MS sneaks in a Fx add-on at machine level!

General discussion about the NoScript extension for Firefox
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: MS sneaks in a Fx add-on at machine level!

Post by Tom T. » Wed Jun 03, 2009 3:54 am

GµårÐïåñ wrote:@luntrus, no one is defending anything other than the fact that to make a blank statement of ignorance is just wrong. If you come here and post things just to hear yourself talk and don't want responses or discussion then please stop, but if you do it because you have a real point, then there are two sides to everything and jumping on the ignorant bandwagon is wrong and I will defend against it.

GµårÐïåñ, you are my friend, but I didn't get that from luntrus's posts. He reported what he read, saw, and experienced, and you did the same. No two systems, setups, configurations, or users are the same. I am certain that you have studied formal logic (not "computer logic", but verbal debate syllogism-type logic) as I have, and this is the error of "hasty generalization": to take one's own experience, or a single sample (case) as representative of everyone's, or even as proof. Which, of course, is a fancy way of saying what therube said, but since he too is jumping on me as a tech luddite, might as well show off my advanced skills in other areas :lol:

The opposite, however, IS true: Any "none" or "never" statement can be proven false by a single example to the contrary -- the "Black Swan" rule, or modus tollens. To-wit: If you say that luntrus' claimed event *never* happens, then a single incident of it disproves your statement. Several of us, perhaps not so advanced as yourself but not totally stupid, have reported such incidents. I mentioned my friend with a Master of Science in Computer Science, who had WGA Notification silently installed. She also has a genius IQ and built sw for the Space Shuttle. Didn't stop MS from slipping one by silently. Of course, perhaps not everyone keeps wireshark installed at all times and vets each 0 and 1 that comes in. If that's "user stupidity", lots of stupid people out there.

G, I love you, Bro, but I think you've been too harsh on luntrus. I don't want to discourage him from coming here anytime he cares to share his excellent insights gained from fighting malware. He's always welcome in my book. Please reconsider your post. Thank you, my friend.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Wed Jun 03, 2009 4:18 am

Tom, as always I appreciate what you have to say but I never said that just because it has not happened to me the statement is wrong. If you read carefully everything that I have said is that, indeed IT IS NOT (for a fact) an automated slip or trickery otherwise it would affect EVERYONE equally. If something can be stopped from doing what everyone is whining about, then there was a way that was overlooked by the rest. This is not only code logic but also discussion logic. The fact that it has NOT happened to me and thousands of others suggests that although the other side may outnumber us (for whatever reason, and I don't believe I used the term stupid but if I did, I am sorry) but the fact that WE and OUR condition exists suggests that perhaps as unlikely as it may seem that so many screwed the pooch, indeed they did. Didn't everyone but a minor few believe everything revolved around the earth? Did saying that's not true mean it was wrong? No, it was proven to be correct to dissent from that view actually. But at the time, it was heresy. All I say and I will repeat simply as a courtesy to you who chose to address me, I wasn't being hard on anyone and I simply want the acknowledgment that just because the majority is suffering from something doesn't mean they didn't do it to themselves and my experience is indeed proof that it can be avoided. So the question is, why was I able to avoid it and the rest weren't. Not, oh you must be wrong because so many of us had it happen to us. Anyway, I know you get my point, so I will just leave it at that. If it makes everyone happy, I am sorry, I was wrong, the rest of you are right and I recant. :roll:
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: MS sneaks in a Fx add-on at machine level!

Post by luntrus » Wed Jun 03, 2009 10:27 pm

Hi readers of this thread,

Well Microsoft patched it right here: http://www.microsoft.com/downloads/deta ... 83ba034eab (so if you have the older installation you can now both disable and uninstall it)
Furthermore we have found that uninstalling was possible for Windows7 from the word go, and the issue never existed for that Windows platform. Glad to inform you all here there is no issue anymore, I'm also glad the working of Mozilla Fx will be like it was and continued.

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090603 Shiretoko/3.5pre

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: MS sneaks in a Fx add-on at machine level!

Post by Tom T. » Thu Jun 04, 2009 7:35 am

GµårÐïåñ wrote:I simply want the acknowledgment that just because the majority is suffering from something doesn't mean they didn't do it to themselves...

But it doesn't prove that they *did* do it to themselves, either. This is an indeterminate situation in the absence of further information, which must be examined case by case for cause, reproduction, etc.
GµårÐïåñ wrote:...and my experience is indeed proof that it can be avoided. So the question is, why was I able to avoid it and the rest weren't.

Because you are about 1000 times more knowledgeable and aware than the basically-aware user, and infinitely more knowledgeable and aware than the average home user. Amazingly, most home users never study these issues at all. They turn on the machine and believe they have been sold a product that works and is reasonably safe, just as if they bought a new car. The fortunate ones get tipped off by friends or news stories, add FX, NS, etc. and go back to living their lives, most of which don't revolve around computing. The puter is just a tool like the telephone or TV -- they don't need to know how it works, so long as it works.

MS takes advantage of this vast majority of users. They'll never slip anything by you, true, but I don't think that makes their behavior justifiable. If you leave your doors and windows locked, and I break into your home and get away with it, is it your fault that you didn't install a burglar alarm, bars on the windows, three pit bulls, and a 24/7 security guard? Perhaps you could/should have taken additional precautions, but that still doesn't change the fact that I'm a criminal who broke into your home without your permission or even your knowledge at the time.

GµårÐïåñ wrote:If it makes everyone happy, I am sorry, I was wrong, the rest of you are right and I recant. :roll:

This isn't the Catholic Church vs. Galileo, with the latter recanting publicly under threat of excommunication, while (supposedly) muttering to himself, "Ne sic movebo" (from memory, probably quoting it wrong) = "Nevertheless, it (the Earth) moves". No one is going to excommunicate you, so there is no need to be insincere and give a fake apology while rolling your eyes. Hold to your own convictions. The only reason that I got involved was because the discussion switched from the facts, theories, and issues, to luntrus personally, which is inappropriate and also invalid ("argumentum ad hominem"). The original issue is now moot, anyway, but maintain your position so long as you believe that you are correct, and permit luntrus the freedom of his without insulting him. (or anyone else)

Cheers, Image
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: MS sneaks in a Fx add-on at machine level!

Post by GµårÐïåñ » Thu Jun 04, 2009 7:45 am

I wasn't insulting luntrus or anyone else, just providing my position and opinion, how its taken is out of my hands. The only thing I said directed to luntrus was when I felt he was stifling my point of view in favor of the majority, otherwise, I said nothing to him or anyone else other than stating my position on the subject in the general. I wasn't being insincere but rather sarcastic in that the minority view doesn't become wrong because the majority says so but if they need the affirmation or appearance of concession, then they can have it; won't change my convictions. For better or worse, live by the sword and die by the sword, at least everyone knows where you stand and can hold you to your word. ;) Love you man, you know that, so thanks and goodnight.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Steve Gibson's take on this issue

Post by Tom T. » Sat Jun 06, 2009 10:29 am

Steve Gibson's weekly security podcast of 4 June 2009 had this to say on the issue:
***********
[...]
STEVE: And then the final thing, I'll bet you've probably had this run across your radar, Leo, as a big kerfuffle has arisen. I think maybe Brian Krebs, who I talk about from time to time, who writes a security column for the Washington Post. He may have been the first person to bring this up. And that is that Microsoft was found to be surreptitiously installing a Firefox add-on for .NET.

LEO: Oooooooh. Oooooooh. Oooooooh.

STEVE: And get this. The Firefox add-on that they installed as part of their regular monthly patch, that is, the second Tuesday of the month deal, when they did, they introduced the .NET Framework 3.5 Service Pack 1, which was back in February, just without telling anyone they slipped this into the Firefox add-on list. I have seen it for months...

LEO: Yeah, me, too, yeah, yeah.

STEVE: ...because it's been there for a while. It's like, oh, I mean, I've already given up because it's like, okay, either you're trusting what Microsoft is doing or you're not.

LEO: Or you're out of luck.

STEVE: Exactly. I mean, if you don't, then go to Linux or a Mac. But it literally, this add-on establishes in Firefox, get this, "The ability for websites to easily and quietly install software on your PC. So the problem here is this is why you're using Firefox, is that you don't want websites to have the ability to easily and quietly install software on your PC. You've moved to Firefox because you don't want to be using the most historically vulnerable browser, Internet Explorer, in the industry. And yet Microsoft has reached over and added this feature to your Firefox browser without your knowledge or permission to do just that. Now, what makes it even problematical is that the uninstall button is disabled.

LEO: Oh.

STEVE: So no one can remove it. Now, now Microsoft is saying, oh, well, I mean, talk about double-speak. I'm going to quote what Microsoft says on their site because they've been slapped so hard and it's raised so much concern that they've now backed off from that. But they say, "In .NET Framework 3.5 SP1, the .NET Framework Assistant enables Firefox to use the Click Once technology that is included in the .NET Framework. The .NET Framework Assistant is added at the machine level to enable its functionality for all users on the machine. As a result, the uninstall button is shown as unavailable in the Firefox add-ons list."

LEO: In case there's somebody else who's using it.

STEVE: Oh, well, yes, exactly. It's at the machine level.

LEO: Oh ho.

STEVE: Too sophisticated for you to manage.

LEO: Wow, yes.

STEVE: "As a result, the uninstall button is shown as unavailable in the Firefox add-ons list because standard users are not permitted to uninstall machine-level components."

LEO: Okay.

STEVE: Even though an...

LEO: So if I'm an administrator I could do it.

STEVE: ...end-user running the machine got it installed just by using Windows Update.

LEO: Yeah, no problem, yeah.

STEVE: That you're being pounded on to make sure is turned on all the time. So they're saying, "In this update for .NET Framework 3.5 SP1, and in Windows 7, the .NET Framework Assistant will be installed on a per-user basis. As a result, the uninstall button will be functional in the Firefox add-ons list. This update will also make this version of the .NET Framework Assistant for Firefox compatible with future versions of the Firefox browser, whatever that means. To properly update the .NET Framework Assistant, this update must be applied while the extension is enabled in Firefox." And it goes blah, blah; it goes on and on.

So, once again, we have a URL where Firefox users can get this. It is support.microsoft.com/?kbid, as in knowledge base identifier. So it's ?kbid=963707. So again, support.microsoft.com/?kbid=963707. That will get you to a page where you can do a number of things. You can manually edit the registry. They've got all kinds of different ways of rummaging around and making this happen. But there's...

LEO: No automatic "Fix it" button, I notice.

STEVE: Yeah, there's not the happy little guy with the tool waving at you.

LEO: Sorry, you can't do that.

STEVE: However, what this will end up doing is disabling the disablement, which is to say reenabling as it - now that they've been scolded, you can reenable the uninstall and then say thank you, Microsoft, but I would prefer not to have Firefox able to easily install software in my machine so that I'm not inconvenienced with the question.

LEO: This is unconscionable. I can't believe this.

STEVE: Yes. Yes.

LEO: I'm stunned.

STEVE: This is bad.

LEO: How dare they?

STEVE: Yeah.

LEO: In fact, this is exactly the kind of thing that they've been brought to task for by the Department of Justice and the EU. I mean, it's one thing to say, well, you have to use Internet Explorer, we'll going to include Internet Explorer; anther thing to modify other browsers that you use on the system to make them less secure. Am I correct? This makes it less secure?

STEVE: Yes, that's exactly what it does. And which is why Brian Krebs, when he, like, I guess a couple people brought it to his attention, and he said, huh? And he looked at it and did the research, and it's like, oh, goodness, I mean, this is really, really bad.

LEO: That's unconscionable.

STEVE: And this is - Microsoft has worked to build our trust in the whole Windows Update facility. I mean, as I said, you either trust them or you don't use Windows because we've given up control. They're downloading code and dunning us and punishing us and with red flashing lights and things if we try to take control back from them. And it's funny because a friend of mine this morning at Starbucks came to visit and says, so, are you on IE7? I said, oh, yeah, for quite a while. And he says, oh, I guess - so you've made peace with it? I said, well, the only time I ever run it now is to run Windows Update.

LEO: Right.

STEVE: I mean, I'm completely converted to Firefox with, like, zero trouble. So, I said, so kind of. I mean, it's on my machines; and 8 is sort of filtering in to my machines as I think, well, okay, why not? I mean, I'm not using it anymore, so I don't care if Microsoft wants to push IE8 on my machines. Fine, you know, it has no effect on me except for running Windows Update, which insists on running under IE.

So, yeah, Leo, I agree. This is, I mean, this is a breach of trust. The fact that this was slipped in, that it is a software installation shim for Firefox so that their .NET Framework is able to be more pervasive and to run on more websites. And so that website owners are not going to say, well, I'm not really going to update or start using that because, after all, Firefox doesn't support this. Well, Microsoft slipped this in so that it does, even if it's not what the end-user would want. And so anyone with Firefox, if you look at your add-on list, and you've been keeping your Windows current, you'll see this thing sitting there, and its uninstall button is grayed out, preventing you from uninstalling it until you go here, reenable the button, then you can say thank you, but no, Microsoft.

LEO: Now, what do you lose, just out of curiosity, if you do that? I mean, is there anything that I need this .NET bug for? Is this the Click Once thing?

STEVE: Well, that's what it is. And the question is, I mean, you can think of it as, like, super-advanced scripting. The question is, for example, and we discuss this often here, what do you lose if you disable scripting? Well, you lose some functionality that may or may not be something you care about losing in return for increasing your security. So hopefully - I don't know what.

LEO: I mean, is there - okay. Yeah, well, for one thing, yeah. There's no question this was a stupid and wrong thing to do.

STEVE: Yes.

LEO: I mean, there's not a question about that.

STEVE: Without permission. They could have, I mean, look at all the things we do have to give permission for. Every time Microsoft does something, we're having to reverify our license. Yes, I reassert my compliance to your EULA. I mean, often we're being asked to recertify that, yes, we're going to abide by these license terms. It's certainly not out of the question to imagine that Microsoft might say, hey, we want to - we're updating the .NET Framework. It's becoming more pervasive. It's the future. So we want to bring Firefox, which we happen to notice you have on your Windows machine for some reason, we want to bring it into compliance and make sure that things stay synchronized and the functionality that we hope you've become dependent upon will also be present in Firefox as it is in IE. So do we have your permission to do this? I mean, all they had to do was ask. And then people could have said, oh, yeah, I guess I should have that, or not.

LEO: Do you think this is a case of - clearly what Microsoft thinks, I'm trying to put myself in their head, is this is too complicated for our users. We're just going to make this decision on their behalf. And we're not going to explain it because even explaining it is too complicated. So we're just going to do it. We know what's best. We're not causing a problem here. You've trusted us to run your system, so we're going to just do this.

STEVE: I mean, yes, you can certainly say that, hey, you know, trust us or leave.

LEO: Right. I mean, well, you have to. I mean, that's - that's the deal.

STEVE: Yeah.

LEO: Oh, I just think that stinks. Now, some people have said this is anti-competitive, as well.

STEVE: I have to imagine that there was a conference of some length at Microsoft where they decided to do this. I mean, I hope this wasn't something that they did thoughtlessly. So following your logic, Leo, there must have been the argument made that this is something that was in their and their users' best interests to pursue. I don't know enough about the architecture of Firefox's innards to know whether they had a choice of making this visible on the surface of the UI or not. They may have had no choice. They may have preferred to just sort of slip this in as they do in IE, secretly. But it may be that the architecture doesn't allow them to do that, that they weren't able to just deposit this somewhere and have it take action without being visible on the surface. Or they may have felt, shoot, you know, once that's discovered we'll be in even bigger trouble.

So it would have been nice to be asked, and it certainly would have been nice not to have the uninstall button grayed out. Or, if you click it, have them then present a dialogue that says, whoa. You can uninstall this if you want to, but here's what you lose if you do. Instead it just - it appears magically. It's about installing software into your system without you, making it easier to do that. And we're not going to let you take it out.

LEO: Now, I have Firefox installed on my Vista machine, and IE8 installed, and I'm looking in the add-ons. And I don't see anything. I do see some Microsoft stuff, the Windows Presentation Foundation and Silverlight. I think I installed those.

STEVE: In Firefox.

LEO: Yeah. Mozilla Default Plug-in, Java Platform, iTunes. It says .NET in the name of it?

STEVE: Yes. And I definitely...

LEO: I've seen it on some of my browsers, I mean, some of my systems. But I'm just looking at my Vista system here, and I don't see it. And a couple of people in the chatroom said, well, I don't see it. So I wonder what circumstances - or maybe you have to download a...

STEVE: Okay, I'm looking at it.

LEO: Oh, wait a minute, it's in extensions. I'm sorry. It's not in plug-ins.

STEVE: Correct.

LEO: I do see it. Ah ha.

STEVE: Correct, it's extensions.

LEO: I was looking in the wrong place. As Click One Support. There's no disable button. There's a disable button, but no uninstall button. So I could disable it, but I can't remove it. Prompt once before running Click Once. Report all installed versions.

STEVE: Now, that's interesting. Mine is disabled. I must have done that. I had forgotten. Because I'm seeing my Enable button is enabled, and the little popup toolkit says "Enable this add-on when Firefox is restarted." And so I had clearly disabled it, saying - seeing it and saying I don't think I want this, thank you very much. And so, and I restarted the system, and now it's sitting in there. It's not removed.

LEO: It's not uninstallable, but it is disabled.

STEVE: Exactly. I can not uninstall it, but I did disable it in the past.

LEO: Very interesting. I don't - regardless, I mean, I guess maybe Microsoft said, well, you can disable it. But I don't want them installing it.

STEVE: Yeah. I mean, and we can be grateful that this came up, that they've certainly, whatever decision they reached around the conference room, the discussion that I hope they had, they may recognize now that they went too far, and they won't do something like this again. So we can hope that they learn from it.

LEO: Yeah. It does seem unconscionable. You know, there's supposed to be - maybe that's expired. But after the terms of the settlement with the Department of Justice, Judge Colleen Kollar-Kotelly I remember required a judge-appointed ombudsman in Microsoft, maybe even a committee, watching what they do to make sure they don't do anti-competitive things. I wonder if these people are paying any attention at all.

STEVE: Well, I did pick up a little news blurb earlier this week that the EU is not through with Microsoft. They're gearing up, or teeing up, on Microsoft. Apparently what they're considering is requiring Windows to include competitive browsers.

LEO: They're requiring Windows to include competitive browsers. Wow.

STEVE: Literally Firefox and Opera...

LEO: Have it built in, good. I think that's not a bad idea.

STEVE: And so what would happen is, when you first turn Windows on, they call it a "ballot screen." It comes up, and it says, which of these browsers do you wish to install, and which do you want to set up as your system default? So the EU would be requiring that users who are first turning their machine on in that initial sort of pre-usage configuration phase are actually given a choice, and the browsers are present, and you can choose to install any of them that you like, and choose which one you want to use. And so they're talking about moving much further than they did in their prior work of requiring Microsoft to unbundle the media player.

LEO: Ken Shepardson's saying in our FriendFeed chat room that to decouple the Microsoft-is-bad stuff from the security stuff, well, here's the security issue. I mean, they're installing something into Firefox that allows a website to automatically install software on your machine; is that correct?

STEVE: Yes.

LEO: Okay. That seems to me on the surface of it that that's a security issue.

STEVE: And that's why - and my complaint is it's why people left IE.

LEO: In the first place.

STEVE: I mean, you have to leave IE. You don't - you're using Firefox because you went to Mozilla.org and got it, and you know why you're using it, and it's a little bit uncomfortable because you have to go back to IE for Windows Update and doing things that only Microsoft will allow to happen under IE. So it's like, this is a conscious choice people are making for some reason, probably because they've decided they don't trust Internet Explorer. So here it's Microsoft reaching over into that decision and saying, eh, not so fast. [... continues onto another topic]

Copyright (c) 2009 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

Post Reply