be great if Microsoft would just disable windows if the user hasn't done his or her updates. when trying to log in everything would be disabled the, desktop would be gone all they would see is "windows update".

:blink: Come on. Are you blardy serious. Even Linux programmers who scoff at everything regarding usability would be seriously ****ed up to even consider something like that.

You make about as much sense as the quote in your sig.

[toadeater]

This was discussed some time ago, and someone jumped infuriated on the suggestion that it could introduce a new extra attack vector.

Well, there you go.

Not to mention how MS attacked Google for that Chrome frame thing. What's worse, a user willingly installing Chrome, or MS silently installing "plugins" into other companies' software? Not just a silent install, but also one without an uninstaller! There's absolutely no excuse for doing something like that.

Is there an official uninstaller for it yet?

[arrrgh]

It's a wasted effort simply because the facts aren't on your side.

Openness is not security. You can be as open as you want and still have a ****-poor security track record, as Mozilla shows. And if you actually buy the spiel that just because bugs are declassified means the product is secure (I truly and sincerely hope you don't), you're also a shining example of how Mozilla continues to successfully foist its "we're secure!" hype onto the Internet community at large.

If you don't want your efforts to be wasted, may I make the suggestion of presenting some logically sound arguments instead next time.

Openness helps security, more eyes looking for security issues results in more secure application.

But that's beside the point since I said no such thing in my post, you claimed that Mozilla tries to sell themselves as more secure than they actually are and are hiding security problems. I simply pointed out that they obviously don't do anything like that, all their vulnerabilities are clearly available for public inspection so I don't see how even you can claim that they are doing something dishonest in this aspect.

[ilev]

None of this is accurate.

Yes, you are only licensing the software. However, you have the right to use your license as purchased, and they can't just 'stop it from running'.

Yes they can, and they DO, like shutting down PC's when they think the OS is pirated even if it is not.

[Eice]

Openness helps security, more eyes looking for security issues results in more secure application.

That's how it's supposed to be on paper. Reality, on the other hand, has shown us that Firefox simply keeps on springing leaks like no tomorrow.

But that's beside the point since I said no such thing in my post, you claimed that Mozilla tries to sell themselves as more secure than they actually are and are hiding security problems. I simply pointed out that they obviously don't do anything like that, all their vulnerabilities are clearly available for public inspection so I don't see how even you can claim that they are doing something dishonest in this aspect.

Except that the thing is that you don't have to be (entirely) dishonest to paint a dishonest picture, especially when the masses of fanboys are willing to swallow whatever propaganda Mozilla tosses out at them.

Mozilla tries to sell Firefox as a more secure product than it really is, not by hiding security problems, but by shifting the attention elsewhere and telling people that's what they should be looking at. Multiple critical security vulnerabilities that keep popping up nonstop every few months? It's all cool, we'll just play whack-a-mole and fix them as fast as we can. Nothing to worry about, we're definitely the most securest browser ever!

And it's really sad when the fanboys buy this, hook, line, and sinker.

I don't know what's going wrong at Mozilla. But I think it may be worthwhile for them to take a step back and re-examine the fundamental way they do things, instead of continuing to leak security problems like crazy while stringing the gullible masses along with lame excuses like "we're open-source!" and "let's blame M$!".

[arrrgh]

That's how it's supposed to be on paper. Reality, on the other hand, has shown us that Firefox simply keeps on springing leaks like no tomorrow.

But... that's exactly what I said, more eyes find more security issues. That's why you get frequent updates on Firefox, Mozilla contributors and security researchers find problems and Mozilla fixes them. I doubt you can find a security professional who thinks this is somehow bad.

Edit: I should add that I haven't seen Mozilla focus on security for a long time (since IE 6 days when Microsoft left critical vulnerabilities unpatched for months, http://www.washingtonpost.com/wp-srv/techn...x20070104.html). Truth is that all current browsers are very secure as long as you keep them updated. Browser plugins are much more dangerous than any browser itself.

Edited October 18, 2009 by macel

[toadeater]

I demand that MS issue an uninstaller for this malicious plugin I DID NOT WANT INSTALLED.

[joker999]

After i read this thread.

is that fine? I havent touch. :huh:

[Ci7]

I demand that MS issue an uninstaller for this malicious plugin I DID NOT WANT INSTALLED.

typical MS basher

you can clearly uninstall , within two clicks

also to add to the point , we clearly "authorized" installation of .NET ....so

[MikeChipshop Member]

Fair enough they (mozilla) took action to disable a security threat (be it an already patched vulnerability) but i would like the choice to be mine... A pop up with information and links and the option to either turn it off or keep it, would be what i would like to have seen.

[Eice]

But... that's exactly what I said, more eyes find more security issues. That's why you get frequent updates on Firefox, Mozilla contributors and security researchers find problems and Mozilla fixes them. I doubt you can find a security professional who thinks this is somehow bad.

That's because, by itself, it's not a bad thing. Except that you're falling for Mozilla's misdirection trick yet again. Have you ever bothered asking the question of why are there so many holes to be found and fixed in the first place? THAT'S the question Mozilla hopes that you won't think of.

Edit: I should add that I haven't seen Mozilla focus on security for a long time (since IE 6 days when Microsoft left critical vulnerabilities unpatched for months, http://www.washingtonpost.com/wp-srv/techn...x20070104.html).

You know, when Firefox has to be compared to a decade-old product before it can look good... doesn't it strike you that that may be an indication that there's a very big problem somewhere?...

[Guest]

I think the extension being disabled automatically is a good thing for the "normal" end user that doesn't really know/care about what is installed.

[arrrgh]

That's because, by itself, it's not a bad thing. Except that you're falling for Mozilla's misdirection trick yet again. Have you ever bothered asking the question of why are there so many holes to be found and fixed in the first place? THAT'S the question Mozilla hopes that you won't think of.

Except, again, you just acknowledged yourself that more eyes on the code leads to more discovered bugs. This is the reason why there are more security updates for Firefox. It's mentioned several times on Mozilla's Firefox page, they are definitely not hiding it.

You know, when Firefox has to be compared to a decade-old product before it can look good... doesn't it strike you that that may be an indication that there's a very big problem somewhere?...

Now you are just getting desperate. Firefox was compared to IE6 at that time because it was Firefox's main competition. IE6 still has good 15% market share, these users are the main target of all "alternative" browsers since they, for whatever reason, have decided not to update to IE7/8.

[Eice]

Except, again, you just acknowledged yourself that more eyes on the code leads to more discovered bugs. This is the reason why there are more security updates for Firefox. It's mentioned several times on Mozilla's Firefox page, they are definitely not hiding it.

The reason why there are more security updates for Firefox, as I have already mentioned, is that there are a LOT of bugs to be found. Three times more than the next most vulnerable browser in 2008, in fact. Yes, having a bunch of engineers scrambling to fix a ship that pops leaks constantly is better than not fixing the leaks at all. But is that ship better compared to others that DON'T leak? Not by a long shot.

Now you are just getting desperate. Firefox was compared to IE6 at that time because it was Firefox's main competition. IE6 still has good 15% market share, these users are the main target of all "alternative" browsers since they, for whatever reason, have decided not to update to IE7/8.

I'm desperate? Coming from a guy who's comparing Firefox to a product released all the way back in 2001, and trying to claim what a crowning glory it is for Firefox to win that matchup, that's actually quite funny.

I don't know about you, but personally I don't think that reliving whatever past glories Mozilla might've had has any bearing on the present situation. There are plenty of modern web browsers that Firefox is actually competing against in the here and now, and it's not that hard at all to make a more relevant comparison if you want to.

[BoredBozirini]

And I suppose IE7/8 is leak free, right?

LOOOOL

[tunafish]

Oh this is going to be fun, i dont wanna go in the office monday to phone calls saying my firefox .net plugin wont work etc etc.

Well looks like back to IE in the office, good job mozilla really good job. NOT!

Next time how about you do some form of flipping check to make sure it's patched or a dam hey yer lets disable this option. As i know FULL WELL my dam office is upgraded with all the latest windows updates thanks to our WSUS server.

So please dont assume we need to be wrapped in cotton wool, as ya know some IT Guys are kind of very good with network security and sometimes know whats best for their network and ops.

Also at the end of the day it not you that has to have a meeting with a manager and higher up people explaing why we are having browser downtime and that its all due to you deciding to blacklist a plugin.

We figured hey yer lets trial firefox, well i now know what the first thing will be said to me in the meeting and im gonna agree with them.

[M_Lyons10]

I'm glad they patched it, but I don't see the issue in releasing a plugin like this. It allows you to view .Net components in your browser...

Microsoft isn't the only company releasing add-ins with their software either. Symantec has done it I know off the top of my head, and I'm sure others have as well...

[Ci7]

Oh this is going to be fun, i dont wanna go in the office monday to phone calls saying my firefox .net plugin wont work etc etc.

Well looks like back to IE in the office, good job mozilla really good job. NOT!

Next time how about you do some form of flipping check to make sure it's patched or a dam hey yer lets disable this option. As i know FULL WELL my dam office is upgraded with all the latest windows updates thanks to our WSUS server.

So please dont assume we need to be wrapped in cotton wool, as ya know some IT Guys are kind of very good with network security and sometimes know whats best for their network and ops.

Also at the end of the day it not you that has to have a meeting with a manager and higher up people explaing why we are having browser downtime and that its all due to you deciding to blacklist a plugin.

We figured hey yer lets trial firefox, well i now know what the first thing will be said to me in the meeting and im gonna agree with them.

+1000

[LUTZIFER]

I don't get why it says "Sneaky" for the plug-in mentioned.

Ther's tons of plug-ins that get added into Firefox without the users knowedge.

Like Apple, and Adobe, etc. etc.

I've known all along what plug-ins I've had, becuz I look in the Add-ons window quite often, which I'd imagin the average Mozilla user does, seeing is that most probably add extensions and themes, so they'd see the plug-ins listed.

I don't see the big fuss anyways. Only thing that I wonder, is what will not having the .Net plug-in affect.

Also, as far as I know, it was the users choice to install .Net in Windows in the first place, which would add a plug-in to not only FF, but IE too, which people should know anyways.