
Firefox Disables Microsoft .NET Addon

kdawson posted more than 4 years ago | from the with-their-consent-of-course dept.

Mozilla 448

ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.


448 comments

Great (3, Interesting)

sopssa (1498795) | more than 4 years ago | (#29783349)

All the addon did was to add a piece of text in useragent that told the website .NET version. How do you manage to fuck up that?

Re:Great (5, Funny)

setagllib (753300) | more than 4 years ago | (#29783357)

Microsoft has put billions of dollars into developing the most effective and efficient security vulnerabilities to date. I can only watch in awe and wonder.

It is nothing compared to VPC (3, Interesting)

Ilgaz (86384) | more than 4 years ago | (#29783449)

That issue is nothing (they asked for it in fact).

The issue which should make to books about the tech irony is Virtual PC for Mac 7.x (if anyone uses, UPDATE!). MS found a theoretical (not sure) issue which Virtual PC's emulated X86/Hypervisor can MODIFY the OS X memory from "there".

While they were decent to fix it very quickly and shipped an update (7.0.3) confusing Mac users, that is one big amazing issue for you. Imagine by running (emulating in fact) a Windows, you risk your OS X memory locations with overwrite.

The real reason why they want to hack user agent (4, Insightful)

Ilgaz (86384) | more than 4 years ago | (#29783417)

While some slashdotters think otherwise, Java/Windows install base is huge thanks to couple of very popular apps and tiny games. Since companies these days looks for multi platform, multi arch; MS needed to show that their herd has been installed/infected by .NET too.

So, they haxor the user agent to show that clueless CTO that their 90% of users have .NET so they should use it instead of massively multi platform Java.

Anyway, as you see, karma is a real bitch and if Sun had a real management, they could milk this issue but... Lucky for MS, Sun is under auto pilot, even under Larry Ellison's Oracle.

Re:Great (2, Interesting)

xonicx (1009245) | more than 4 years ago | (#29783503)

Not really. I was on verge of switching to chrome because of firefox getting stuck while typing in address bar. Disabling "Windows Foundation Presentation" magically fixed the problem.

Re:Great (4, Informative)

The MAZZTer (911996) | more than 4 years ago | (#29783555)

There's actually a whole Firefox setting namespace devoted to bits of useragent to append, you don't even need a whole addon.

How about just disabling Microsoft? (0, Troll)

John Hasler (414242) | more than 4 years ago | (#29783359)

Much more effective.

Re:How about just disabling Microsoft? (0, Troll)

AvalancheBurn (1419817) | more than 4 years ago | (#29783383)

Yes, except that most of the world is using M$ as their OS. They still have the largest market share on computers, especially in the US. Though I am still confused as to why M$ would need to have an addon for Firefox. Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?

Re:How about just disabling Microsoft? (1)

sopssa (1498795) | more than 4 years ago | (#29783397)

Because Microsoft is not only creating or competing with Internet Explorer. The addon adds .NET version in to useragent so websites can see if it's installed.

Two words (3, Interesting)

Norsefire (1494323) | more than 4 years ago | (#29783405)

Doesn't it seem a little odd that the company that is competing for market shares in the web browser area would create a addon for a competing company?

Chrome Frame.

Re:Two words (2, Informative)

Darkness404 (1287218) | more than 4 years ago | (#29783983)

Chrome Frame was required for running Google Wave (HTML5) in IE. So it's not much different than all those Active X plugins you used to have to install to get other things to work back in the "bad old days".

Re:How about just disabling Microsoft? (3, Insightful)

Hurricane78 (562437) | more than 4 years ago | (#29783901)

So your argument against people switching away from MS, is that people use MS??
That's the classical excuse of the beta human: I can't do it, because nobody does it.
And why does "nobody" do it? Because everybody uses that "argument" to not do it!

The best thing is, that it isn't even remotely true that nobody does it. You're reading a comment from someone doing it right now. But it's so convenient to ignore that, isn't it?
Maybe that's the difference between alphas and betas. Alphas have no problem being the first in the club, to start dancing. No they even grab a girl and make a show out of it! ^^ (Because they know that that makes them the leader. Something that is very handy and feels great. Killing any insecurity-based awkwardness.)

So if one person can do it, then two can too. Including handling MS file formats. Including the ability to be in a MS (SMB) network. And so on.
So if two can do it, everybody can.

Which means nobody needs to use MS software. But they want it! Why? Because it's less effort. One can be lazy. And the excuses "always work", to lie even to oneself, about wanting to switch.
"Oh, if only others would use it! Then I would too! But in this situation? No way!" Except that you wouldn't. Or if you would, then I wonder what a pathetic kind of cattle you are, for always trying to conform, even if it's not what you like.

Hell, I'd even prefer to hear that you actually prefer Windows, and that this is mostly because you don't like all the work required to switch. That would at least be honest. And while not agreeing with the view, I could absolutely comprehend and accept it.

Do yourself a favor, stop imitating others just to be "accepted", stop caring what others think of you, build your own set of values, be you, do what you like, and strongly stand behind your reality. That is a basic human right of everybody. And we will not hate you for it. No, we will love you for it. (Isn't it strange, how doing the opposite of what you did, will give you what you always wanted? ^^)

P.S.: If anywhere you found that my assumptions are wrong, *of course* you can tell me how wrong I am. But only if. ^^ (And moderation is no replacement.)

It is happening you know (0)

Anonymous Coward | more than 4 years ago | (#29783459)

It is happening you know. Check out the fantastic Linux mobile phone http://www.theinquirer.net/inquirer/news/1532176/nokia-n900-internet-tablet-walk

The Nokia N900 is the MS/Apple killer par excellence, but as Linus Torvalds noted "Killing off Microsoft is just a side effect, not a goal".

Re:It is happening you know (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29783677)

wow. talk about living in a fantasy land.

Re:How about just disabling Microsoft? (5, Funny)

siddesu (698447) | more than 4 years ago | (#29783539)

FYI, it doesn't help at all !!!

I have Microsoft disabled (I run Gentoo Linux), and my Firefox failed miserably to disable the .Net plug-in. I spent a day clicking on the menus and recompiling updates, and I still don't get the pop-up :(

On the bright side, my system now runs 1.27% faster compared to yesterday. It feels like 10% faster, really.

How about just disabling /. fanbois (0)

Anonymous Coward | more than 4 years ago | (#29783943)

Fixed

Oops (3, Informative)

Mr_Silver (213637) | more than 4 years ago | (#29783373)

I just checked my addons and whilst I don't have the Microsoft addon, I do have an AVG one which is disabled. Clicking on the more information link (https://en-gb.www.mozilla.com/en-GB/blocklist/) presents me with a page that says:

en-gb.www.mozilla.com uses an invalid security certificate.

The certificate is only valid for *.mozilla.com.

(Error code: ssl_error_bad_cert_domain)

Whilst it is nice to see they've done it, it's a shame that they didn't test the end to end user flow.

Re:Oops (2, Insightful)

mwvdlee (775178) | more than 4 years ago | (#29783601)

It's open source; you did the testing for them just then!

Now if only reporting these types of issues could be done from within Firefox without having to jump through hoops.

Re:Oops (1, Insightful)

Anonymous Coward | more than 4 years ago | (#29783649)

Like they do with the ubuntu bugtracker, in which popular bugs are polluted with lusers asking instructions? No thank you, leave reporting to the semi-professionals instead of every luser with a keyboard...

Re:Oops (1, Informative)

Anonymous Coward | more than 4 years ago | (#29783807)

It's being worked on. See bugs 505031 [mozilla.org] and 454299 [mozilla.org] to track.

Invalid certificate - no site (1, Informative)

Anonymous Coward | more than 4 years ago | (#29783935)

And what's even worse: It only has a 'check certificate' and 'abort' button. There's no way to get to the webpage.

If the site didn't have a cert at all, firefox would happily display it, but with an invalid cert you don't even get an option to do that.

Plugin-checker (2, Interesting)

Norsefire (1494323) | more than 4 years ago | (#29783377)

The TFA makes a reference to Mozilla's new Plugin checker [mozilla.com]. I just went there with JavaScript disabled and ...

You have JavaScript disabled or are using a browser without JavaScript. This Plugin Check page does not work without the awesome power of JavaScript. Please enable this Content Preference and reload the page. Or disable all your plugins and keep JavaScript disabled... you'd be in good company, that's how RMS rolls [lwn.net].

Re:Plugin-checker (0, Offtopic)

drinkypoo (153816) | more than 4 years ago | (#29783473)

The TFA makes a reference to Mozilla's new Plugin checker. I just went there with JavaScript disabled and ...

I just enabled JavaScript and...

We've encountered an error. Please try your request again later.

How fantastic.

Why do quote and blockquote tags render the same? That's stupid.

Re:Plugin-checker (1)

Hurricane78 (562437) | more than 4 years ago | (#29783919)

So RMS also caved in, and does not disable images and CSS styles anymore? What a loser. I knew he was getting weak when he switched from netcat to lynx!

Bad for Firefox in the long run? (4, Interesting)

cyclocommuter (762131) | more than 4 years ago | (#29783399)

I might be mistaken but don't these add-ons/plugins from Microsoft specifically allow certain web pages to render properly under Firefox which otherwise would have required users to run IE? If so Microsoft centric IT Enterprise users who have started using Firefox at work might revert back to IE. This might reduce the gains that Firefox has been achieving in Microsoft centric IT Enterprise shops.

Re:Bad for Firefox in the long run? (5, Informative)

Antique Geekmeister (740220) | more than 4 years ago | (#29783491)

Oh, I think not. The "functionality" added is Windows specific. Websites _should not_ be OS specific. And Microsoft had _no business_ shoving their plug-in silently into Firefox. And most of all. .NET is now a security nightmare: Brian LaMacchia, one of the authors of ".NET Framework Security", resigned from .NET development rather than continue with it. (LaMacchia's career is fascinating: if you'd like to follow a trail of an expert engineer getting involved in projects that are doomed for mishandling security, perhaps in spite of his best efforts, check out his career.)

Re:Bad for Firefox in the long run? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29783523)

>Websites _should not_ be OS specific

Try telling that to corporate IT which wants certain functionality implemented certain ways. Hell, if you want, blame whoever invented the "best viewed by" concept and slap them around with a wet trout.

Re:Bad for Firefox in the long run? (4, Interesting)

gbjbaanb (229885) | more than 4 years ago | (#29783615)

Do you have a link for that? I'd be very interested to show more flaws in the design of .NET.

I know Chris Brumme's excellent weblog [msdn.com] about the CLR has quite a few interesting things to say, and even more if you read between the lines in places, you know he wants to say "we screwed this up big time" and he does say that occasionally. With hindsight, they did make some technical mistakes - throwing objects instead of just exceptions, allowing .Net apps to run in IIS [msdn.com] at all, thinking GC would remove the need for reference counting [msdn.com], and several marketing mistakes - telling everyone exceptions were very inexpensive (I recall one particularly misinformed MS drone telling me exceptions were free because it was all handled by the CLR... d'oh)(read the blog)

If ever there was an example of keeping it simple, .NET is it - as an example of what not to do. Hats off to Chris who I think is very intelligent and talented, but the scope and spec of what they asked of him was too awkward to make a perfect job of.

Re:Bad for Firefox in the long run? (2, Insightful)

EMN13 (11493) | more than 4 years ago | (#29783825)

So your argument against the fact that a plugin replicating IE-specific tech for firefox doesn't matter in intranet environments is... ... that it's windows specific?

Are you kidding?

Re:Bad for Firefox in the long run? (1)

wgoodman (1109297) | more than 4 years ago | (#29783541)

essentially it added an option to have pages install things without the user's input.. since apparently Mozilla users have been hounding MS for that ability for quite some time now.

I was rather confused on seeing the dialogue box considering i manually uninstalled the security holes a long while ago. they were no longer installed but i suppose it's nice that Mozilla wanted to be extra sure. i miss having proper control of my system. this is reminding me (on a larger scale) of the adblock vs noscript wars a while back.

Re:Bad for Firefox in the long run? (5, Informative)

thejynxed (831517) | more than 4 years ago | (#29783647)

You better check again, as the plugin tries to re-install itself silently when a .NET service is called from a website in Firefox, and also via the recent batch of patches from Microsoft. The only way to be sure is to double-check and not only nuke the appropriate registry entry, but the entire sub-folder of your .NET installation the plugin is installed to, as well as resetting the ID string in About:Config. Then you should proceed to disable that update from being downloaded or displayed via Automatic Updates.

The really disturbing thing I found, is that after sneakily re-installing itself via the latest patch from MS, the plugin is not displayed at all in the Addons/Extensions portion of the Firefox configuration screen. The only reason I even found it reinstalled, was that warning from Firefox when the nasa.gov site attempted to load the plugin while viewing their photo galleries.

Yes, it was my fault to have updates set on Automatic/Automatic, which has since been remedied on this system. I was irresponsibly lazy on the matter.

Re:Bad for Firefox in the long run? (2, Interesting)

thejynxed (831517) | more than 4 years ago | (#29783831)

I forgot to mention in my previous post: It always shows up in the Plugin section of Addons (as it always did, found it odd to be displayed in both Plugins and Extensions sections, but whatever), even after the Plugin is uninstalled manually and the system and Firefox are restarted. Anyone know how to fix that?

Re:Bad for Firefox in the long run? (1)

Hurricane78 (562437) | more than 4 years ago | (#29783989)

No. Once you are used to the other add-ons, you can't live with a plain browser anymore anyway. ^^

But obviously, you think that everybody just caves in, when a page is crap (=renders only in IE).

Do you remember how you and others argued, that IE users complain that the page is buggy, when in fact their browser was?
You either have to say that the same is true for average Firefox users too, or that it never was true (which would be a lie, because people actually did blame the pages, as I know from years of being in that business).

I think they will finally call the page what it is, for "being buggy" (= requiring IE): A crappy page.
Then they will go to the competition, which is just a click away.

By the way: I really wonder why people still come up with that "IE only pages" argument. It's years since I last saw something like that. And even then it was an old and buggy page that looked like out of the 90s. With Firefox over 20%, there is just no way any serious business would miss out on that market share. I know from my old job, that we usually had to make our pages compatible with enough browsers, to get above the 95% margin. Which sometimes meant, to specifically test in IE (two versions, at least), Firefox, Opera and Safari. That's how business does it. Because every lost user is a lost client is going down compared to the competition means not reaching the yearly goal means no bonus or raises for anyone. It's a no-brainer.

MS kinda overstepped its bounds on this one. (4, Insightful)

Anonymous Coward | more than 4 years ago | (#29783409)

Microsoft has deservedly taken a LOT of sh*t for forcing this addon into Firefox unannounced - AND preventing you from disabling or uninstalling it - unless you yank it out of the registry. It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"

Re:MS kinda overstepped its bounds on this one. (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29783439)

It's nice to see Firefox allowing automatically installed addons to decide for themselves that they can't be disabled.

Re:MS kinda overstepped its bounds on this one. (3, Insightful)

phoenix321 (734987) | more than 4 years ago | (#29783495)

The .NET installer/updater that forces this addon into Firefox is running as administrator or even system rights. How should a non-running app protect itself against a code injection in their home directory done by a process with system privileges? Without creating another mess of cryptographic signing, super-super user and files undeletable when Joe Sixpack decides to uninstall?

I'm sure the Firefox team is working on hardening their application against scummy plugins that disallow being uninstalled, but I fear it's not exactly trivial protecting against administrator privileged malware without breaking a whole lot of other stuff.

Re:MS kinda overstepped its bounds on this one. (2, Informative)

lukas84 (912874) | more than 4 years ago | (#29783625)

Firefox offers an option for addons installed on the system level, and not on the user level, like the addons you manually install are.

This makes sense for example in a company, where you deploy Firefox to desktops - you'll want for addons to be installed on a system, and not a per-user base.

The .NET utility just made use of that.

Re:MS kinda overstepped its bounds on this one. (3, Insightful)

sopssa (1498795) | more than 4 years ago | (#29783489)

It's nice to see the Mozilla folks say "NOPE, you...'re NOT doing this to our browser, now get lost"

You seem quite lost. They're not blocking it for that reason, but because it had a security vulnerability.

Read the TFA, MS suggested this! (5, Informative)

Gopal.V (532678) | more than 4 years ago | (#29783415)

From the TFA, it is clear that Microsoft approves of this particular move. I quote

It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on.

I mean, this is damage control. But I think Firefox is doing the mature thing and doing it the right way. Because not everybody wants to read the MS KnowledgeBase article [microsoft.com] and implement it themselves. At least, not my mom.

Re:Read the TFA, MS suggested this! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29783447)

At least, not my mom.

True, she does have better things (i.e. me) to be doing right now.

She says hi, by the way.

Re:Read the TFA, MS suggested this! (5, Insightful)

Razalhague (1497249) | more than 4 years ago | (#29783753)

and Microsoft is recommending that all users disable the add-on.

Well gosh, that "unable-to-be-disabled" feature seems really quite stupid now, doesn't it?

Ha ha (1)

TimeElf1 (781120) | more than 4 years ago | (#29783425)

hopefully this will get Microsoft to release a patch sooner

Sooner as in six months to a year when Microsoft finally goes...hmm maybe that didn't quite work?

Re:Ha ha (3, Insightful)

Norsefire (1494323) | more than 4 years ago | (#29783445)

Actually, it was patched on Tuesday [technet.com].

Re:Ha ha (1)

Jaktar (975138) | more than 4 years ago | (#29783659)

Yep I've been following this pretty closely myself. It was patched a couple days ago. You can follow step by step the discussion of someone providing a link of the initial vulnerability, them deciding to blocklist it, and someone claiming (though no name was given) that Microsoft agreed on the course of action.

The Firefox plugin itself was not the insecure part, it was items within the OS. Because of this, when Microsoft patched the vulnerability they didn't have to patch the plugin. So unless Microsoft re-releases the plugin with a higher version number there's no way for Firefox to do a version check to only allow patched systems to allow the plugin again. This is not an issue for me, but in the thread there are multiple people who are IT guys who claim their corporations rely on the plugin and their mission critical items won't work without it. There's a workaround via disabling the blocklistings via about:config but that's not a very graceful fix.

IMO this whole deal was handled very sloppily and I feel that this is all just petty bickering between Mozilla and Microsoft. Mozilla saw an opportunity to stick it to Microsoft and they took it. I don't want, or need, any part of this. It's easy enough to switch to Opera.

Re:Ha ha (5, Interesting)

Mike Shaver (7985) | more than 4 years ago | (#29783993)

I (Mike Shaver) am the person who spoke with the person at Microsoft. I'm not going to name them, because that's not my place, but this was not a case of us sticking it to Microsoft -- it was a case of us protecting our mutual users, with their agreement. We're working (today, as I type this) on ways to make the blocklist entry less disruptive for people who have their systems patched up. If we had known about the vulnerability before it was publicly disclosed, we could have done a lot more to make it smooth for users, but timing left us with an unpleasantly reduced set of options.

will MS release patch sooner (2, Interesting)

tokul (682258) | more than 4 years ago | (#29783431)

Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner.

Blocklist banned both of plugins without any version limits. Even if MS release updated plugin versions, plugins will remain blocked. I suspect that MS will create new plugs and try to sneak them back to Firefox with .NET "security" updates.

I think Mozilla team even considers removing features abused by MS plugs.

Why was the MS plugin again legal? (4, Interesting)

cheros (223479) | more than 4 years ago | (#29783467)

Yup, saw it happen too on a machine I don't use often in Windows (the ones with Windows only had this thing removed the moment it appeared).

Now, the plugin was installed without consent, nor was there a way to remove it, and it exposed the end user to risk. Ergo, this plugin thus violates computing laws in most countries - if it's illegal for Sony to rootkit your system it should be illegal for MS to add something to software that it didn't make.

I am thus quite surprised that I haven't heard any class action suits for this - I guess it's patch fatigue setting in..

Anyone else an explanation why that plugin avoided legal consequences?

Re:Why was the MS plugin again legal? (5, Insightful)

Nuskrad (740518) | more than 4 years ago | (#29783611)

Was it without consent though? I'm sure it would have been buried in the small print somewhere when installing/updating the .Net framework.

Re:Why was the MS plugin again legal? (3, Interesting)

gbjbaanb (229885) | more than 4 years ago | (#29783653)

I'm sure whatever it was you installed from Sony that snuck the rootkit in had similar wording in its smallprint too.

I guess it's ok if MS does it, but not Sony?

Re:Why was the MS plugin again legal? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29783751)

Except that the Microsoft plugin wasn't a rootkit. So, yes, it's OK when Microsoft installs functionality into Firefox that Firefox should, by all rights, already include compared to Sony installing software designed explicitly to disable existing features on your computer.

And, yes, by all rights, Firefox should support .Net natively. It already has special support built in for Java, so there's no reason why it shouldn't include the same hooks for .Net other than an irrational hatred of Microsoft.

Re:Why was the MS plugin again legal? (1)

Val314 (219766) | more than 4 years ago | (#29783815)

Please show me the passage. I have read it (really) and haven't seen it.

My surreal experience (3, Funny)

phozz bare (720522) | more than 4 years ago | (#29783469)

Last night I was browsing through the headlines on Slashdot's front page. At one point I came across the headline "Sneaky Microsoft Add-On Put Firefox Users At Risk" (story here [slashdot.org]). While I was reading the text underneath that headline, Firefox's prompt (indicating that it had detected the relevant plugin) popped up. It was so startling that I started wondering whether the browser was reading my mind! Weird stuff.

Re:My surreal experience (1)

The MAZZTer (911996) | more than 4 years ago | (#29783563)

Nah that happens when it automatically checks for addon updates, it also pulls down a copy of the addon blacklist from Mozilla.

.NET is enabled for me (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29783475)

Maybe it's because I keep Windows updated and don't need Firefox to try and protect me from being an idiot.

Just to be clear, I use Firefox, it didn't disable .NET. Is it because I keep Windows updated? Probably.

Nuke it with regedit... (5, Informative)

Dark$ide (732508) | more than 4 years ago | (#29783485)

For x86 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Mozilla > Firefox > Extensions

For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions

Delete key name '{20a82645-c095-46ed-80e3-08825760534b}'

Rule 1: Don't talk about the registry (5, Funny)

Norsefire (1494323) | more than 4 years ago | (#29783545)

A friend had a problem with a CD burner app (Nero I think?) and asked me to take a look at it (they weren't too tech savvy). So I took a look and Googled the error and found that it was a problem with a registry key that would screw randomly. The fix was to delete it and if the error came back the fix was to change it to a specific value (which would cause nagging warnings but not make the program fail outright, so deleting it first was the better solution). So when I had fixed it I told him offhandedly, not expecting him to understand, that it was a problem with the registry and if it happens again to give me a call. So a week later he calls and says it had the same problem but I didn't need to come round because he had found a registry cleaner, for cheap, only $39.95... I never mention the word "registry" to non-tech people now.

Re:Rule 1: Don't talk about the registry (2, Funny)

Bob_Who (926234) | more than 4 years ago | (#29783627)

he had found a registry cleaner, for cheap, only $39.95... I never mention the word "registry" to non-tech people now.

....I never mention windows, I'm up to my neck in Windex and squeegees....

Re:Nuke it with regedit... (3, Insightful)

The MAZZTer (911996) | more than 4 years ago | (#29783575)

Only nukes the addon, the plugin is hiding in C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (and C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll if you have the .NET 4.0 beta).

Remove HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5

And HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF, version=4.0 if you have the 4.0 beta
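
A read-only audit for the registry entries named in the two comments above, added here as an example and not part of any poster's comment. It goes through the .NET registry API because the plugin key names contain "/", which the PowerShell registry provider treats as a path separator; the function names and output fields are illustrative, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: reports entries only, modifies nothing.
$ExtensionId  = '{20a82645-c095-46ed-80e3-08825760534b}'  # extension ID quoted in the thread
$PluginPrefix = '@microsoft.com/WPF'                       # plugin key prefix quoted in the thread

# Hypothetical helper: one result row per registration found.
function New-Finding($View, $Kind, $Name, $Path) {
    [pscustomobject]@{
        View       = $View
        Kind       = $Kind
        Name       = $Name
        Path       = $Path
        PathExists = [bool]($Path -and (Test-Path -LiteralPath $Path))
    }
}

function Get-DotNetFirefoxEntry {
    # Registry32 is what 32-bit programs see (Wow6432Node on x64 Windows).
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    if ([Environment]::Is64BitOperatingSystem) {
        $views += [Microsoft.Win32.RegistryView]::Registry64
    }

    foreach ($view in $views) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            # 1. Extension registration under Mozilla\Firefox\Extensions.
            #    Checked as a value name and as a subkey name, since the
            #    thread only calls it a "key" (assumption: either form).
            $ext = $hklm.OpenSubKey('SOFTWARE\Mozilla\Firefox\Extensions')
            if ($ext) {
                if ($ext.GetValueNames() -contains $ExtensionId) {
                    New-Finding $view 'Extension value' $ExtensionId `
                        ([string]$ext.GetValue($ExtensionId))
                }
                if ($ext.GetSubKeyNames() -contains $ExtensionId) {
                    New-Finding $view 'Extension subkey' $ExtensionId ''
                }
                $ext.Close()
            }

            # 2. Plugin registration under MozillaPlugins. A prefix match
            #    covers both the 3.5 and the 4.0 beta key names.
            $plugins = $hklm.OpenSubKey('SOFTWARE\MozillaPlugins')
            if ($plugins) {
                foreach ($name in $plugins.GetSubKeyNames()) {
                    if (-not $name.StartsWith($PluginPrefix,
                            [StringComparison]::OrdinalIgnoreCase)) { continue }
                    $key = $plugins.OpenSubKey($name)
                    # 'Path' is the standard MozillaPlugins value holding the DLL location.
                    $dll = [string]$key.GetValue('Path')
                    $key.Close()
                    New-Finding $view 'Plugin key' $name $dll
                }
                $plugins.Close()
            }
        }
        finally {
            $hklm.Close()
        }
    }
}

$findings = @(Get-DotNetFirefoxEntry)
if ($findings.Count -eq 0) {
    'No .NET Framework Assistant or WPF plugin registration found under HKLM.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A row with `PathExists` set to `False` means the registration is still present but the file or folder it points to is gone.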

Re:Nuke it with regedit... (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29783681)

You see how intuitive and user friendly that is?
I'm so glad I never need to help anybody keeping their Windows machines functioning.

ya it was funny... (1)

wisnoskij (1206448) | more than 4 years ago | (#29783527)

Ya, it was funny. I was actually reading about how they were dangerous to have while i was prompted by Firefox to remove them.

Terrible summary (1)

live.play.code (1650733) | more than 4 years ago | (#29783547)

Microsoft has ALREADY released a fix, so mozilla's blocking it doesn't force them to do anything. Also, mozilla asked microsoft if blocking it would be a good idea, microsoft said _yes_, and mozilla blocked it. All this I learned from looking at the links in the summary. Hmm, actually RTFA has some advantages.

Re:Terrible summary (2)

Mike Shaver (7985) | more than 4 years ago | (#29783783)

I applaud your commitment to understanding ahead of commenting. I wish such commitment were as widespread as the plugin in question!

Inconsistent logic (0, Troll)

lseltzer (311306) | more than 4 years ago | (#29783553)

Microsoft says that the MS09-054 patch fixes the issue through all possible vectors, so the add-on is not a vulnerability on patched systems. Yet Firefox is blocking all versions of the add-ons. Why?

If it's to block potential future vulnerabilities then they should block all add-ons, because they all have potential future vulnerabilities.

If it's because some users may not update their systems then they should block all add-ons (especially Flash and Acrobat) because lots of add-ons have old vulnerabilities.

If it's just to stick it to Microsoft for the inconsiderate way in which they delivered these add-ons then they should say so. I doubt Microsoft agreed to this, as Mozilla implies in their blog.

Re:Inconsistent logic (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29783591)

Yeah, go figure, some guy on a blog is full of shit.

Who could imagine!

Re:Inconsistent logic (5, Informative)

Mike Shaver (7985) | more than 4 years ago | (#29783607)

MS09-054 is labelled as an Internet Explorer update, so it's not obvious that Firefox users need to apply it. We're working with Microsoft on getting that fixed. Microsoft did definitely agree to it; I'm the one they told, on the telephone, before I requested the block be pushed out. I don't know why you think I was lying -- I didn't "imply" it, I flat out said that they agreed, which is the case. Do I have a history of lying about such things?

Re:Inconsistent logic (1)

lseltzer (311306) | more than 4 years ago | (#29783697)

Even so, why do you block patched systems?

Re:Inconsistent logic (5, Informative)

Mike Shaver (7985) | more than 4 years ago | (#29783773)

Because there is no way to distinguish patched from unpatched systems -- the WPF plugin doesn't expose any version information, unlike Flash and other such systems, and it didn't get updated with MS09-054. If I had known about this vulnerability before they posted on their blog, I would have told them to provide just such a distinction, so that we could disable only unpatched setups! We can remove from the blocklist as quickly as we added, but I wanted to protect users while we made sure that Firefox users would apply this patch, and figure out how to do better with this subsystem going forward. Microsoft agreed, and -- my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.
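The constraint described in the comment above, as an added example that is not part of the original thread and is not Mozilla's blocklist code: a simplified matcher showing that a version-scoped entry works for a plugin that reports a version but cannot be evaluated for one that reports none, which leaves only a blanket block. The entry structure, file names and versions are hypothetical.

```javascript
// Added illustration: simplified model, not Mozilla's blocklist code or format.

// Compare dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An entry blocks a plugin when the file name matches and either the entry
// has no version range (blanket block) or the plugin's version is inside it.
// A plugin that reports no version cannot be tested against a range, so the
// honest answer is "unknown", not "allowed".
function evaluate(entry, plugin) {
  if (!entry.namePattern.test(plugin.filename)) return "allowed";
  if (!entry.range) return "blocked";
  if (plugin.version === undefined) return "unknown";
  const { min, max } = entry.range;
  const inRange = compareVersions(plugin.version, min) >= 0 &&
                  compareVersions(plugin.version, max) <= 0;
  return inRange ? "blocked" : "allowed";
}

// Constructed sample data (hypothetical file names and versions).
const oldVersioned = { filename: "exampleplayer.dll", version: "9.0.45" };
const newVersioned = { filename: "exampleplayer.dll", version: "9.0.60" };
const unversioned  = { filename: "exampleviewer.dll" }; // exposes no version

const scopedPlayer = { namePattern: /^exampleplayer\.dll$/i, range: { min: "0", max: "9.0.50" } };
const scopedViewer = { namePattern: /^exampleviewer\.dll$/i, range: { min: "0", max: "3.5.1" } };
const blanketViewer = { namePattern: /^exampleviewer\.dll$/i, range: null };

function demo() {
  return {
    oldVersioned: evaluate(scopedPlayer, oldVersioned),         // vulnerable build
    newVersioned: evaluate(scopedPlayer, newVersioned),         // fixed build
    scopedOnUnversioned: evaluate(scopedViewer, unversioned),   // cannot decide
    blanketOnUnversioned: evaluate(blanketViewer, unversioned), // only safe option
  };
}
```
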

I can't believe this. (3, Insightful)

Fantastic Lad (198284) | more than 4 years ago | (#29784001)

my sympathy for users that this has inconvenienced notwithstanding -- I still think it was the best of our available options.

You did the right thing. Please ignore silly comments from the peanut gallery.

All diplomacy aside, I appreciate any efforts to lock down the walls against invasive bullshit I was tricked into installing and had to crawl through my registry with a flashlight and hip waders in order to kill. Further, anybody who doesn't have a problem with Microsoft tampering with third party software they have no business touching is probably not the sort of person whose complaints are worth clogging up your conscience with.

Cheers!

-FL

Re:Inconsistent logic (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29783721)

>Do I have a history of lying about such things?

I for one, do not know you from a hill of beans, so I'll assume that yes, you do.

It's safer for me that way.

Re:Inconsistent logic (0)

lseltzer (311306) | more than 4 years ago | (#29783737)

BTW, I don't assume you lie, it's just that your argument doesn't make sense to me as you worded it. And in your own blog you state that "Microsoft is recommending that all users disable the add-on." [off.net] From everything I've read from Microsoft this is an overstatement. They advised disabling the add-on as a mitigation mechanism for those who had not applied the patch.

Re:Inconsistent logic (3, Interesting)

Mike Shaver (7985) | more than 4 years ago | (#29783895)

That statement is consistent with what I heard from Microsoft, though their post has been updated since that conversation. And MSFT has seen that text; if it's not correct, I'm sure I'll hear it from them, and will be happy to correct it. (I wrote the text pretty quickly, since it was late on Friday night and we were getting inbound already from the blocklist addition.) But that's really ancillary to the issue, which is that Firefox users are vulnerable to a problem that we learned about this week, which is labelled as an IE problem/patch. Microsoft and Mozilla agreed that we should block the plugin and add-on to mitigate the risk while we made sure that FF users were going to install that IE patch. This isn't an us-vs-them thing, but I don't know who you're talking to at Microsoft who is saying different things.

Re:Inconsistent logic (1)

lseltzer (311306) | more than 4 years ago | (#29783945)

I haven't talked to anyone at Microsoft. I'm just reading what they're putting out publicly.

Firefox is: (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29783635)

awesome!

Hooray for UAC (0)

Anonymous Coward | more than 4 years ago | (#29783637)

Logged in, UAC popped up a notification that some .NET installer was trying to do something funny. I disallowed it.

Thanks, UAC. Best thing Microsoft has done for Windows in forever and most people disable it. Pity.

Cat and mouse (1)

fearlezz (594718) | more than 4 years ago | (#29783639)

So, when do we expect a Microsoft update to change the blocklist? Or will they simply rename their plugin+give it a new extension id?

Re:Cat and mouse (4, Informative)

Mike Shaver (7985) | more than 4 years ago | (#29783755)

There's no cat and mouse -- they agreed to this blocking. I have in fact encouraged them to use a different extension ID if and when they make a fixed ClickOnce/WPF add-on that can be installed by active user choice rather than by default!

Imagine this from the other side (4, Insightful)

moosesocks (264553) | more than 4 years ago | (#29783651)

Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner."

Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

That all said...I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...

Re:Imagine this from the other side (3, Insightful)

tokul (682258) | more than 4 years ago | (#29783797)

Imagine the shitstorm that would have erupted on /. if Microsoft or Apple hit the kill-switch on a vulnerable version of Firefox.

Bigger shitstorm than the one which happened when MS installed browser extensions without consent from end user?

Company abused its position and put malware on users' machines. Good thing that Mozilla has some options to handle such behavior.

Re:Imagine this from the other side (0)

moosesocks (264553) | more than 4 years ago | (#29783865)

Oh, come on. Microsoft released a patch to their software that extended support to an additional browser.

If you don't like it, don't install the .NET framework. There might have been an accidental security flaw (that they openly acknowledged), but it's hardly malware.

Re:Imagine this from the other side (3, Informative)

Mike Shaver (7985) | more than 4 years ago | (#29783933)

The plugin in question was installed via a Windows Update _security_ update, it wasn't something that people really chose to install. I agree, though, that this really, really isn't malware. That's a ridiculous misuse of the term.

Re:Imagine this from the other side (3, Insightful)

Mike Shaver (7985) | more than 4 years ago | (#29783813)

If Microsoft or Apple asked us about such a kill-switch for a version of Firefox that we put onto their users' systems via a security update, and we agreed that it was the right thing to do, I would hope there wouldn't be a shitstorm at all.

Re:Imagine this from the other side (3, Insightful)

jmv (93421) | more than 4 years ago | (#29783857)

If Mozilla had been installing Firefox without the users' consent and prevented the same users from uninstalling it, then yes, Microsoft would have been justified to hit the kill switch. The same way, if it was just a regular Firefox Addon that MS distributed (that the user explicitly installs and can uninstall at any time), I doubt Mozilla would have made a fuss about it.

Re:Imagine this from the other side (1)

rtaylor187 (694389) | more than 4 years ago | (#29783861)

I thought we were against kill-switches, and certainly wasn't aware that there were any built into Firefox...

There are some situations where a kill-switch is useful - this seems like one of them per TFA. So, I don't think "we" are against kill-switches per se, but rather against undisclosed/secret kill-switches. Firefox is open source, so the kill-switch mechanism is visible in the source somewhere - right? It would take some code review to be "aware", but it is openly available to be found. Whereas... Microsoft, Apple and Amazon (Kindle) are delivering closed source products where a kill-switch mechanism would be hidden/secret unless explicitly disclosed by the manufacturer.

Re:Imagine this from the other side (1)

Jeff DeMaagd (2015) | more than 4 years ago | (#29783877)

Maybe there were people that were 100% anti kill-switch, but I don't think they represent everyone. Just because something can be used for evil doesn't mean it's necessarily bad. A knife that is used to cut fruit can cut people too.

What bothers me more though is the fact that a plug-in can prevent its own disabling or removal without an aggressive external technique.

This is very annoying for me (2, Insightful)

Winckle (870180) | more than 4 years ago | (#29783729)

I like to play games through http://2dfighter.com/default.aspx [2dfighter.com] and this extension let me do so through firefox, now I can't reactivate it at all, and I can't install a new version because it's been removed from the website. Thanks Mozilla, now I have to go back to IE to use 2df.

Re:This is very annoying for me (2, Insightful)

Fantastic Lad (198284) | more than 4 years ago | (#29783909)

Lessee. . . By default a secure browser for a few hundred thousand users who didn't want an invasive add-on in the first place or. . , your ability to play video games.

You know, there are some other fun websites out there which will also try to trick you into installing malware. You might enjoy visiting those as well. --Hey, they even have boobies!

-FL

Re:This is very annoying for me (4, Informative)

Dreadneck (982170) | more than 4 years ago | (#29783921)

If you go to about:config in firefox and toggle the value of extensions.blocklist.enabled from true to false and restart firefox then the plugins will work.

Is There a Conspiracy? (4, Interesting)

Mad Hamster (870092) | more than 4 years ago | (#29783743)

After last Patch Tuesday (yes, this is a confession I do have some Windows boxes), Firefox on my systems developed an issue with pages displaying in sort of a text-only mode when using the Refresh button(1). Page load times were also longer than usual. Those issues disappeared immediately once Mozilla's block of the .NET addon & the WPF plugin arrived.

This taken together with the fact that Microsoft appears to have patched the vulnerabilities before Mozilla put the block in effect makes me wonder if there are bits of the story which have not been made public.

After all the vulnerability has been known to Microsoft for several months, but kept secret until they released a patch. Of course it could just be Mozilla reacting to being kept in the dark about the vulnerability.

(1) Well I also run NoScript, so it may be there was a conflict of some kind with that vs. the Microsoft thingies.

Outrage (3, Insightful)

windex82 (696915) | more than 4 years ago | (#29783779)

Where's the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automatically?

While they're at it... (4, Informative)

wigle (676212) | more than 4 years ago | (#29783793)

They should also disable the Adobe Download Manager (Adobe DLM). For any of you that have downloaded Adobe Reader 9 (with Firefox) recently, you would have noticed that they make you install a Firefox add-on instead of just linking you to the binary.

It's proprietary and full of ads! Just what I wanted, an extension that checks for updates of my Adobe Reader software. Uninstalled. The Firefox team should send a message. Firefox add-ons are not yours to take over like the Windows startup.

I Don't trust just disabling (1)

fast turtle (1118037) | more than 4 years ago | (#29783873)

the damn thing because of the manner in which it installed. It's a registry entry, which means that unless Firefox/Mozilla pulls it from the registry itself, I doubt it is actually disabled because it's not a plug-in/add-on.

Call me paranoid but since the plug-in/add-on is not installed into the proper Firefox extensions/plug-in folder, I can't see how Firefox can control the behaviour of the damn thing so take the assured disabling route of deleting all of the registry keys for the damn thing under the Mozilla/Firefox entries. Did that and the add-on was gone right away without restarting Firefox and that suggests to me that it can't be disabled by Firefox/Mozilla using the traditional methods.

and people wonder why MS has security problems (2, Informative)

ummit (248909) | more than 4 years ago | (#29784011)

In what universe is it acceptable for vendor A to modify vendor B's software on User C's (i.e. my) computer? To modify it at all, let alone with security-impacting ramifications?

Earth to Microsoft: drive-by downloads are among the worst of vulnerabilities. They must be avoided at all costs. And the way to avoid them is not to be more careful when writing and installing unnecessary little browser plug-ins. The way to avoid them is not to install unnecessary little browser plug-ins in the first place. (And if you simply must install unnecessary little browser plug-ins, do it with your own grotty browser, not the non-Microsoft one I installed specifically to avoid all the security concerns of yours.)

Sheesh.
