Shady Microsoft Plugin Pokes "Critical" Hole In Firefox Security - tvon
http://gizmodo.com/5383413/shady-microsoft-plugin-pokes-critical-hole-in-firefox-security
======
briansmith
Adobe, Skype, and almost every client software developer automatically and
silently adds plugins to Firefox and other browsers. I recommend looking at
your list of Firefox add-ons now (especially the plugins tab) and see how many
of them were never specifically added to Firefox by you.

This is the kind of situation where the software vendor is damned if they do
and damned if they don't. Mozilla simultaneously complains when they aren't
getting the same treatment as IE, and when they do. People hate multi-page
installation wizards that ask them to check all kinds of boxes; people hate
when the software decides automatically what to do in order to avoid those
pages of checkboxes.

~~~
axod
Why doesn't Firefox make it so that the only way a plugin can be installed is
with user confirmation? I'd never want a plugin automatically installed
without knowing about it (I've never had that happen, but it may be different on
OS X).

~~~
swolchok
That's impossible under traditional system configurations. Windows Update can
always update whatever "user has confirmed" record Firefox stores, because it
has administrative access to the machine.

~~~
axod
Surely just make the [user confirmed plugin install] update something with a
secret hash token.

When Firefox starts, it checks that each plugin has been explicitly accepted by the
user. If not, it alerts them.

Sure, you could reverse engineer the signing token, and hack around it, but
that wouldn't get you many friends.
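
An added illustration of the check axod sketches above (example code written for this page, not anything from Firefox or the thread): the browser keeps a manifest of plugins the user explicitly accepted, each entry carrying an HMAC over the plugin name and file hash under a locally stored key, and at startup every installed plugin is compared against it. The plugin directory, file contents and key are constructed in-memory samples. As swolchok points out in the reply, anything running with administrative rights can read the key and rewrite the manifest, so this detects silent drops by well-behaved installers rather than resisting a determined attacker.

```python
import hashlib
import hmac
import os


def fingerprint(contents: bytes) -> str:
    """SHA-256 of a plugin file's bytes, as hex."""
    return hashlib.sha256(contents).hexdigest()


def acceptance_tag(key: bytes, name: str, digest: str) -> str:
    """HMAC binding a plugin name to its hash under the browser's local key."""
    return hmac.new(key, f"{name}:{digest}".encode(), hashlib.sha256).hexdigest()


def record_acceptance(manifest: dict, key: bytes, name: str, contents: bytes) -> None:
    """Called only after the user clicks 'accept' for this plugin."""
    digest = fingerprint(contents)
    manifest[name] = {"sha256": digest, "tag": acceptance_tag(key, name, digest)}


def check_plugins(manifest: dict, key: bytes, installed: dict) -> list:
    """Startup check: return one alert string per plugin that was never
    accepted, was altered since acceptance, or whose manifest entry does
    not verify (for example, written by an installer without the key)."""
    alerts = []
    for name, contents in sorted(installed.items()):
        entry = manifest.get(name)
        if entry is None:
            alerts.append(f"{name}: installed without user acceptance")
            continue
        expected = acceptance_tag(key, name, fingerprint(contents))
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, entry["tag"]):
            alerts.append(f"{name}: changed since acceptance or manifest entry not verified")
    return alerts


def demo(key: bytes = b"constructed-fixed-key-for-demo") -> list:
    """Walk through three cases with constructed plugin contents."""
    manifest = {}
    # Case 1: the user accepted this plugin, so it is recorded properly.
    record_acceptance(manifest, key, "npflash.dll", b"flash player plugin bytes v1")
    # Case 2: an installer dropped a plugin into the directory and also
    # wrote a manifest entry, but without the key the tag cannot verify.
    wpf_bytes = b"wpf plugin bytes"
    manifest["npwpf.dll"] = {"sha256": fingerprint(wpf_bytes), "tag": "0" * 64}
    # Case 3: a plugin that was never recorded at all.
    installed = {
        "npflash.dll": b"flash player plugin bytes v1",
        "npwpf.dll": wpf_bytes,
        "npmystery.dll": b"no record of this one",
    }
    return check_plugins(manifest, key, installed)


if __name__ == "__main__":
    # Stand-alone run uses a random per-machine key, as a browser would.
    for line in demo(os.urandom(32)):
        print("ALERT:", line)
```

A silent update that replaces an accepted plugin's file is also caught, because the tag covers the hash: `record_acceptance` would have to be run again, which only happens through the user-facing prompt.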

~~~
swolchok
Neither does including anti-Microsoft code in your product. (It doesn't
protect against shadier players, because those don't care about having
friends.)

~~~
axod
That's not anti-MS. That's just good security. I'd like to know when something
is messing with my browser executable.

~~~
swolchok
Like I said, it's not effective. If malware wants to futz with your browser
executable, it's just going to patch the executable, not conveniently go
through the plugin interface around which you've designed some forgeable
security token.

------
tlrobinson
I seem to recall Microsoft criticizing Chrome Frame for making IE less secure
just a few weeks ago...

~~~
briansmith
I wonder if people who support this move would support Microsoft adding Chrome
Frame to IE's ActiveX blacklist under the same circumstances.

~~~
alexandros
If it made IE vulnerable to a drive-by owning, and was installed without the
express permission of IE's users? I find it hard to imagine an argument
against blacklisting it. So far all we have is conjecture though.

------
tialys
Great... I actually JUST got a popup from Firefox about this. This is why I
don't use my old windows laptop for anything important.

~~~
LogicHoleFlaw
Ack, I got this notice from Fx last night. Yikes!

~~~
paul9290
Yeah, me too. I was confused, and after reading this I removed it from my Windows
Vista laptop. Damn MICROSOFT! Just kill IE already!

------
RevRal
The only reason I kept from switching to Opera was that I would have to re-
learn some keyboard shortcuts.

But you know what? I don't care anymore. Firefox has become too bloated
anyway, and this just seals the deal.

~~~
endtime
You can actually remap all the Opera keyboard shortcuts to match your
preferences - it's reasonably robust.

Tools -> Preferences -> Advanced -> Shortcuts

------
mtarnovan
From a legal point of view, how can they justify silently, and without my
approval, modifying non-Microsoft software running on my computer?

~~~
viraptor
They didn't modify FF. FF includes a way to use plugins. They just put a
plugin in a specified place. They didn't really change anything about other
programs.

~~~
mtarnovan
I'm not talking about technical aspects here. Firefox had no known security
holes before the update. They clearly modified it in some way. How they did it
is irrelevant. They should be liable, whether they modified FF directly or
indirectly via plugins etc. What they did fits the definition of malware to
the letter: <http://en.wikipedia.org/wiki/Malware>

(Oh, and for the record, I'm not an anti-MS zealot; it's just kind of scary to
think about the power MS has to push updates to HUNDREDS of millions of PCs. I
think with that power should also come great responsibility.)

------
thras
The patch has been out for a week. You've already got it if you're running
Windows update. Firefox's reaction was all post-patch.

Lots of things install themselves in your browser to work. Acrobat, Java, etc.
(In fact, the add-in is mostly equivalent to Java.)

I don't have sympathy with people who are worried about running a few thousand
lines of Microsoft code on a platform that already contains hundreds of
millions of lines of it.

On the other hand, the lack of uninstall is just bad. Microsoft is reliable
about shooting itself in the foot, that's for sure.

~~~
TomOfTTB
There's a distinction though. Acrobat, Java, and others all asked to be let
into Firefox. They update silently after that but they initially asked
permission. If Microsoft made a .Net Assistant plug-in I can't imagine people
would be upset.

But using Windows Update (which most expect to update "Windows", not your other
programs) is, imho, sneaking it in.

~~~
patio11
This is the geek's way of looking at the world, where we are God Lord and
Master of all bits on our computer.

The average user is _not_. They do not understand that the browser and the
operating system are separate. For that matter, they don't understand that the
browser is not the Internet or Google.

(If you've ever done technical support for a web application with
non-technical end users, you end up answering many, many fun questions such as
"I signed up for your website at home -- can I also use it at school? My email
address there is different.")

Asking users to make complex install/update/etc decisions is _asking users to
fail_. They should be presented with sensible defaults and a minimum of fuss.
Windows Update is quite sensible: "This comes turned on. Turn it off only if
you understand what you're doing. As long as you keep it on, we'll keep you
mostly covered." Installing ActiveX, Java, Adobe PDF Reader, and Flash by
default is also very sensible, because otherwise many users will have "The
Internet is broken!" experiences.