Whilst it’s not okay in Microsoft’s eyes for Google to install a plugin into Internet Explorer, increasing the potential surface area of attack, when Microsoft do it to Firefox, it’s a different matter. Now a security hole has been found in a plugin that Microsoft have been silently installing into Firefox.
Along with .NET Framework 3.5 SP1, Microsoft have been silently installing a Windows Presentation Foundation Plugin that allows the embedding of XAML applications (an XML-based UI technology) in web pages, called XBAP (XAML Web App).
The exploit is drive-by, meaning that the victim only needs to be lured onto a web-page for the attack to be effective. The only safe thing to do until a patch is issued, is to open Firefox’s AddOn Manager and disable the WPF plugin.
Microsoft were caught earlier this year silently installing a ^aEURoe.NET Framework Assistant^aEUR plugin into Firefox, which could not initially be uninstalled. After some pressure from the press, Microsoft relented and provided an update to enable the uninstall button. That update then broke a number of other Firefox extensions.
The only thing that surprises me more, is that I’m not surprised that Microsoft could be this incompetent when it comes to the safety of all users of the web using Windows, regardless if they’re using IE or not.
With greater marketshare than ever before, and a firm position in the mainstream, every software vendor and their dog are wanting to integrate with Firefox. This has led to numerous unwanted, irritating and often uninstallable plugins to add themselves to Firefox. WPF is really only the tip of the iceberg.
Silently installing software on your computer that you are unaware of, is called malware in my book. Mozilla have the capability to blacklist plugins and addons if they misbehave or pose a threat. Frankly, if I were Mozilla, I would ban Microsoft’s plugins from Firefox until they provide an opt-in interface.
This also raises concerns with how Mozilla handle extensions and plugins being installed into the browser without the user’s permission. Whilst Firefox will bring up the AddOns Manager when a new extension is installed, the new extension is not disabled by default until you permit it (Mozilla are working on a proposal for this). External programs on the computer can install extensions into Firefox with nothing more than a registry key, and plugins that are added outside of Firefox itself will not be reported to the user (as in the case with WPF).
With good timing, Mozilla have been working on a Plugin Check system to ensure that users are kept up to date with plugins, which pose a security threat and are a part of the browser users are often unaware of. This follows Mozilla alerting users to an out of date Flash Player version on their landing page for updated Firefox versions.
HTML5 promises to reduce the need for plugins by providing much of the same functionality natively, in the browser via SVG, JavaScript and native video and audio elements. In my opinion, Mozilla need to take a hard stance and stop this plight of plugins as it may turn people off of using Firefox, not least lead to bad press as more plugins are used as exploit vectors in the face of growing Firefox marketshare.
So let me get this, Firefox can be exploited via pluggins? there are hundreds of pluggins for Firefox and everyone one of them its a potential hole, scary.
Plugins are like Java, Flash, etc – they are not the same as Firefox extensions. Basically if you run into a website that demands you install some plugin, you should maybe think twice, since you’re trusting a piece of software that is not sandboxed.
In any case, I notice Firefox now disables the WPF plugin “for my protection”
Ah, I was hoping someone on Windows could confirm that, I read in a comment on another article that Mozilla had flipped the kill-switch and blacklisted the plugin until MS fix it.
I’ll confirm that Mozilla is pushing to disable the extensions. I got the popup just a minute ago to restart for my protection.
I guess that the .NET Framework assistant was added along with the latest .NET 3.5 updates.
I recall myself manually uninstalling all Microsoft add-ons after the last gaffe.
Now they’re back at it?
I only noticed that it was installed when I had the restart Firefox dialog pop up with a message that two “unsafe” add-ons related to Microsoft has been disabled.
Yeah, Just received the popup minutes ago.
Awesome by Mozilla
Yup, me as well. When I saw what add-ons, I didn’t waste a single neuron pulse to try and guess why.
My belief is now confirmed.
Hooray for Mozilla blocking the add-ons!!
–The loon
That is not the problem, as usually nobody will have all of the plugins installed, and NONE of the plugins will be there without his knowledge.
What MS did here, was BY FAR worse, than what google does.
If you come across a website, which requires the chrome plugin in IE, you get asked a nice question, if you want to install that plugin or not. You have to explicitly say “yes” to get the stuff installed.
Whereas in the current situation, you run an update on WINDOWS, and it installs a backdoor into software hich should be out-of-bounds for it’s update scope.
Instead they should do the same as google does with the chrome plugin: Put up a plugin for download, that is installed (or not) by the browser, once it comes across a website which says it needs it.
Microsoft seems to be at it’s old dirty tricks again: Make sure EVERYBODY who is on Windows can interpret THEIR closed, patented version of web protocols. Then luring web designers into designing EXCLUSIVELY for this warped web protocol, thereby creating a bad web experience for non-Windows users.
The google chrome plugin is doing the exact opposite: Enabling IE for standardized, international and platform agnostic web protocols, thereby enabling those standards to be used by EVERYBODY, including operating systems which have only one user on the whole planet.
Just switch to Chrome .
Sure, I’ll give you a list of my essential Firefox extensions and build-in Firefox features which actually improve my work flow significantly or make the Internet simply a nicer place. If Chrome can do all of this things as well I’ll consider switching. Oh, but I forgot: You’re the ascetic who believes browsers should only be an address bar and a content view because a browser in no way can help the user to have a better experience other than staying of the way.
Chrome is nice for the users who only care about speed speed the same way a leaky hut in the wood is sufficient for people who don’t need all those unnecessary features of modern civilization.
I know that your comment was tongue-in-cheek, Tom, but please try not to fall into the same pattern like the ardent Linux users do every time Windows is mentioned.
This is a _plugin_, not an extension. It’s like Flash. Microsoft could silently install this into Chrome just as easily, and Chrome has less UI to deal with plugins. Disabling them in Firefox is easy, and Mozilla even have a blacklist.
Thought I should link to this to show the latest blocklist details:
https://www.mozilla.com/en-US/blocklist/
Two prominent ones are:
Microsoft .NET Framework Assistant and Windows Presentation Foundation, all versions, for all applications. Reason: remote code execution vulnerability (see bug 522777).
Apple QuickTime Plugin, v7.1.*, for all Firefox 3 versions on Windows. Reason: remote code execution in multiple versions (see bug 430826).
Moziila really has to re-think how extensions and plug-ins register with Firefox. In no way should Firefox allow that one of these things can be installed silently without the user’s consent. Even a pop-up window when starting the browser would already be to prominent in my opinion. The yellow notification bar should be sufficient to inform the user that a plug-in wishes to installed, so that the user can also quickly discard of the notification (“Install|Don’t install|Never bother me again”).
I think the problem here is that these malware authors are very tricky. They figure out ways to slip things in without users noticing. I think Mozilla should add as much as possible, but I am wondering whether the issue at hand is not as much that the plugin is installed (it’s a concern yes), but what the plugin can do.
Why not focus on controlling / auditing what the plugins do at the user level. For example, if it tries to write to disk alert the user, if it tries to remotely connect to a website, alert the user.
Control not only getting the plugin in the browser, but also add safe-guards to what it does once it’s there.
This exactly one reason why regardless of your OS, you might be easily owned.
Sure it is harder to get Virus and other type of malaware deployed in MacOS X, Linux and other systems. But if your browser gets owned, you might just say goodbye to your data. Remeber the browser has full rights to access all files with your user rights.
Just because you stay away of Windows, don’t think that you are safe.
I think when I browse with my Amiga 500 I’m pretty safe. I dare anybody to try to “own” me and steal my files.
You’re right though and I think this is a shameful situation. I remember when browsers just displayed text and images – and that’s all. There was no way to hack into the OS. Now, browsers are getting too complex and adding too many features that become security risks. I like handy new features, but not if there is any chance it gives away control of MY computer.
I don’t ever want software being installed without my permission. I don’t ever want software to connect to the internet without my permission. I don’t even like it when software accesses the hard drive when I didn’t ask it to do anything. We’re losing control and are now at the mercy of software instead of being in charge.
It would be relatively easy to own an Amiga 500 which you were using for browsing…
Most of the AmigaOS browsers, and even things like the tcp stack are rather dated, no longer maintained and wouldn’t take too long for a skilled attacker to find some holes. Actually exploiting such holes would be relatively easy too.
The only advantage of using an Amiga is that people wouldn’t be expecting it, if anyone remotely skilled was actually targeting you it wouldn’t help much.
Really? What could an attacker do? They might be able to knock me offline or even crash the Amiga, but I seriously doubt that they could access my files, install software or anything else.
I’d like to see somebody try – just for interest. Would somebody like my A500 IP address so they could attempt it?
Well for starts they can wipe out your data. That’s all.
As soon as you get a compromissed programm with a live network connection, the process has the same rights as the user that started it. Now whatever is running inside that process, read “injected code”, can do whatever that user can do.
If the specific user can wipe out files, than you can say goodbye to all you Amiga 500 files, that have the same user as owner. Or maybe the program will upload data from your files, who knows.
No, they can’t wipe all my data. You’re thinking “too modern”. The Amiga OS doesn’t have built in support for remote execution of programs or processes. It doesn’t have users, owners or rights. It doesn’t have a built in file server. There is no way someone could see my files, let alone execute, upload or delete one.
I don’t use any security at all and I feel supremely safe. (…until somebody can prove otherwise )
Edited 2009-10-19 15:01 UTC
Plugins are native code, there’s no auditing that can really be done other than by your AV spotting this behaviour. The plugin interface just provides a means for the native code to load and to paint back to the browser.
Chrome and Safari on Snow Leopard place plugins on their own thread and in a sandboxed environment, which helps; but ultimately the whole nature of plugins is completely flawed and unsafe from the get-go.
Mozilla also can’t outright block these things from being installed because the OS vetos the browser. Id est, any software running on the computer can manipulate any aspect of the browser to fool it into accepting a plugin, circumventing any protection Mozilla put in place.
That said, I feel Mozilla should take a firm stance and beef up how they handle plugins and things installing into the browser so that the user has complete control. They need to make managing plugins as easy as extensions.
Actually, both run plug-ins in separate processes and not threads. Chrome does not use a sandbox for them as Google encountered too many compatibility problems to be turned on by default. To lessen the attack area at least somewhat Google lets the process which does the IPC run with minimal rights. While the plug-in can still wreck havoc this way at least Chrome itself is somewhat secured.
Edited 2009-10-17 10:52 UTC
Thanks for the corrections, and I had forgot to add IE8/Vista to my list, which sandboxes plugins too.
IE8 and Chrome both feature a process-per-tab model (although in reality there are exceptions when a new tab is run in the same process as its parent, at least on Chrome). Safari only outsources plug-ins into processes, probably mainly to be able to run 32-bit stuff like Flash. Interestingly enough, although IE8 also runs Flash in a separate process it is not able to use it in a 32/64 bit mixed mode like Safari, i.e. Flash does not work with 64-bit IE8.
And I don’t want to sound patronizing by repeating myself but Chrome does not sandbox plug-ins by default. I know that there are different opinions on what constitutes sandboxing but in the context of Chrome calling a separate process a sandbox does not apply since Chrome additionally is able to lock down individual processes.
IE runs plugins in the same process as the renderer, so it can’t currently do the 64-bit/32-bit mix.
Strange, I thought I caught a glimpse of a “FlashHelper” (or similarly named) process last time I used Windows 7. It must be used for some other purpose then, I guess.
If the user is running a program, as far as your computer and OS (Windows, Unix, OS X) is concerned, that program IS the user. There’s no distinction between what the user can do and what programs running as the user can do, therefore it’s not possible for Mozilla to prevent programs running as the user from doing whatever they like “without the user’s consent”.
Keep .NET away from your computer!!
Better than that, keep developers away from .NET! _Nobody_ should be forcing browser users to accept this crap. I swear Microsoft are doing everything in their power to usurp HTML/CSS/JS with *any* other technology, as long as they own it.
Better than that, keep users away from Windows
Honestly what a stupid answer, HTML/CSS/JS are not the total answer for web or desktop or anything, I’ve used .NET and HTML/CSS/JS, and damn the last combination makes your life misserable, who ever invented the CSS layout system should be judged for crimes againts the humanity, the browser may be optimized to run JS “at the speed of light” but is still interpretated code inside a browser, that makes it slow and CPU hungry (just try using Google Wave and you’ll see, I don’t know how google plans to make that thing reliable w/o a pluggin).
In other words, get a clue.
Edited 2009-10-17 17:01 UTC
Welcome to 2009 where at least 3 different JIT-compiling JavaScript engines exist.
I’m still waiting for my invite to Google Wave.
Google claims their rationale to Chrome Frame for IE8 is to get their JavaScript engine in IE so Wave will run better. Is Wave slow for you because of IE javascript engine or just slow in general?
IE8 doesn’t support wave well, and wave in chrome is slow and CPU hungry.
oh and please, stop the fallacity that a faster JS makes a lot of difference when loading a webpage, JS loading only represents 15% to 20% of the loading time of a webpage.
Edited 2009-10-17 18:14 UTC
I completely agree. HTML + CSS + JavaScript were not built for full desktop like apps. The fact that some clever developers started using them for that is what triggered the browsers to get better at it. But in the end, it’s like using a rock with a nail: it will work but it will be a pain.
Even Google recognized that, that’s why they came up with GWT so they can abstract JS a bit.
With .Net and Visual Studio, MS has simply provided the best development environment for their Windows platform. I’ve developed in ASM and C/C++ for years before moving to c# and I must say it’s just a pleasure to code.
I^aEURTMm not saying that JS is better than proper compiled code as a development method, I^aEURTMm saying that _in the browser_, I want HTML/CSS/JS, and not a broken plugin-icon and drive-by viruses, kthnx.
Kroc, I’d really like to agree with you, but HTML controls are to limited, you get a button, a combobox a listbox and a pair more and that’s it, but lets suppose you need a datetime edit that can show a calendar when you click the tiny arrow to show a calendar, that is something trivial in a desktop aplication, or a treeview or a decend grid (tables do a good job but they fall short), if you need something like it, be prepared to reinvent the well with tons of java script and tons of CSS hacks. And apart deploy all those .js and .css files with your webpage. That, in the end, the users will have to download just to have that basic functionality.
Now try to do that with .NET or Flash or Silverligh or <insert your hated pluggin here> and like magic all that functionality will be at your reach.
HTML is to basic, and needs a lot of javascript and CSS wotkship to make it work for my needs, and Im sure im not alone here.
Edited 2009-10-17 21:26 UTC
I agree too. It^aEURTMs early. HTML5 adds a date-picker, Opera support it already, have done so from 9.5.
It^aEURTMll get there, don^aEURTMt worry. Just not right this second.
I for one am willing to forego some fancy UI elements in exchange for some security. We are, after all, dealing with unknown, untrusted data from unknown, untrusted sources.
To beat your example to death , I have no problem picking my month and day from two drop-downs instead of a calendar view. If I need the calendar, I’ll call it up locally on my PC.
Ultimately I think browsers will have to become sandboxes, or (more comfortable to me) we will have to run them in our own sandboxes (a la Sandboxie on Windows, jails on FreeBSD, SELinux). Yes, it will be inconvenient (browse sandbox files, click the one I meant to download, transfer out of sandbox), but far less troublesome than losing your data or reloading your OS.
Edited 2009-10-19 19:04 UTC
I would speak not a single syllable against .NET, C# and other technically sound Microsoft software, if they would just stop trying to balkanize the web with it.
There are exactly 2 ways to do that:
1. Don’t force use of this technology into web protocols.
2. OR make it a free standard, for everybody’s free implementation and use. The patent license grants would need to be unlimited in time, relicenseability and platform (simplified: GPLv3-compatible).
Blazing speed does not help me, if the technology locks me into one program or platform.
Sorry but .net is too useful as a platform and is a security improvement over traditional Win32 c++ development.
This is a case that shows we need better security when it comes to plugins. If you actually wanted to keep developers away from a type of plugin for security reasons you would have a better case with flash.
I guess you still don’t know who invented .NET? It’s the company which just forced to break Firefox where this article just emphasized. So you appreciate their tools that may have tons of these broken security issues? Interesting.
Now now. Firefox itself has had tons of broken security issues. And continues to do so.
Even better – keep Windows away from your computer.
If it’s not installed through Mozilla itself, they can’t have any control over other programs that modify it’s configuration at the OS level.
They are doing the best they can by blacklisting known vulnerable plugins, but when you have access to the layer below there are always round it.
This is not a new nor uncommon thing from the people at Redmond.
That the poorly announced and security ‘enhancement’ was put in without letting victims know…
Only re-affirms why I now use Linux.
“A MAN IS NOT OLD UNTIL REGRETS TAKE THE PLACE OF DREAMS”.
“Along with .NET Framework 3.5 SP1, Microsoft have been silently installing a Windows Presentation Foundation Plugin that allows the embedding of XAML applications (an XML-based UI technology) in web pages, called XBAP (XAML Web App).
The exploit is drive-by, meaning that the victim only needs to be lured onto a web-page for the attack to be effective. The only safe thing to do until a patch is issued, is to open Firefox^aEURTMs AddOn Manager and disable the WPF plugin. ”
The battles of the softwares like these are really annoying and are not helping debug other issues. Because, who knows, was WPF plugin causing problems? Was it something else?
It took me two days, for example to figure out that ( http://annoyances-resolved.blogspot.com/2009/10/battle-of-two-softw… ) WPF did NOT cause this problem with Firefox.
Now that WPF is disabled, and the problem with Blinking Close, Minimize and Restore Button on Firefox reappeared http://annoyances-resolved.blogspot.com/2009/10/firefox-vista-close… ), I know WPF was not to blame.