weekly security podcast
of 4 June 2009
had this to say on the issue:
STEVE: And then the final thing, I'll bet you've probably had this run across your radar, Leo, as a big kerfuffle has arisen. I think maybe Brian Krebs, who I talk about from time to time, who writes a security column for the Washington Post. He may have been the first person to bring this up. And that is that Microsoft was found to be surreptitiously installing a Firefox add-on for .NET.
LEO: Oooooooh. Oooooooh. Oooooooh.
STEVE: And get this. The Firefox add-on that they installed as part of their regular monthly patch, that is, the second Tuesday of the month deal, when they did, they introduced the .NET Framework 3.5 Service Pack 1, which was back in February, just without telling anyone they slipped this into the Firefox add-on list. I have seen it for months...
LEO: Yeah, me, too, yeah, yeah.
STEVE: ...because it's been there for a while. It's like, oh, I mean, I've already given up because it's like, okay, either you're trusting what Microsoft is doing or you're not.
LEO: Or you're out of luck.
STEVE: Exactly. I mean, if you don't, then go to Linux or a Mac. But it literally, this add-on establishes in Firefox, get this, "The ability for websites to easily and quietly install software on your PC. So the problem here is this is why you're using Firefox, is that you don't want websites to have the ability to easily and quietly install software on your PC. You've moved to Firefox because you don't want to be using the most historically vulnerable browser, Internet Explorer, in the industry. And yet Microsoft has reached over and added this feature to your Firefox browser without your knowledge or permission to do just that. Now, what makes it even problematical is that the uninstall button is disabled.
STEVE: So no one can remove it. Now, now Microsoft is saying, oh, well, I mean, talk about double-speak. I'm going to quote what Microsoft says on their site because they've been slapped so hard and it's raised so much concern that they've now backed off from that. But they say, "In .NET Framework 3.5 SP1, the .NET Framework Assistant enables Firefox to use the Click Once technology that is included in the .NET Framework. The .NET Framework Assistant is added at the machine level to enable its functionality for all users on the machine. As a result, the uninstall button is shown as unavailable in the Firefox add-ons list."
LEO: In case there's somebody else who's using it.
STEVE: Oh, well, yes, exactly. It's at the machine level.
LEO: Oh ho.
STEVE: Too sophisticated for you to manage.
LEO: Wow, yes.
STEVE: "As a result, the uninstall button is shown as unavailable in the Firefox add-ons list because standard users are not permitted to uninstall machine-level components."
STEVE: Even though an...
LEO: So if I'm an administrator I could do it.
STEVE: ...end-user running the machine got it installed just by using Windows Update.
LEO: Yeah, no problem, yeah.
STEVE: That you're being pounded on to make sure is turned on all the time. So they're saying, "In this update for .NET Framework 3.5 SP1, and in Windows 7, the .NET Framework Assistant will be installed on a per-user basis. As a result, the uninstall button will be functional in the Firefox add-ons list. This update will also make this version of the .NET Framework Assistant for Firefox compatible with future versions of the Firefox browser, whatever that means. To properly update the .NET Framework Assistant, this update must be applied while the extension is enabled in Firefox." And it goes blah, blah; it goes on and on.
So, once again, we have a URL where Firefox users can get this. It is support.microsoft.com/?kbid, as in knowledge base identifier. So it's ?kbid=963707. So again, support.microsoft.com/?kbid=963707. That will get you to a page where you can do a number of things. You can manually edit the registry. They've got all kinds of different ways of rummaging around and making this happen. But there's...
LEO: No automatic "Fix it" button, I notice.
STEVE: Yeah, there's not the happy little guy with the tool waving at you.
LEO: Sorry, you can't do that.
STEVE: However, what this will end up doing is disabling the disablement, which is to say reenabling as it - now that they've been scolded, you can reenable the uninstall and then say thank you, Microsoft, but I would prefer not to have Firefox able to easily install software in my machine so that I'm not inconvenienced with the question.
LEO: This is unconscionable. I can't believe this.
STEVE: Yes. Yes.
LEO: I'm stunned.
STEVE: This is bad.
LEO: How dare they?
LEO: In fact, this is exactly the kind of thing that they've been brought to task for by the Department of Justice and the EU. I mean, it's one thing to say, well, you have to use Internet Explorer, we'll going to include Internet Explorer; anther thing to modify other browsers that you use on the system to make them less secure. Am I correct? This makes it less secure?
STEVE: Yes, that's exactly what it does. And which is why Brian Krebs, when he, like, I guess a couple people brought it to his attention, and he said, huh? And he looked at it and did the research, and it's like, oh, goodness, I mean, this is really, really bad.
LEO: That's unconscionable.
STEVE: And this is - Microsoft has worked to build our trust in the whole Windows Update facility. I mean, as I said, you either trust them or you don't use Windows because we've given up control. They're downloading code and dunning us and punishing us and with red flashing lights and things if we try to take control back from them. And it's funny because a friend of mine this morning at Starbucks came to visit and says, so, are you on IE7? I said, oh, yeah, for quite a while. And he says, oh, I guess - so you've made peace with it? I said, well, the only time I ever run it now is to run Windows Update.
STEVE: I mean, I'm completely converted to Firefox with, like, zero trouble. So, I said, so kind of. I mean, it's on my machines; and 8 is sort of filtering in to my machines as I think, well, okay, why not? I mean, I'm not using it anymore, so I don't care if Microsoft wants to push IE8 on my machines. Fine, you know, it has no effect on me except for running Windows Update, which insists on running under IE.
So, yeah, Leo, I agree. This is, I mean, this is a breach of trust. The fact that this was slipped in, that it is a software installation shim for Firefox so that their .NET Framework is able to be more pervasive and to run on more websites. And so that website owners are not going to say, well, I'm not really going to update or start using that because, after all, Firefox doesn't support this. Well, Microsoft slipped this in so that it does, even if it's not what the end-user would want. And so anyone with Firefox, if you look at your add-on list, and you've been keeping your Windows current, you'll see this thing sitting there, and its uninstall button is grayed out, preventing you from uninstalling it until you go here, reenable the button, then you can say thank you, but no, Microsoft.
LEO: Now, what do you lose, just out of curiosity, if you do that? I mean, is there anything that I need this .NET bug for? Is this the Click Once thing?
STEVE: Well, that's what it is. And the question is, I mean, you can think of it as, like, super-advanced scripting. The question is, for example, and we discuss this often here, what do you lose if you disable scripting? Well, you lose some functionality that may or may not be something you care about losing in return for increasing your security. So hopefully - I don't know what.
LEO: I mean, is there - okay. Yeah, well, for one thing, yeah. There's no question this was a stupid and wrong thing to do.
LEO: I mean, there's not a question about that.
STEVE: Without permission. They could have, I mean, look at all the things we do have to give permission for. Every time Microsoft does something, we're having to reverify our license. Yes, I reassert my compliance to your EULA. I mean, often we're being asked to recertify that, yes, we're going to abide by these license terms. It's certainly not out of the question to imagine that Microsoft might say, hey, we want to - we're updating the .NET Framework. It's becoming more pervasive. It's the future. So we want to bring Firefox, which we happen to notice you have on your Windows machine for some reason, we want to bring it into compliance and make sure that things stay synchronized and the functionality that we hope you've become dependent upon will also be present in Firefox as it is in IE. So do we have your permission to do this? I mean, all they had to do was ask. And then people could have said, oh, yeah, I guess I should have that, or not.
LEO: Do you think this is a case of - clearly what Microsoft thinks, I'm trying to put myself in their head, is this is too complicated for our users. We're just going to make this decision on their behalf. And we're not going to explain it because even explaining it is too complicated. So we're just going to do it. We know what's best. We're not causing a problem here. You've trusted us to run your system, so we're going to just do this.
STEVE: I mean, yes, you can certainly say that, hey, you know, trust us or leave.
LEO: Right. I mean, well, you have to. I mean, that's - that's the deal.
LEO: Oh, I just think that stinks. Now, some people have said this is anti-competitive, as well.
STEVE: I have to imagine that there was a conference of some length at Microsoft where they decided to do this. I mean, I hope this wasn't something that they did thoughtlessly. So following your logic, Leo, there must have been the argument made that this is something that was in their and their users' best interests to pursue. I don't know enough about the architecture of Firefox's innards to know whether they had a choice of making this visible on the surface of the UI or not. They may have had no choice. They may have preferred to just sort of slip this in as they do in IE, secretly. But it may be that the architecture doesn't allow them to do that, that they weren't able to just deposit this somewhere and have it take action without being visible on the surface. Or they may have felt, shoot, you know, once that's discovered we'll be in even bigger trouble.
So it would have been nice to be asked, and it certainly would have been nice not to have the uninstall button grayed out. Or, if you click it, have them then present a dialogue that says, whoa. You can uninstall this if you want to, but here's what you lose if you do. Instead it just - it appears magically. It's about installing software into your system without you, making it easier to do that. And we're not going to let you take it out.
LEO: Now, I have Firefox installed on my Vista machine, and IE8 installed, and I'm looking in the add-ons. And I don't see anything. I do see some Microsoft stuff, the Windows Presentation Foundation and Silverlight. I think I installed those.
STEVE: In Firefox.
LEO: Yeah. Mozilla Default Plug-in, Java Platform, iTunes. It says .NET in the name of it?
STEVE: Yes. And I definitely...
LEO: I've seen it on some of my browsers, I mean, some of my systems. But I'm just looking at my Vista system here, and I don't see it. And a couple of people in the chatroom said, well, I don't see it. So I wonder what circumstances - or maybe you have to download a...
STEVE: Okay, I'm looking at it.
LEO: Oh, wait a minute, it's in extensions. I'm sorry. It's not in plug-ins.
LEO: I do see it. Ah ha.
STEVE: Correct, it's extensions.
LEO: I was looking in the wrong place. As Click One Support. There's no disable button. There's a disable button, but no uninstall button. So I could disable it, but I can't remove it. Prompt once before running Click Once. Report all installed versions.
STEVE: Now, that's interesting. Mine is disabled. I must have done that. I had forgotten. Because I'm seeing my Enable button is enabled, and the little popup toolkit says "Enable this add-on when Firefox is restarted." And so I had clearly disabled it, saying - seeing it and saying I don't think I want this, thank you very much. And so, and I restarted the system, and now it's sitting in there. It's not removed.
LEO: It's not uninstallable, but it is disabled.
STEVE: Exactly. I can not uninstall it, but I did disable it in the past.
LEO: Very interesting. I don't - regardless, I mean, I guess maybe Microsoft said, well, you can disable it. But I don't want them installing it.
STEVE: Yeah. I mean, and we can be grateful that this came up, that they've certainly, whatever decision they reached around the conference room, the discussion that I hope they had, they may recognize now that they went too far, and they won't do something like this again. So we can hope that they learn from it.
LEO: Yeah. It does seem unconscionable. You know, there's supposed to be - maybe that's expired. But after the terms of the settlement with the Department of Justice, Judge Colleen Kollar-Kotelly I remember required a judge-appointed ombudsman in Microsoft, maybe even a committee, watching what they do to make sure they don't do anti-competitive things. I wonder if these people are paying any attention at all.
STEVE: Well, I did pick up a little news blurb earlier this week that the EU is not through with Microsoft. They're gearing up, or teeing up, on Microsoft. Apparently what they're considering is requiring Windows to include competitive browsers.
LEO: They're requiring Windows to include competitive browsers. Wow.
STEVE: Literally Firefox and Opera...
LEO: Have it built in, good. I think that's not a bad idea.
STEVE: And so what would happen is, when you first turn Windows on, they call it a "ballot screen." It comes up, and it says, which of these browsers do you wish to install, and which do you want to set up as your system default? So the EU would be requiring that users who are first turning their machine on in that initial sort of pre-usage configuration phase are actually given a choice, and the browsers are present, and you can choose to install any of them that you like, and choose which one you want to use. And so they're talking about moving much further than they did in their prior work of requiring Microsoft to unbundle the media player.
LEO: Ken Shepardson's saying in our FriendFeed chat room that to decouple the Microsoft-is-bad stuff from the security stuff, well, here's the security issue. I mean, they're installing something into Firefox that allows a website to automatically install software on your machine; is that correct?
LEO: Okay. That seems to me on the surface of it that that's a security issue.
STEVE: And that's why - and my complaint is it's why people left IE.
LEO: In the first place.
STEVE: I mean, you have to leave IE. You don't - you're using Firefox because you went to Mozilla.org and got it, and you know why you're using it, and it's a little bit uncomfortable because you have to go back to IE for Windows Update and doing things that only Microsoft will allow to happen under IE. So it's like, this is a conscious choice people are making for some reason, probably because they've decided they don't trust Internet Explorer. So here it's Microsoft reaching over into that decision and saying, eh, not so fast. [... continues onto another topic]
Copyright (c) 2009 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:220.127.116.11) Gecko/20081217 Firefox/18.104.22.168 diehard