Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Sneaky Microsoft Add-On Put Firefox Users At Risk

ScuttleMonkey posted about 5 years ago | from the bad-microsoft-no-donut dept.

Security 333

CWmike writes to mention that the "Windows Presentation Foundation" plugin that Microsoft slipped into Firefox last February apparently left the popular browser open to attack. This was among the many things recently addressed in the massive Tuesday patch. "What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual 'Disable' and 'Uninstall' buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org."

Sorry! There are no comments related to the filter you selected.

except Windows 7 (4, Funny)

nurb432 (527695) | about 5 years ago | (#29772471)

Best upgrade then ya lusers!.. Here is an online form to order your shiny new pc with Windows 7..

Re:except Windows 7 (3, Informative)

Penguinisto (415985) | about 5 years ago | (#29772781)

...depends - the Windows 7 beta and RC had that nasty little habit as well. The RTM is (so far) not doing it.

In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).

To be honest though, parking a crap add-on and then blaming Firefox for any security issues over it would sound par for the course as per Microsoft... just look at how they're blaming ORacle and Sun for the Sidekick data loss (in spite of the fact that it was lost because their management apparently forgot how to spell "backup").

Re:except Windows 7 (0)

Anonymous Coward | about 5 years ago | (#29772887)

In either case, wouldn't simply disabling the add-on also work? (this is what I did, and it left me alone after that).

FTFS:

What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7

Emphasis mine.

Re:except Windows 7 (1, Interesting)

Anonymous Coward | about 5 years ago | (#29773049)

What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out ...

As is the add-on "Ubuntu Firefox Modifications"; that you get - whether you want it or not - when installing Ubuntu.

Re:except Windows 7 (1)

SilverHatHacker (1381259) | about 5 years ago | (#29773069)

sudo aptitude remove ubufox?

Re:except Windows 7 (1)

netsharc (195805) | about 5 years ago | (#29773211)

Strangely this wasn't the case for me in XP, in both home and work PCs, with Firefox 3.5.3 and the latest .NET .. uninstall worked just fine. So what's the truth? This is also a fresh (re-)install of the whole system, and last Tuesday Windows Update did say there's an update for .NET 3.5, so maybe the latest update made it uninstall-able?

Sabotage? (5, Insightful)

Reyendo (1451201) | about 5 years ago | (#29772511)

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

Re:Sabotage? (3, Interesting)

Voulnet (1630793) | about 5 years ago | (#29772609)

On the other hand MS shouldn't want Windows machines to be anymore vulnerable.

Re:Sabotage? (4, Informative)

hairyfeet (841228) | about 5 years ago | (#29772791)

And it is actually quite simple to remove with regedit. For those that want to toss it just launch regedit and go to HKEY LOCAL MACHINE > Software> Mozilla > Firefox > Extensions. There you will find both it and the Java extension, just delete and voila! No more Dotnet or Java plugins.

Re:Sabotage? (1)

Naturalis Philosopho (1160697) | about 5 years ago | (#29772939)

Thanks for the laugh. I'm not sure that the guy who modded you "informative" really got that one though.

Re:Sabotage? (4, Informative)

noundi (1044080) | about 5 years ago | (#29772617)

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?

Re:Sabotage? (1)

Thinboy00 (1190815) | about 5 years ago | (#29772949)

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

It's not paranoid, and yes they do. Making the competitor look bad is the key to success in modern politics, why would it be different in business?

Because if it looks deliberate, the FTC gets mad at you. They never actually do anything, though.

Re:Sabotage? (3, Insightful)

e2d2 (115622) | about 5 years ago | (#29772623)

Yeah, that sounds like the most likely scenario. It's not just piss poor code, no no. It's definitely a nefarious plan concocted by the Illuminati and put into action by the secret lab they have at Microsoft. First step - fuck up Firefox. Second step - Destroy national borders.

Too many movies makes you think strange things. For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP. Real life: rotary phones, paperwork in triplicate, and a gigantic fucking bureaucracy that thinks pagers are still useful.

Re:Sabotage? (4, Interesting)

jamstar7 (694492) | about 5 years ago | (#29773025)

Too many movies makes you think strange things. For instance most people see the CIA as a bunch of bad asses with cell phone watches that project holograms of your dossier into thin air while sending you messages via ESP. Real life: rotary phones, paperwork in triplicate, and a gigantic fucking bureaucracy that thinks pagers are still useful.

Or the idea of NSA 'agents' running around shooting up everything in sight (because the CIA isn't the big Boogie Man anymore). Real life: Bunch of bureaucrats overseeing a bunch of pastyfaced nerds and cubicle rats busy doing signal intercepts and codebreaking. Though the bandwidth and internet access is great, I hear...

Re:Sabotage? (0, Troll)

Ethanol-fueled (1125189) | about 5 years ago | (#29772635)

RTFA, It's a Microsoft vulnerability running on top of (within?) Firefox. Like ActiveX v2.0 for FireFox.
Microsoft owns Windows and so they can make whatever the hell they want work with it as annoyingly and as unsafely as possible, in any way that they wish.

Re:Sabotage? (3, Interesting)

Thinboy00 (1190815) | about 5 years ago | (#29772969)

Given that Nintendo is legally required to warn you prior to updating your Wii that such updates break homebrew, I cannot possibly imagine that Microsoft is allowed to break your software without your consent.

Re:Sabotage? (2, Funny)

Ethanol-fueled (1125189) | about 5 years ago | (#29773115)

It's not broken if it still works, even if it is a gaping security hole. [goatse.fr]

Re:Sabotage? (2, Funny)

Captain Spam (66120) | about 5 years ago | (#29772641)

Not really, not when it's due to a plugin they themselves installed and have their name all over. I mean, you don't consider Flash vulnerabilities to be the fault of IE or Firefox, do you? If anything (and that's a big "if" in this case), it'll be a black eye for Microsoft.

Nah, if you're going the paranoid route, it'd have been a better idea if they made this plugin under the guise of a shell company or something, then when the vulnerabilities hit the fan, have the shell complain about how "hard" it is to make a secure plugin for the "obviously inferior" Firefox, then have Microsoft suddenly pipe up about how much more secure the .NET plugin is under IE. Bonus points if the shell claims to be open-source with their reimplementation of .NET so Microsoft can attempt to discredit open-source software, too!

But we're not THAT paranoid. Are we?

Re:Sabotage? (1)

Korin43 (881732) | about 5 years ago | (#29773105)

I consider flash vulnerabilities the fault of any browser that doesn't support the canvas, video and audio tags (requiring people to use flash).

Re:Sabotage? (5, Insightful)

FlyingBishop (1293238) | about 5 years ago | (#29772643)

This is a .NET vulnerability, on MS Windows. Firefox being the vehicle is entirely Microsoft's fault as the maintainer of the .NET plugin.

Re:Sabotage? (1, Insightful)

Anonymous Coward | about 5 years ago | (#29772721)

Even if it is regular incompetence, there will be people at Microsoft who will be delighted the add-on has the advantage of discrediting Firefox, and will be considering how best to use it. That's just the nature of any large corporation. Corporations don't blush. They maximize opportunity.

Whether initial malicious intent existed or not is pretty academic now, and likely unprovable in any case. What matters is the lever is inserted, and Microsoft will definitely be considering how much weight to put on it.

(And it doesn't mean you're not paranoid if they are out to get you.)

Re:Sabotage? (0)

Anonymous Coward | about 5 years ago | (#29773079)

That pretty much was what they aimed to achieve.
Dent the apparent security of your competitors.

Usual FUD attacks really.

Re:Sabotage? (5, Insightful)

shutdown -p now (807394) | about 5 years ago | (#29773181)

Maybe it's a little paranoid, but... Doesn't Microsoft potentially benefit from Firefox vulnerabilities? I mean, IE isn't doing so well right now, and this could discredit Firefox a little.

I'm the one who found and reported one of the vulnerabilities (CVE-2009-0090 [microsoft.com] ) in this batch that affects Firefox, and I strongly doubt that it was in any way intentional - the vulnerability itself is a fairly obscure corner case in .NET bytecode validator/verifier, and, so far as I can tell, it has been there for a very long time, seemingly before WPF was even released. All in all, it looks like a genuine bug.

A testament to its obscurity is the way I encountered it - I was designing an Algol-60 compiler targetting .NET, and was looking for an efficient way to pass Algol function-type function arguments (which are effectively vararg on the caller side) without having to lift outer locals used by captured functions to heap. Only after coming up with an efficient design and testing that it works, I realized the implications of what I had just done to the verifier.

I cannot comment on CVE-2009-2529 (the second Firefox-affecting vulnerability), but I don't see how it would be any different. Really, the idea of MS deliberately adding vulnerabilities to its products in hope of marginally affecting Firefox by them (remember that IE is hit much worse...) is pretty absurd - even if you disregard the notion of business reputation when it comes to MS, it poses a very high legal liability. No-one in a sane mind would even contemplate doing such a thing.

Disclaimer: I do work for Microsoft at present, though not on the affected products. I did not work for Microsoft when I discovered and reported that vulnerability.

remember the important part (1)

poetmatt (793785) | about 5 years ago | (#29772519)

the big deal here is they never uninstalled it off the people they shoved it on. They simply gave a way to uninstall it.

Thus, now it's harder for firefox to say it's safer while said plugin is installed.

Re:remember the important part (4, Insightful)

abigsmurf (919188) | about 5 years ago | (#29772613)

The only thing worse than installing without asking is uninstalling without asking.

Re:remember the important part (0, Redundant)

flynt (248848) | about 5 years ago | (#29772715)

..., and vice-versa.

Re:remember the important part (1)

poetmatt (793785) | about 5 years ago | (#29772801)

if the first happened, it doesn't hurt to do the second as opposed to leaving in said vulnerability.

Re:remember the important part (4, Funny)

jalefkowit (101585) | about 5 years ago | (#29773057)

That's what SHE said!

(sorry, couldn't resist)

Re:remember the important part (1)

Real1tyCzech (997498) | about 5 years ago | (#29773165)

...or allowing addons to be installed without asking? :)

Re:remember the important part (1)

asa (33102) | about 5 years ago | (#29773203)

If you allow someone (in this case Microsoft through Windows Update) to install software on your machine, you're hosed if they want to hose you. A bad actor could simply replace Firefox with an "updated" version that had their desired functionality. Once you let someone run code on your machine you're hosed in the case of bad actors. In the case of good actors, they shouldn't be adding unrelated software or modifying other software on your system without your permission.

Not true (5, Informative)

Voulnet (1630793) | about 5 years ago | (#29772549)

That's not true, I have Win XP SP2, Firefox 3.5.3; and I just disabled this plugin. It CAN be disabled.

Re:Not true (1)

jargon82 (996613) | about 5 years ago | (#29772605)

Agreed. I just brought it up in a firefox install on XP SP3. The disable and uninstall options are both available. Don't know if this is just poor reporting or if perhaps ANOTHER ms patch "fixed" the uninstall and disable options. Anyone know? Either way, it's retarded that they pushed it out in the first place.

Re:Not true (1)

noundi (1044080) | about 5 years ago | (#29772653)

Agreed. I just brought it up in a firefox install on XP SP3. The disable and uninstall options are both available. Don't know if this is just poor reporting or if perhaps ANOTHER ms patch "fixed" the uninstall and disable options. Anyone know?

Either way, it's retarded that they pushed it out in the first place.

The disable button has always been working for me on XP SP3, the uninstall however had not. I remember it wasn't working even months after it was installed on my work PC. Since then I've dumped a clone image and made sure to pick that update out so I wouldn't know the current status.

Re:Not true (4, Informative)

The Moof (859402) | about 5 years ago | (#29772711)

Originally, you couldn't uninstall the extension. Microsoft did eventually release a patch that activated the Uninstall button, it's been out for a while now. I even think Slashdot had a story about the patch that enabled the button. Still patiently waiting for Sun to give me the same option with "Super Cool Java Firefox Extension"...

(Going to the Advanced Settings in Java under the Control Panel to uninstall a Firefox extension is unacceptable. I also wish they'd clean up their plug-ins when they update.)

Re:Not true (2, Informative)

Martin Blank (154261) | about 5 years ago | (#29772963)

Original reporting from 09 Feb 09: Microsoft Update Slips In a Firefox Extension [slashdot.org]

Follow-up with removal instructions from 05 Jun 09: MS Issued a Fix For Its Unwanted FireFox Extension [slashdot.org]

The second article notes that the fix was actually issued in early May.

Re:Not true (4, Interesting)

Neon Spiral Injector (21234) | about 5 years ago | (#29772645)

That may not be entirely true. Have a look at this:
http://adblockplus.org/blog/the-return-of-net-framework-assistant [adblockplus.org]

WPF not Assistant (2, Informative)

NoYob (1630681) | about 5 years ago | (#29772817)

The Adblock guy is talking about the Assistant. Unless I'm misunderstanding the issue, the problem is with the WPF plugin. Windows Presentation Foundation [technet.com] - that's the vector.

Nevermind - I am confused (1)

NoYob (1630681) | about 5 years ago | (#29772941)

'nuff said.

Me too. (1)

NoYob (1630681) | about 5 years ago | (#29772839)

Mine disables fine. XP, FF 3.5.3

Almost (3, Insightful)

Kell Bengal (711123) | about 5 years ago | (#29772557)

I went through the process of removing the plug-in. While I was incensed that it was installed without so much as a by-your-leave, the removal method I used didn't require registry hacks or anything so high falutin.

That said, I should not have had to have gone to any such effort in the first place.

Re:Almost (0)

Anonymous Coward | about 5 years ago | (#29772583)

This is why you should read the release notes before you install software. This is also why introducing new functionality through Windows Update is a bad idea.

Re:Almost (0)

Anonymous Coward | about 5 years ago | (#29772625)

People want that functionality and cry when it's not in Firefox.

Regardless the plugin is very simple to disable by clicking the disable button in Addons. I can see how Linux users using Windows might be confused with it being in such an easy place to find.

Re:Almost (1)

Trigun (685027) | about 5 years ago | (#29772723)

What functionality I don't want is having to upgrade messenger, and finding that it switched a bunch of crap in my browser, like searching from the address bar, and having to go through the chrome settings to fix it.

I thought that I read the disclaimers, but apparently not well enough. But I'm sure that it never said "Replace the default search in Firefox with Bing!"

I know that it wasn't Ballmer stating to do this, but some marketing drone talked to some codemonkey about getting Bing out there, and the end result was that I had to remove what is essentially crap adware and corporate shenanigans from my browser.

Re:Almost (2, Insightful)

v1 (525388) | about 5 years ago | (#29772827)

This is why you should read the release notes before you install software.

And the 109 page EULA. Don't forget to read all of that too. Pay particular attention to the 215+ word long sentences with words so long they wrap the window and stump your dictionary.

Read everything

Re:Almost (1)

jamstar7 (694492) | about 5 years ago | (#29773073)

This is why you should read the release notes before you install software. This is also why introducing new functionality through Windows Update is a bad idea.

That's all very well and good for legitimate software. Haven't noticed much malware with release notes and opt-outs. And from what I've seen of the previous 'patch', it installed it as part of the .NET upgrade. 'Consent' was implied by activating the 'Allow Upgrades' button at the system level.

Had no idea... (1)

Jaysyn (203771) | about 5 years ago | (#29772565)

I had no idea about this plug-in. Thanks for the links to getting it fixed / removed.

Your official guide to the Jigaboo presidency (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29772581)

Congratulations on your purchase of a brand new nigger! If handled properly, your apeman will give years of valuable, if reluctant, service.

INSTALLING YOUR NIGGER.
You should install your nigger differently according to whether you have purchased the field or house model. Field niggers work best in a serial configuration, i.e. chained together. Chain your nigger to another nigger immediately after unpacking it, and don't even think about taking that chain off, ever. Many niggers start singing as soon as you put a chain on them. This habit can usually be thrashed out of them if nipped in the bud. House niggers work best as standalone units, but should be hobbled or hamstrung to prevent attempts at escape. At this stage, your nigger can also be given a name. Most owners use the same names over and over, since niggers become confused by too much data. Rufus, Rastus, Remus, Toby, Carslisle, Carlton, Hey-You!-Yes-you!, Yeller, Blackstar, and Sambo are all effective names for your new buck nigger. If your nigger is a ho, it should be called Latrelle, L'Tanya, or Jemima. Some owners call their nigger hoes Latrine for a joke. Pearl, Blossom, and Ivory are also righteous names for nigger hoes. These names go straight over your nigger's head, by the way.

CONFIGURING YOUR NIGGER
Owing to a design error, your nigger comes equipped with a tongue and vocal chords. Most niggers can master only a few basic human phrases with this apparatus - "muh dick" being the most popular. However, others make barking, yelping, yapping noises and appear to be in some pain, so you should probably call a vet and have him remove your nigger's tongue. Once de-tongued your nigger will be a lot happier - at least, you won't hear it complaining anywhere near as much. Niggers have nothing interesting to say, anyway. Many owners also castrate their niggers for health reasons (yours, mine, and that of women, not the nigger's). This is strongly recommended, and frankly, it's a mystery why this is not done on the boat

HOUSING YOUR NIGGER.
Your nigger can be accommodated in cages with stout iron bars. Make sure, however, that the bars are wide enough to push pieces of nigger food through. The rule of thumb is, four niggers per square yard of cage. So a fifteen foot by thirty foot nigger cage can accommodate two hundred niggers. You can site a nigger cage anywhere, even on soft ground. Don't worry about your nigger fashioning makeshift shovels out of odd pieces of wood and digging an escape tunnel under the bars of the cage. Niggers never invented the shovel before and they're not about to now. In any case, your nigger is certainly too lazy to attempt escape. As long as the free food holds out, your nigger is living better than it did in Africa, so it will stay put. Buck niggers and hoe niggers can be safely accommodated in the same cage, as bucks never attempt sex with black hoes.

FEEDING YOUR NIGGER.
Your Nigger likes fried chicken, corn bread, and watermelon. You should therefore give it none of these things because its lazy ass almost certainly doesn't deserve it. Instead, feed it on porridge with salt, and creek water. Your nigger will supplement its diet with whatever it finds in the fields, other niggers, etc. Experienced nigger owners sometimes push watermelon slices through the bars of the nigger cage at the end of the day as a treat, but only if all niggers have worked well and nothing has been stolen that day. Mike of the Old Ranch Plantation reports that this last one is a killer, since all niggers steal something almost every single day of their lives. He reports he doesn't have to spend much on free watermelon for his niggers as a result. You should never allow your nigger meal breaks while at work, since if it stops work for more than ten minutes it will need to be retrained. You would be surprised how long it takes to teach a nigger to pick cotton. You really would. Coffee beans? Don't ask. You have no idea.

MAKING YOUR NIGGER WORK.
Niggers are very, very averse to work of any kind. The nigger's most prominent anatomical feature, after all, its oversized buttocks, which have evolved to make it more comfortable for your nigger to sit around all day doing nothing for its entire life. Niggers are often good runners, too, to enable them to sprint quickly in the opposite direction if they see work heading their way. The solution to this is to *dupe* your nigger into working. After installation, encourage it towards the cotton field with blows of a wooden club, fence post, baseball bat, etc., and then tell it that all that cotton belongs to a white man, who won't be back until tomorrow. Your nigger will then frantically compete with the other field niggers to steal as much of that cotton as it can before the white man returns. At the end of the day, return your nigger to its cage and laugh at its stupidity, then repeat the same trick every day indefinitely. Your nigger comes equipped with the standard nigger IQ of 75 and a memory to match, so it will forget this trick overnight. Niggers can start work at around 5am. You should then return to bed and come back at around 10am. Your niggers can then work through until around 10pm or whenever the light fades.

ENTERTAINING YOUR NIGGER.
Your nigger enjoys play, like most animals, so you should play with it regularly. A happy smiling nigger works best. Games niggers enjoy include: 1) A good thrashing: every few days, take your nigger's pants down, hang it up by its heels, and have some of your other niggers thrash it with a club or whip. Your nigger will signal its intense enjoyment by shrieking and sobbing. 2) Lynch the nigger: niggers are cheap and there are millions more where yours came from. So every now and then, push the boat out a bit and lynch a nigger.

Lynchings are best done with a rope over the branch of a tree, and niggers just love to be lynched. It makes them feel special. Make your other niggers watch. They'll be so grateful, they'll work harder for a day or two (and then you can lynch another one). 3) Nigger dragging: Tie your nigger by one wrist to the tow bar on the back of suitable vehicle, then drive away at approximately 50mph. Your nigger's shrieks of enjoyment will be heard for miles. It will shriek until it falls apart. To prolong the fun for the nigger, do *NOT* drag him by his feet, as his head comes off too soon. This is painless for the nigger, but spoils the fun. Always wear a seatbelt and never exceed the speed limit. 4) Playing on the PNL: a variation on (2), except you can lynch your nigger out in the fields, thus saving work time. Niggers enjoy this game best if the PNL is operated by a man in a tall white hood. 5) Hunt the nigger: a variation of Hunt the Slipper, but played outdoors, with Dobermans. WARNING: do not let your Dobermans bite a nigger, as they are highly toxic.

DISPOSAL OF DEAD NIGGERS.
Niggers die on average at around 40, which some might say is 40 years too late, but there you go. Most people prefer their niggers dead, in fact. When yours dies, report the license number of the car that did the drive-by shooting of your nigger. The police will collect the nigger and dispose of it for you.

COMMON PROBLEMS WITH NIGGERS - MY NIGGER IS VERY AGGRESIVE
Have it put down, for god's sake. Who needs an uppity nigger? What are we, short of niggers or something?

MY NIGGER KEEPS RAPING WHITE WOMEN
They all do this. Shorten your nigger's chain so it can't reach any white women, and arm heavily any white women who might go near it.

WILL MY NIGGER ATTACK ME?
Not unless it outnumbers you 20 to 1, and even then, it's not likely. If niggers successfully overthrew their owners, they'd have to sort out their own food. This is probably why nigger uprisings were nonexistent (until some fool gave them rights).

MY NIGGER BITCHES ABOUT ITS "RIGHTS" AND "RACISM".
Yeah, well, it would. Tell it to shut the fuck up.

MY NIGGER'S HIDE IS A FUNNY COLOR. - WHAT IS THE CORRECT SHADE FOR A NIGGER?
A nigger's skin is actually more or less transparent. That brown color you can see is the shit your nigger is full of. This is why some models of nigger are sold as "The Shitskin".

MY NIGGER ACTS LIKE A NIGGER, BUT IS WHITE.
What you have there is a "wigger". Rough crowd. WOW!

IS THAT LIKE AN ALBINO? ARE THEY RARE?
They're as common as dog shit and about as valuable. In fact, one of them was President between 1992 and 2000. Put your wigger in a cage with a few hundred genuine niggers and you'll soon find it stops acting like a nigger. However, leave it in the cage and let the niggers dispose of it. The best thing for any wigger is a dose of TNB.

MY NIGGER SMELLS REALLY BAD
And you were expecting what?

SHOULD I STORE MY DEAD NIGGER?
When you came in here, did you see a sign that said "Dead nigger storage"? .That's because there ain't no goddamn sign.

Re:Your official guide to the Jigaboo presidency (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#29772665)

you are one persistent motherfucker!

"Cripple the PC" (0)

Anonymous Coward | about 5 years ago | (#29772585)

Isn't it crippled by definition? Just look at those Mac ads...

Re:"Cripple the PC" (2, Funny)

Anonymous Coward | about 5 years ago | (#29772743)

Exactly, and if anyone knows about crippled platforms, it's Apple.

You didn't expect it? (0, Troll)

Random2 (1412773) | about 5 years ago | (#29772611)

After all, they've done this before. Unless we catch them ,they're going to do whatever they can to remove their competition.

Registry Danger! (5, Informative)

aster_ken (516808) | about 5 years ago | (#29772631)

Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.

Also, the ability to remove this plug-in was covered on Slashdot a few months ago when Microsoft released version 1.1. It was included in an earlier service release to the .NET Framework for Windows XP and Windows Vista. This plug-in doesn't even exist in Windows XP by default. You must have installed .NET Framework 3.0 or higher to get it. Windows Vista includes .NET Framework 3.0, but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand. Windows 7 allows you to do it because the earlier service release is part of the operating system.

Microsoft bashing is fun, but let's stick to facts.

Re:Registry Danger! (-1, Troll)

Anonymous Coward | about 5 years ago | (#29772703)

Go ahead and delete your entire registry..
Oh no, I'm sure you won't have any problems at all..

System Restore can be disabled, rely on it to save your incompetence, you can not.

Re:Registry Danger! (-1, Troll)

Anonymous Coward | about 5 years ago | (#29772865)

not to mention system restore has failed to work for me when i have needed it the most. turns out having a particular antivirus installed (mcaffee if I recall) silently defeats system restore. by silently, i mean you can set the restore points and they appear to work, with no errors. then when you actually need to use a restore point you'll find it won't do much for you at all. another "great going Microsoft" moment. i mean seriously, on linux i don't expect a backup utility to mysteriously fail merely because i have installed clamav, and that's what this would be like. i don't understand why they market windows to noobs because on windows you have problems like this that just don't appear elsewhere.

Re:Registry Danger! (0)

Anonymous Coward | about 5 years ago | (#29772979)

Go ahead and delete your entire filesystem..
Oh no, I'm sure you won't have any problems at all..

System Restore can be disabled, rely on it to save your incompetence, you can not.

Re:Registry Danger! (2, Insightful)

Darkness404 (1287218) | about 5 years ago | (#29772725)

The difference is, its pretty easy to figure out what things do in the Program Files directory, the Windows directory is a bit more confusing, but a lot of it is still pretty easy to figure out. Good luck for an average computer user to figure out what /HKEY_LOCAL_MACHINE\ SOFTWARE\etc. is compared to Program Files and X program.

Re:Registry Danger! (3, Informative)

Frosty Piss (770223) | about 5 years ago | (#29772787)

but if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand.

You mean like this? [adblockplus.org] That's *no* uninstalling.

Re:Registry Danger! (0)

Anonymous Coward | about 5 years ago | (#29772809)

but let's stick to facts.

You don't belong here.

Re:Registry Danger! (1)

fhuglegads (1334505) | about 5 years ago | (#29772837)

if you've bothered to keep up with security updates you would have the ability to uninstall or disable the plug-in without modifying the registry by hand.

no .NET on my windows box.
never installed a service pack or an update
my system works based on the os that was on it when i bought it 3 years ago. there is no reason to let microsoft go and mess up something I already don't like by changing it.

I only use windows for one game that doesn't run under Wine. As far as my work pc goes... that's filed under SEP.. Someone Else's Problem.

Re:Registry Danger! (1)

jellomizer (103300) | about 5 years ago | (#29772873)

Open up your firewall for say 20-30 minutes...

Re:Registry Danger! (4, Informative)

Penguinisto (415985) | about 5 years ago | (#29772875)

"It's no more dangerous to delete something from your registry"

Perhaps, but...

  1. This kinda invalidates the argument that Windows fanboys have been spouting for years, namely "...but in Linux/BSD/Whatever, you have to edit files, which is too hard for Joe Sixpack to do!"
  2. If you bork the registry, discover it's borked only after a full reboot/log-in, then try to reboot again thinking it's some other problem, that backup copy of the registry just went 'pfft!', and you may or may not be able to get to a point where you can use System Restore
  3. The registry makes a great place to hide stuff in (see also half the malware to come down the pike in the past 9 years)

Re:Registry Danger! (0)

Anonymous Coward | about 5 years ago | (#29772909)

Can we please stop with the "It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence" trolling sarcasm?

I think everyone already agrees both of these are bad ideas, I'm happy this wasn't a problem for you, and no one cares that you were forced to read the same exaggerated warning again. The horror!

Microsoft bashing is fun, and we're sticking to the facts.

Re:Registry Danger! (1)

Killer Orca (1373645) | about 5 years ago | (#29772937)

Looking at my add/remove programs list I have 4 different versions of the .Net framework installed, I wish all the programs that relied on them would be able to use the latest one, but unfortunately they do not.

Re:Registry Danger! (0)

Anonymous Coward | about 5 years ago | (#29773111)


Can we please stop with the "registry editing will end the world" warnings?

I sure wish we would. One of my co-workers (Who's actually an IT support person and has been for a decade) completely and truly believes that editing the registry is one of the scariest and most dangerous things you could do. This is the same IT support guy who's afraid of anything that's not a nice GUI. Command line? Scripting? Ohh noes!

How editing something as simple as the registry has become a dangerous activity for IT personnel is beyond me.

Re:Registry Danger! (1)

jamstar7 (694492) | about 5 years ago | (#29773135)

Can we please stop with the "registry editing will end the world" warnings? It's no more dangerous to delete something from your registry than it is to delete something from the Program Files or Windows folders, and System Restore is more-than-capable of bringing the system back to life after your incompetence.

Joe Sixpack doesn't have a clue about editing the registry, he just wants something 'That Just Works(tm)'. Anything else, he'll let his 'computer geek kid' screw up for him til it needs to go to the shop, then bitch when they charge him an arm & a leg to fix it. Having done several years of those kinda repairs, I can categorically tell you that a lot of the registry repair software isn't made for the regular user, it's made for us geeks.

System Restore in XP takes you back to your restore point. If your restore point includes the 'patch', you're gonna have to start all over again.

They said it (0)

Anonymous Coward | about 5 years ago | (#29772657)

It was intended to provide a "uniform Windows experience"...

Amazing (4, Insightful)

gmuslera (3436) | about 5 years ago | (#29772661)

This is from the same people that claimed that the Google Chrome Render plugin for IE6+ will make the browser less secure?

Re:Amazing (1)

mdm-adph (1030332) | about 5 years ago | (#29773013)

Same company -- not the same people. I swear there's whole nations worth of people in companies the size of Microsoft that aren't even on the same page, ever.

Re:Amazing (2, Insightful)

matzahboy (1656011) | about 5 years ago | (#29773107)

The other funny thing is that the firefox plugin was installed without the user's permission. The user has to go to the chrome website and click the button that say "install".

Re:Amazing (1)

Tranzistors (1180307) | about 5 years ago | (#29773127)

See, they know what they are talking about.

Re:Amazing (1)

Pollardito (781263) | about 5 years ago | (#29773145)

It'll be ok though, because Google is making a plugin for this plugin

Re:Amazing (3, Informative)

shutdown -p now (807394) | about 5 years ago | (#29773265)

If anything, this case further reinforces that claim. Any new functionality (including plugins) added to a browser increases its attack surface, unless it completely replaces part of the existing code. In this case, the increased surface was due to WPF being exposed. In case of Chrome plugin, it's Chrome rendering engine.

If Chrome completely replaced IE renderer, with no means to re-activate it, then it would be reasonable to argue that it does improve security. However, Chrome renderer is opt-in, which means that any attack site willing to exploit an IE vulnerability will happily work in IE with Chrome plugin installed, but at the same time any site willing to exploit a Chrome vulnerability - and it's not like there aren't, or will never be, any - can request IE with Chrome plugin to use Chrome for rendering.

CrippleWare (1)

cosm (1072588) | about 5 years ago | (#29772669)

There are already a bajillion (non-technical term) of other platforms that can provide dynamic content without needing to get compiled languages like VisualWhatever.NET involved. AJAX is extremely powerful, one among plenty more great cross-code web design patterns, and is more secure than bringing the herpes in the intertubes that much closer to your kernal. Why in the heck would they wan't to put WPF (more like WTF) in Firefox, besides sabotage any feelings of safety one used to have. Integrating .NET that closely to the Internet is shady at best. It becomes no better a situation than getting an ActiveX driveby from unpatched IE (or IED if you will).

IMHO, I don't see the need to shove .NET down web users throats, making them vulnerable to more 'root'-owned style attacks by placing the internet one step closer to your local Just In Time (to pwn you) compilers.

Re:CrippleWare (1)

DAldredge (2353) | about 5 years ago | (#29772851)

How do I do threads in AJAX?

Re:CrippleWare (1)

cosm (1072588) | about 5 years ago | (#29772925)

If your trying to instantiate multiple client-side threads, count me out. Talk about exploitability! If your using ASP you can run server side threads no problem, but otherwise a bunch of threads started within a web-page would be a terrible idea, sloppy programmers and bad websites would bring your browser to its knees, choking anything that acts asynchronously.

Re:CrippleWare (1)

cosm (1072588) | about 5 years ago | (#29772977)

And another note, threads are powerful in their nature, and so is .NET, do you really want TCP/UDP & the Internet to be able to create threads on your processor. A dropped packed, a tampered connection; what is to stop things like unsafe code with pointers, and a few crossed threads from crashing your computer, instead of just crashing your browser from some javascript issues? Windows can go nuclear easy enough on its own.

Re:CrippleWare (0)

Anonymous Coward | about 5 years ago | (#29772879)

You seem to know so little about .net

Re:CrippleWare (0)

Anonymous Coward | about 5 years ago | (#29772883)

This plugin doesn't do anything other then just report your currently installed .net version to the server, and make the clickonce installation more seamless. Nothing nefarious.

Re:CrippleWare (1)

causality (777677) | about 5 years ago | (#29772987)

IMHO, I don't see the need to shove .NET down web users throats, making them vulnerable to more 'root'-owned style attacks by placing the internet one step closer to your local Just In Time (to pwn you) compilers.

Two reasons come to mind. 1) AJAX and other alternatives tend to be open standards, so vendorlock (a favorite MS tactic) doesn't apply or doesn't easily apply. There is one thing Microsoft really does not like to do, and that's competing on merit in a level playing field that has low barriers to entry for competitors. If it were otherwise, then they would use completely open, unencumbered standards wherever possible (i.e., for every protocol and every file format they create) but this, obviously, is not the case. 2) It's not like Microsoft is ever going to have any legal liability for placing their .NET marketshare ahead of user security. If a customer's machine gets compromised that would not have been compromised without MS's unilateral decision to install the .NET component, that customer has no recourse whatsoever. They can make you as vulnerable as they like in order to advance their marketing goals and they can do it with impunity.

So, Microsoft has something to gain, namely further adoption of .NET and the control that comes with that, and they have nothing to lose. From a business perspective they have no reason not to do this. The only thing that would stop them would be for the average user to both understand these things and demand something different.

I don't get it - why use Windows? (-1, Troll)

Anonymous Coward | about 5 years ago | (#29772697)

Linux works so much better than Windows. Windows is like some defective toy operating system. Anybody who has switched is well aware of this.

This isn't a troll. I'm just seriously curious why anybody uses Windows, when such a better alternative is available.

Re:I don't get it - why use Windows? (1)

drodal (1285636) | about 5 years ago | (#29772951)

The only time I wouldn't use Linux is for video editing.
It's still a little weak there. But I use multiple OS's anyway....

FUD (0)

sexconker (1179573) | about 5 years ago | (#29772727)

"What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7."

Disable and uninstall were there and working on day fucking 1 for my XP machines.

Re:FUD (1)

SydShamino (547793) | about 5 years ago | (#29772869)

Disable and uninstall were there and working on day fucking 1 for my XP machines.

Anecdote.

Both are grayed out TODAY on my fully-patched XP work machine. Anecdote #2.

We cancel out.

Re:FUD (1)

recoiledsnake (879048) | about 5 years ago | (#29773083)

My anecdote... even better, actually a screenshot from Vista. http://imgur.com/WyehG.png [imgur.com]

So the score is no longer zero.

Re:FUD (0)

Anonymous Coward | about 5 years ago | (#29773205)

My anecdote... even better, actually a screenshot from Vista. http://imgur.com/WyehG.png [imgur.com]

So the score is no longer zero.

I went to that link, clicked on the buttons, and nothing happened.

So, the uninstall IS broken.

Probably deliberately, too, knowing Microsoft.

Deja-vu (2, Informative)

Dishwasha (125561) | about 5 years ago | (#29772741)

Is it just me, or were we just talking about this [slashdot.org]

Microsoft is DEAD (0)

Anonymous Coward | about 5 years ago | (#29772757)

according to Paul Graham [paulgraham.com] , Microslop inherited its monopoly from I.B.M.

Yours In Yaznogorsk,
Kilgore T. [youtube.com]

Sony's rootkit trick lighty modified? (1)

Kbac (1261080) | about 5 years ago | (#29772759)

This kinda reminds my of Sony's rootkits from music CDs a little. If I remember correctly installing programs without user permission/knowledge is bad, doing so and making it as imposable to remove or disable as possible is really bad. And the fact that Windows 7 is the only OS that has the option to disable it seems like MS is once again trying to force users to upgrade. "We know 7 is safer than XP because we booby trapped XP!".

Not this shit again. (2, Insightful)

jim_v2000 (818799) | about 5 years ago | (#29772831)

There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.

Re:Not this shit again. (4, Insightful)

asa (33102) | about 5 years ago | (#29773229)

There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.

No. Wrong. Installing plug-ins or extensions without asking is bad. Period. Full stop. End of story.

The only thing in the mind of the predator... (1)

MindPrison (864299) | about 5 years ago | (#29772901)

...is the enemy!

Shouldn't the title read (4, Insightful)

jayme0227 (1558821) | about 5 years ago | (#29772903)

"Microsoft fixes vulnerability in their own Firefox Addon"? The summary would then point out that this was covered and Microsoft fixed the problem. But I guess calling Microsoft "sneaky," ignoring the fact that this was already posted on slashdot, and then minimizing the fact that MS actually fixed the problem was too appealing to pass up.

Except for one thing... (1)

argent (18001) | about 5 years ago | (#29773119)

There is not enough schadenfreude in the world to satisfy the demand when it comes to Microsoft pulling something like "a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update."

Come on, you tell me, what on earth justifies that?

I haven't read the fta (0)

drodal (1285636) | about 5 years ago | (#29772943)

nor have I even read any comments here
but the next time I hem and haw  about Mac vs Windows.

I'll choose Mac, cuz at least they aren't try to sabotage me and my applications....(probably)

The next time one of those idiots on TV say "Im a PC" I'll say back "and your infected! get away from me......"

Congrats....M$, nice on, you sick bastards (1)

hesaigo999ca (786966) | about 5 years ago | (#29772947)

Nice job, of trying to push the blame on a third party software that is kicking your own apps ass when it comes to web browsing!
So what to do, say could we not develop a nice little add on , that allows remote execution once infected and destroys that apps security...and also make it impossible through windows (M$) to uninstall.

Wow, nice one...
-clap/clap/clap

WinVista sp2 (0)

Anonymous Coward | about 5 years ago | (#29773053)

Unless I fail at reading (Very possible), this post is wrong. Like others on the boards, i just went into plugins and disabled it.

I am currently fully patched on vista sp2.

Here we go again. (1)

Deathlizard (115856) | about 5 years ago | (#29773123)

How many times must we hear about this plugin? This is at least the third time I've seen an article on it.

If you got 1.0 of the plugin and want to get rid of it, get the update here [mozilla.org] or Here [microsoft.com] , install it, and then uninstall it.

I'm saving this in my journal. That way, when they post the next .NET plugin story next month, I can just post the journal link. Maybe I can keep the story count there too.

What? Shouldn't firefox fix this one? (1)

Real1tyCzech (997498) | about 5 years ago | (#29773141)

So firefox allows a rogue addon to install without any user intervention and the story is all about how evil MSFT is?

Sure, they did it. Bad Microsoft.

But isn't the bigger issue that now that this is known....*anyone* can pull this on firefox users?

No. I am not apologizing for Microsoft. This was "Sony Stupid" of them. We're used to that here, though. What we're not used to (and apparently sweeping under the rug) is the massive, unholy hell of a mess mozilla's extension system for firefox is....

Re:What? Shouldn't firefox fix this one? (0)

Anonymous Coward | about 5 years ago | (#29773227)

That was my reaction as well. How can ANY firefox plugin be given the authority to not allow itself to be turned off? Sure, it's Microsoft being an asshole, but that also seems like broken behavior on Firefox's part.

sounds like the Mozilla Foundation (1)

alizard (107678) | about 5 years ago | (#29773189)

should secure Firefox to make it impossible for M$ to install anything in their browser.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?